Botconf 2016

29th November - 2nd December 2016, Lyon

280 participants from all around the world

28 presentations and 3 workshops

4 days of exchanges, discussions and making new friends!


Schedule

Tuesday 29th November 2016

10:30 – 12:30
FastIR Collector
Sébastien Larinier 🗣


The goal of the workshop is to present and use the open source live forensic collector FastIR on different investigation cases on Windows: a RAT with anti-forensics tricks, rootkits, a Trojan with DLL injections… And we’ll present the new features we have developed this year with the agent and server.

14:00 – 17:30
Cracking Banking Fraud
Pavel Asinovsky 🗣 | Magal Baz 🗣


This workshop takes us into the world of banking malware, and more specifically into researchers’ chase after configurations – the attack books that dictate which banks are targeted and how. These precious, ever-changing fragments of data and the continuous change in the encryption methods keep us alert and on our toes.

In this workshop we learn about banking malware modus operandi and we play the role of the researcher, going through a hands-on guided process of analyzing encrypted configurations and studying how the data is protected. We shall study the way it is encrypted, eventually formulating a simple method of decryption. Our case study will be the infamous Dridex malware. Participants will be introduced to the world of banking fraud, gain an understanding of the process of researching encryption methods, acquire basic tools for addressing encrypted data of unknown format and enjoy the thrill of a live challenge.

14:00 – 17:30
MISP, the Threat Sharing Platform, a Developer Perspective to Extensions and Collaboration
Alexandre Dulaunoy 🗣 | Andras Iklody 🗣


MISP is becoming a key open source package for indicator and threat sharing in the information security community. MISP has improved its modularity in recent versions and proposes various ways to use and extend the platform. The workshop will show developers and contributors how to tame the MISP platform and customize it for their needs. The objective is also to gather feedback from existing MISP users in order to improve the software.

14:00 – 17:30
Getting Your Hands Dirty: How to Analyze the Behavior of Malware Traffic and Web Connections
Veronica Valeros 🗣 | Sebastián García 🗣


Nowadays there are a lot of tools to analyze traffic, but the most important thing to have is the experience and knowledge of a malware analyst. The goal of the workshop is to give hands-on experience in analyzing the behavior of malware and botnet traffic in the network by studying their web patterns and their traffic behavior. The workshop will use both pcap files of real malware captures and real normal captures. Participants will learn a proven approach to traffic analysis: how to recognize malicious connections, how to separate normal behaviors from malicious behaviors, how to recognize anomalous patterns and how to deal with large amounts of traffic. Analyzing only malware traffic may not be so complicated for some people, but accurately separating it from normal traffic is harder.

The most important lesson of the workshop is not how to use Wireshark or tcpdump. The workshop transmits the experience of recognizing the malicious actions of malware in the network: how to identify when malware tries to hide, how to recognize encryption, how to discard false connections, etc. Participants should leave with a good set of knowledge about obtaining an overall picture of the traffic in order to recognize whether there is malicious behavior in it.


Wednesday 30th November 2016

11:20 – 12:00
Locky, Dridex, Necurs: the evil triad
Jean-Michel Picod 🗣


While the inner workings of Locky and Dridex are well understood, as they have been in the news all year long, how their distribution system operates is still relatively unknown, as it is only seen by email providers. In this talk we lift the curtain and present what Locky, Dridex, and Necurs, their distributing botnet, look like from the Gmail perspective. We will outline the key techniques and protocols that those gangs are using in an attempt to evade detection and orchestrate their campaigns. We will conclude by showcasing a selection of the techniques used in their droppers, which illuminate how proficient those groups have become at exploiting JavaScript quirks.

12:05 – 12:55
Visiting the Bear’s Den
Jessy Campos 🗣 | Joan Calvet 🗣


Sednit, a.k.a. Fancy Bear/APT28/Sofacy, is a group of attackers operating since at least 2004 whose main objective is to steal confidential information from specific targets. Over the past two years, this group’s activity has increased significantly, in particular with numerous attacks against foreign affairs ministries and embassies all over the world.
Technically speaking, Sednit is probably one of the best espionage groups out there. Not only have they created a complex software ecosystem (composed of tens of different components), but they also regularly come out with 0-day exploits. Also remarkable is their ability to very quickly integrate newly published techniques into their toolkit.
This talk presents the results of a two-year hunt after Sednit, during which we dug up and analyzed much of their software. In particular, we will delve into the technical details of their most impressive components:
– DOWNDELPH, a mysterious downloader deployed in rare cases and with advanced persistence methods. In particular, we found a Windows bootkit dropping this component, and also a Windows rootkit, both never documented.
– XTUNNEL, a network proxy tool able to transform an infected machine into a pivot to contact computers normally unreachable from the Internet. Heavily obfuscated, and based on a custom encrypted protocol, XTUNNEL is a major asset in Sednit’s post-infection toolkit.
– XAGENT, the flagship Sednit backdoor, for which Windows, Linux and iOS versions have been developed. Built as a modular framework around a so-called “kernel”, it allows building flexible backdoors with, for example, the ability to switch between various network protocols.
– SEDKIT, a full-fledged exploit kit, which depending on the target’s configuration may drop 0-day exploits or revamped exploits.
During our tracking, we also gained great visibility into Sednit’s post-infection modus operandi, a world full of Mimikatz and various custom hacking tools.

14:00 – 14:30
LURK – The Story about Five Years of Activity
Vladimir Kropotov 🗣 | Fyodor Yarochkin 🗣


Lurk’s activity was solely in Russia since late 2011, but the technologies they use became noisy when they appeared on the “World Market” years later. We were able to track the activity despite low detection by AV vendors.

We will comment on the activity of the group over five years, showing methods, tactics and many high-profile victims (mostly what we call intermediate victims) whose sites were used for malware distribution. The list of victims includes high-profile news agencies (up to 1 million unique visitors per day) and even domains in the government sector.

We coordinated our efforts with victims and CERTs and can share successful and unsuccessful steps of attack mitigation for this group. The group was arrested in June and we should be able to document the impact on exploit kit activities.

14:35 – 15:05
Browser-based Malware: Evolution and Prevention
Andrey Kovalev 🗣 | Evgeny Sidorov 🗣


Nowadays web technologies allow users to do a lot of their work online. Cloud services, social networks, online games etc. are gaining more and more popularity and are replacing desktop applications and offline tools. Web browsers also offer special opportunities that can be extended by the use of different extensions and plugins. This fact has made web browsers an extremely attractive target for cybercriminals, and they have found new ways to implement browser-based attacks, spread malware and get maximum benefit from infection campaigns.

The story of browser-based malware began with so-called “Man-in-the-browser” attacks (MITB). The first mention of this technique was made in 2005 by Augusto Paes de Barros in his presentation “The future of backdoors – worst of all worlds”. Originally this approach was employed by popular banking trojans (Zeus, SpyEye etc.) to steal bank account credentials and to hijack transactions in e-banking systems. To use this approach, the malware patches the browser’s processes to hijack data buffers before they are sent over the network to the web resource. After a browser update, cybercriminals have to reverse engineer the changes and create an update for the malware. But now the world has changed and it’s much easier to develop a basic browser extension that injects JavaScript into every web page the user visits. Such a script could check the URL in the browser tab and change its behavior depending on it: in web search services it could insert additional advertising banners, in email services it could insert additional text into user messages, and in online banking it could perform a web inject to hijack transactions.

In the presentation we will cover new implementation and spreading techniques of the “Man-in-the-browser” attack. We will highlight some interesting samples, their functions and monetization models that we have found in the wild.

15:10 – 15:30
Language Agnostic Botnet Detection Based on ESOM and DNS
Christian Dietz 🗣 | Rocco Mandrysch 🗣 | Urs Anliker | Gabi Dreo


Botnets enable various cyber-criminal activities, like DDoS, banking fraud, data theft and extortion. Current botnet detection approaches face many challenges, for example peer-to-peer infrastructures, domain fast-flux, or encryption of the command and control information, all used to prevent signature-based detection. In recent years an increasing number of approaches have focused on DNS-based detection of bots. However, such approaches can be negatively influenced by the variance of linguistic characteristics in different networks or root zones of the domain name system. Therefore, we propose a novel approach based on Emergent Self-Organizing Maps and DNS request monitoring to find bots in real-life network environments. Our approach is language agnostic as it uses a high level of abstraction of the network traffic, and of DNS requests in particular. Furthermore, it can semi-automatically adjust itself to the changing behavior of bots. We validated our approach on real network traffic.

16:00 – 16:50
Vawtrak Banking Trojan : A Threat to the Banking Ecosystem
Victor Acin 🗣 | Raashid Bhat 🗣


Vawtrak has been among the top banking Trojans for quite a long time now. Banking Trojans have not been discussed much in security conferences, contrary to APTs and other types of malware. This research is based on in-depth analysis of Vawtrak and analytical results from tracking infrastructure, as well as changes in the botnet over a period of time. Vawtrak has been observed to target some major banks. We will also analyse the modular plugins used by Vawtrak. Apart from the technical perspective, we will also explore the analytical examination of data observed during our monitoring of Vawtrak, e.g. targets, web injects and other malware families downloaded by Vawtrak.

This talk is segregated into the following sections:

1. Learn in-depth technical details of a banking trojan and the ecosystem of a banking trojan
2. How attackers are spreading and collecting information from victims
3. Technical details about how to monitor a banking botnet

16:55 – 17:35
Snoring Is Optional: The Metrics and Economics of Cyber Insurance for Malware Related Claims
Wayne Crowder 🗣


Insurance addresses the economics of security on the internet. Cyber insurance is sold to companies as a way to offset the risk and costs of a security incident. Governments, large enterprises and small businesses are purchasing policies to cover risk, recoup costs and recover losses from a cyber incident. This talk will discuss the nature of cyber insurance policies, the different types of policies and what they cover. A breakdown of the companies/industries that are buying policies will be shown.

The talk will show the types of attacks organizations are dealing with on a daily basis. Examples from claims made against policies, with costs, will also be discussed. The talk will provide insight into the economic impact of malware on organizations. It will then inform the viewer about the benefits or pitfalls of a cyber insurance policy with examples of claims, denials and costs.

17:40 – 18:20
Hunting Droids from the Inside
Łukasz Siewierski 🗣


This talk will be a survey of different potentially harmful applications (PHAs), botnets and malware campaigns on Android that we encountered in 2016. I’ll walk through a variety of different malicious apps, explain the malware authors’ objectives and the techniques they use in order to achieve those objectives. In addition to detecting and analyzing PHAs, we also actively shield users from them through platform enhancements. For example, by changing Android APIs to make them less prone to abuse, we render some of the potentially harmful APKs unusable and benign for users. In some cases, we’ve deprecated APIs or introduced new features, resulting in a significant drop in affected users. This is not limited to providing protection from PHAs in the Google Play store, but extends to any apps that users install on their phones. I will highlight a series of anti-abuse measures and present the positive impact they have had on the ecosystem at large.

Thursday 1st December 2016

09:00 – 09:40
09:45 – 10:35
Attacking Linux/Moose 2.0 Unraveled an EGO MARKET
Masarah Paquet-Clouston 🗣 | Olivier Bilodeau 🗣


Want to give your blog a push or your “gun show” more views? Then why not buy 50,000 fake followers for $1,000! Click farms from down South or botnets such as Gameover Zeus will be more than happy to supply them for you.

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet familiar to Botconf 2015’s attendees: Linux/Moose. The hunt was tedious, since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spreads and is operated. To do so, we performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months, decrypting the bot’s proxy traffic. This gave us an impressive amount of information on the botnet’s activities: the names of the fake accounts it uses, its modus operandi for creating fake follows and the identification of its customers, both companies and individuals.

11:00 – 11:50
Tracking Exploit Kits
John Bambenek 🗣


Despite the ever-growing number of malware families, botnets and criminal campaigns, there are only a few defined means by which malware can find its victims. This talk will be a deep dive into tracking exploit kits and the infrastructure behind them. Starting with our own telemetry and Microsoft’s Malicious URL feed from their Bing crawler, global visibility has been established into exploit kit activity; using this starting point, we will cover how to track and differentiate exploit kits, their payloads and campaigns, and how to uncover their backend infrastructure.

11:50 – 12:20
Improve DDoS Botnet Tracking With Honeypots
Ya Liu 🗣 | Wenji Qu


DDoS botnet tracking can be used to watch botnet-assisted attacks in real time, together with details including the botnet families, C&C servers, attack types, and attack parameters. Such information helps us to learn about current DDoS attacks and improve existing detection and mitigation solutions. To achieve better tracking, we need to figure out: 1) what coverage the tracked attacks have among the real ones; 2) how many active DDoS bot families are still outside our telescope.
To answer those two questions, both real attacks and a method to correlate them with the botnet families (or attacking tools) used are necessary. Our studies show that DDoS bots differ from each other not only in their C&C protocols, but also, in most cases, in their packet generating algorithms (PGA for short), which the bots use to generate the enormous number of attack packets according to the received commands. Therefore, it’s possible to boil the observed attacks down to bot families by analyzing their PGAs.
In this presentation, I will talk about how to use honeypots to collect real DDoS attacks with spoofed source IPs. The method to break down a PGA, as well as the techniques to profile a PGA from the collected attack packets, will be introduced. In the final part, I will present some real examples we have found.

12:20 – 12:50
Function Identification and Recovery Signature Tool
Angel Villegas 🗣


Reverse engineering benign or malicious samples can take a considerable amount of time, and new samples are created daily. Leveraging disassemblers like IDA Pro, a reverse engineer can analyze the same routines across several samples over the lifetime of their career. Their knowledge is not easily transferred to similar samples or functions, for themselves or for others. In particular, we can consider the problem that code reuse poses for reversing efforts, whether via statically linked libraries or by integrating existing software. In this presentation we want to provide a solution for transferring knowledge to similar functions by introducing a new reverse engineering tool, named FIRST (Function Identification and Recovery Signature Tool), to reduce analysis time and enable information sharing.

14:00 – 14:35
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Tom Ueltschi 🗣


Enterprises and organizations of all sizes are struggling to prevent and detect all malware attacks and advanced adversary actions inside their networks in a timely manner. Prevention-focused technology hasn’t been good enough to prevent breaches for years, and detection has been lacking in many ways.
This presentation will give an overview and detailed examples of how to use the free Sysinternals tool Sysmon to greatly improve host-based incident detection and enable threat hunting approaches.
Splunk is just an example of a SIEM used to centralize Sysmon log data and to search and correlate large amounts of data to create high-quality alerts with low false-positive rates. The same could likely be done using another free or commercial SIEM.
The main goal is to share an approach, a methodology, for greatly improving host-based detection by using Sysmon and Splunk to create alerts.
One main topic throughout the presentation will be how to find suspicious or malicious behaviors, how to implement search queries and how to reduce or eliminate false positives. Examples will cover different crimeware malware families as well as tools and TTPs used by Red Teams and advanced adversaries.
For the latter, a commercial tool (Cobalt Strike) was used to test different privilege escalation and lateral movement techniques and develop queries for detection. The Sysinternals Process Monitor and Sysmon tools were used to analyze behaviors on the endpoints involved.
Any Blue Team member should be able to take away some ideas and approaches to improve detection and incident response readiness in their organization.

14:40 – 15:00
How Does Dridex Hide Friends?
Paul Rascagnères 🗣 | Sébastien Larinier 🗣 | Alexandra Toussaint 🗣


During an incident, CERT Sekoia investigated fraudulent money transfers. These transfers were made from a French firm’s account to other bank accounts based in different places in Europe. The fraud was valued at 800 000 euros.
Initially, the bank of the French firm indicted an accountant officer of this firm for making these transfers. The transactions were made with a 2FA authentication process.
CERT Sekoia demonstrated that the accountant officer’s computer was compromised and that his computer was certainly used to perform these transfers.
The compromise occurred in two stages:

  • First, when Dridex arrived on the computer
  • Secondly, Dridex was used to download another piece of malware (a RAT).

15:05 – 15:35
A Tete-a-Tete with RSA Bots
Jens Frieß 🗣 | Laura Guevara 🗣


The expansion and specifically the sophistication of botnets has brought with it an increased use of cryptography for safeguarding communication channels between bots and their command-and-control instances. Asymmetric encryption (or public-key cryptography) currently poses a major challenge for malware analysts. In this regard, understanding the communication protocol is a critical requirement in the analysis of botnets.
The goal of this short talk is to present a generic, fully automated method for tracking botnet communication protocols and a prototype implementation for recovering obfuscated network traffic. Our method arises from the need to constantly analyze highly active botnet families while sparing significant reverse engineering effort. The results show that our approach successfully obtains changes in message structures by circumventing encryption and interacting directly with the bots.

16:05 – 16:35
Takedown client-server botnets the ISP-way
Quảng Trần Minh 🗣


Botnets are currently an existing threat to Internet users around the world. Users can lose money and personal information if infected. Botnet takedown has been a pressing need of many organizations in the world: the FBI, national governments, Internet service providers (ISPs). For ISPs, this is actually a legitimate need to protect their consumers and their networks and to meet the requirements of law enforcement agencies.
Basically, there are two types of botnet network models: Client-Server and Peer-to-Peer. In particular, ISPs can play a significant role in client-server botnet shutdown based on their inherent advantages.
Normally, in order to demolish a client-server botnet network, organizations must cooperate with service providers (domain name registrars, hosting/server providers) to acquire the malicious domain or server, then monitor the connections to shut it down. However, this method is quite passive, as it has to wait for the coordination of service providers. In particular, this method is not feasible for bullet-proof servers.
However, ISPs have a lot of advantages for taking down client-server botnets: they own the user’s Internet infrastructure, are capable of monitoring/processing/routing traffic on their network, and own technology that allows deep analysis of packets.

In this presentation, we will discuss methods an ISP can use to take down a client-server botnet on its network, based on the ability to redirect malicious connections from the C&C server to an ISP analysis server using the ISP’s DNS infrastructure and IP routing, which makes it easy to track and shut down the botnet.

16:40 – 17:10
Detecting the Behavioral Relationships of Malware Connections
Sebastián García 🗣


A normal computer infected with malware is difficult to detect. There have been several approaches in recent years which analyze the behavior of malware and obtain good results. The malware traffic may be detected, but it is very common to misdetect normal traffic as malicious and generate false positives. This is especially the case when the methods are tested in real and large networks. The detection errors are generated by the malware changing and rapidly adapting its domains and patterns to mimic normal connections. To better detect malware infections and separate them from normal traffic, we propose to detect the behavior of the group of connections generated by the malware. It is known that malware usually generates various related connections simultaneously and therefore shows a group pattern. Based on previous experiments, this paper suggests that the behavior of a group of connections can be modelled as a directed cyclic graph with special properties, such as its internal patterns, relationships, frequencies and sequences of connections. By training the group models on known traffic it may be possible to better distinguish between a malware connection and a normal connection.

17:15 – 17:35
Analysis of Free Movies and Series Websites Guided by Users Search Terms
Luis Alberto Benthin Sanguino 🗣 | Martin Clauß 🗣


Cybercriminals employ websites to infect victims with malware using techniques such as drive-by download or social engineering. On the other hand, several approaches (e.g. client honeypots) exist to detect malicious websites. Nonetheless, this is a time-consuming task, and thus computational resources should be spent on targets that are more prone to be malicious than others.
For economic reasons, websites that offer free entertainment content like movies and series are frequently visited by web users. Based on this empirical observation, we hypothesized that users visiting Free Movies and Series (FMS) websites are more exposed to malware than when visiting other types of web content.
To prove this hypothesis, we set up an infrastructure composed of a web crawler, to obtain URLs related to the FMS category and other categories extracted from Google Trends, and an analysis component based on VirusTotal. In total, 52,531 URLs were scanned, of which 17,738 correspond to FMS.
The analysis classified 11.2 % of these URLs as malicious, compared to only 1.27 % of the URLs corresponding to the Google Trends categories.

Lightning talks

Friday 2nd December 2016

09:30 – 10:00
Nymaim Origins, Revival and Reversing Tales
Alberto Ortega 🗣


In this presentation we will talk about the return of Nymaim. We will emphasize how they got into banking fraud and the complexity they added to the code to make reversing tough and also to overcome dynamic analysis, signature matching and DGA sinkholing.

10:05 – 10:55
Rough Diamonds in Banking Botnets
Jose Miguel Esparza 🗣 | Frank Ruiz 🗣


Millions of computers are infected and become part of botnets every day. Our relatives and most of our friends are happily infected, but some of these bots are more important than others. Botnet herders are aware of that, and when they don’t have enough resources they sell specific infections to other groups, which will give these special systems the love they need. We call these systems “rough diamonds”. During this presentation we will give real examples of how some of these targeted attacks end up in credit card breaches and high-amount fraud transactions.

11:25 – 12:15
ISFB, Still Live and Kicking
Maciej Kotowicz 🗣


Also known as Gozi2/Ursnif, sometimes Rovnix, ISFB reappeared in early 2013, attracting some attention from the research community and causing a lot of confusion in the naming convention and as to what was being analyzed. Then suddenly, it went dark again.
However, dark does not mean dead. With the attention of the world focused on Dridex and Dyre, ISFB silently evolved, hiding from the spotlight to become one of the most complex and fully featured banking trojans out there. In this paper, we want to break the silence surrounding ISFB, giving a full description of the capabilities of this malware, which are beyond those of the average banking trojan: 4 ways of communicating with the C&C, half a dozen tricks to steal your money, the ability to create movies of your activity and naturally numerous ways of manipulating your web traffic.
It all comes as a very nicely designed piece of software, with a custom configuration format beautifully fitted into the malware itself, uncommonly used crypto and rather clean code, making it an interesting target for an analyst.
While it’s a perfect target for an analyst, its broad capabilities make it a weapon of choice for the bad guys, making it one of the most popular bankers alongside Vawtrak and ZeuS derivatives.
But in today’s world, malware is more than just a binary sitting on your computer; there is an entire infrastructure supporting it in the backend. We will therefore also provide an overview of the architecture used for that purpose, including the whole chain of tiers that led us to the C&C server.
The paper will be backed up by a set of scripts and signatures (IoCs) that will help in hunting for this threat, extracting interesting pieces of configuration and the webinjects themselves.

12:20 – 13:00
Challenges for a cross-jurisdictional botnet takedown
Margarita Louca 🗣


Practical case: how legislation can improve Law Enforcement effectiveness in pursuing criminals acting in an international environment.
What to do when criminals act as if they were multinational enterprises, delocalizing their criminal services across multiple jurisdictions? When the Internet is borderless and laws are bound to territories, successfully disrupting a botnet with domains and infrastructure scattered across multiple jurisdictions takes more than good will. In the case presented, Law Enforcement coordination with different judicial authorities and the private sector highlights the need for further discussion of the legal challenges posed by carrying out cross-border investigative actions with the aim of disrupting criminal ecosystems and striving for crime attribution across multiple legislations.

14:00 – 14:30
Preventing File-Based Botnet Persistence and Growth
Kurtis Armour 🗣


In the current threat landscape, we see most botnets propagating via exploits and file-based malware. Anything that touches the disk has the ability to be blocked via access controls on the host. New techniques utilize more than just binaries to execute malicious code, which is why there is a need for execution control. The main techniques we see botnets attempting to grow through are malware utilizing JavaScript payloads, standard binaries, doc macros and PowerShell payloads. In light of these techniques, this talk will cover methods for implementing appropriate application whitelists and configuration changes that make it easier for security administrators and security professionals to protect and maintain a secure environment. In addition to block rules and best practices, the presentation will go over audit-based policies that can be implemented.

14:35 – 15:15
Dridex Gone Phishing
Magal Baz 🗣 | Gal Meiri 🗣


In January 2016, we discovered a new modus operandi launched by Evil Corp, the organization that owned and operated the Dridex banking Trojan. A new build was released into the wild, using the Andromeda botnet platform, mainly targeting users in the UK. We studied the attacks linked with the new Dridex infection campaigns and learned that the malware’s operators have made considerable investments in a new attack methodology. Dridex started to perform redirection attacks instead of the original web injections, sending the victim to an entirely fake site mimicking the original site of the user’s bank, while presenting the authentic certificate.
