Schedule
Tuesday 5th December 2017
Olivier Bilodeau 🗣 | Masarah Paquet-Clouston 🗣
Abstract
Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow to conduct quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable Python libraries (IPython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on botnet data, the tools and skills learned will be useful in all sorts of contexts. Moreover, to ensure that participants get the most out of the workshop, it will be built in a way that allows them to easily replicate the data-analysis environment at home and reproduce similar analysis with their own traffic data.
Workshop Outline
- Introduction to the workshop
- Overview of the Linux/Moose botnet
- The datasets available: Pcaps and mitmproxy logs
- Overview of the tools we will use
- Network traffic and C&C protocol analysis
- Lab 1: Find the potential victims that have been targeted by the botnet’s scanner
- Lab 2: Find and extract the C&C traffic in the Pcaps
- Lab 3: Find the list of proxy clients IPs and evaluate if the list changes through time
- Decrypted HTTPS traffic data analysis
- Lab 4: Find the list of websites targeted by the botnet and graph them based on the proxy client IP
- Lab 5: Graph the total number of requests made per proxy client through time
- Lab 6: Find whether proxy clients are re-using their fake social media accounts
Raphaël Vinot 🗣 | Saâd Kadhi 🗣 | Jérôme Leonard 🗣
Abstract
Agenda:
- Cyber Threat Intel & Incident Response in 2017
- MISP, TheHive & Cortex Overview
- Installing & configuring the product stack
- Bringing it all together
- An IR case study
- Dealing with notifications
- How CTI feeds IR
- How IR feeds CTI
- The CTI-IR cycle: case study
Sébastien Larinier 🗣
Abstract
The goal of this workshop is to present how to use Python for machine learning. We take examples of security data such as malware and we explain how to transform the data so that machine learning algorithms can be applied. We detail the different algorithms and the different libraries, Scikit-learn and TensorFlow.
The algorithms help to quickly cluster a malware database in order to create YARA signatures for use in incident response. The participants will work on a small dataset, develop some code based on these libraries and create YARA signatures.
Wednesday 6th December 2017
Robert Erra 🗣 | Sébastien Larinier 🗣 | Alexandre Letois | Marwan Burelle
Abstract
Malware is now developed at an industrial scale and human analysts need automatic tools to help them.
We propose here to present the results of our experiments on this difficult problem: how to cluster a very large set of malware (with only static information) to be able to classify new malware. To cluster a set of (numerical) objects is to group these objects into meaningful categories. We want objects in the same group to be closer (or more similar) to each other than to those in other groups. Such groups of similar objects are called clusters. When data are labeled, this problem is called supervised clustering. It is a difficult problem but easier than the unsupervised clustering problem we have when data are not labeled.
All our experiments have been done with code written in Python and we have mainly used scikit-learn, so you will probably be able to do the work again with your own feature vectors (well, we hope so for you!).
We will present some results on our dataset of two million malware samples. We will give some examples of the results we have found and we will talk about future work that could be interesting to do (well: problems still to be solved).
Mark Lechtik 🗣 | Or Eshed 🗣
Abstract
In a World where oil is scarce and people click mail attachments they really shouldn’t, One Man sets out on an epic journey for glory, conquest, and other people’s money. So begins the amazing tale of the “Oil bot” campaign: a tale of a single man who ran a sting operation on a good share of the industrial sector, armed with nothing but his supply of off-the-shelf RATs, his very subpar OPSEC standards, and his Nigerian chutzpah. The talk will follow the entire course of Check Point’s investigation into this affair – from the few emails that didn’t add up, through the campaign’s not-so-intricate C&C infrastructure, to the point where we were inside the campaign, looking at all the incredulous details. How do you scam people into scamming other people? What leads a fraudster to leave a trail of incriminating footprints?
And what does a Nigerian scammer want with an energy company, anyway? One thing’s for sure: In this brave new world, the Nigerian prince is no longer happily calling to inform you that you should transfer your money to them; it is you who is angrily calling your bulk provider, asking where all your money went.
Renato Marinho 🗣 | Raimir Holanda 🗣
Abstract
From DDoS attacks to malicious code propagation, botnets continue to represent a strong threat to entities and users connected to the Internet and, due to this, continue to be an important research area. These numerous networks proved their power to us when they interrupted a great part of the Internet, causing impacts to companies like Twitter and Netflix, when the Mirai P2P botnet targeted Dyn’s DNS services back in 2016. In this paper, we present the study that allowed us to find a “Mirai-like” botnet called Rakos – from our high-interactivity honeypot recruitment to the detailed analysis and exploitation of this botnet’s C&C protocol using crawling and node-injection methods to enumerate and estimate its size. Our contribution also includes a comparison between the two P2P botnet exploration methods used in our research and the situations in which each may be better suited for further analysis. Additionally, we propose the term “transient” to designate botnets formed by malware that does not use persistence on the compromised system, as this tends to be usual amongst modern threats to IoT (Internet of Things) devices.
Jakub Křoustek 🗣 | Peter Matula 🗣 | Petr Zemek
Abstract
Machine-code decompilation transforms an executable file into a high-level language. It has found its applications mostly in the field of reverse engineering, where analysts use decompilers to inspect suspicious binaries.
This paper introduces RetDec, a recently open-sourced retargetable decompiler for platform-independent analysis of binary files. More specifically, we give an overview of the RetDec project’s history, its current state, a comparison with other decompilers, and an example of a successful application.
Karine e Silva 🗣
Abstract
Businesses, organizations, and individuals can largely contribute to a better collective response to botnets. Apart from the power of thwarting attacks as they occur, multistakeholders play a meaningful role in handing over evidence to law enforcement about botnet crimes. Yet, criminal procedure law places a significant threshold on how evidence collected by third parties may be used in a criminal investigation and before court. In this study, I am particularly interested in the so-called category of illegally obtained evidence, in other words, evidence that is amassed in a way that (potentially) violates the standards prescribed by criminal procedural law. This distinction is downright pertinent to the current debate on botnet intelligence that could be disclosed to law enforcement and, more importantly, on whether data gathered in grey zones of the law could be used against cybercriminals.
Traditionally, legal systems have opposed to the doctrine of the fruit of the poisonous tree. Following this stream, evidence gathered via unlawful means suffers from the same spoilage as the original source of the collection. According to this doctrine, illegally obtained evidence is per se illegal and holds no value in the due legal procedure. This remains largely the doctrine adopted by most civil law systems, including many EU Member States. However, pragmatic perspectives of the law have refused to repudiate the nature of the poisonous fruits: the silver platter doctrine has gained space among EU Member States, such as the Netherlands, where illegally obtained evidence handed over to law enforcement, where such unlawful obtaining was not influenced by the authorities, should not be disavowed but brought into play. I intend to investigate whether an adaptation of the silver platter doctrine may be deemed legitimate in the context of cybercrime and justify the sharing of botnet evidence with law enforcement where such data is collected by businesses, organizations, and individuals.
This is an experimental study. It explores and critically analyses the main trends on the use of unlawfully obtained evidence by law enforcement in the U.S. and in select EU Member States (the NL and DE or FR). It builds upon these findings to propose rules that may pave the way for greater use of botnet evidence by law enforcement in a way that is consistent with and respectful of the EU framework for fundamental rights, including the limits and opportunities that such a framework may entail.
Jarosław Jedynak 🗣 | Paweł Srokosz 🗣
Abstract
Botnets are a curious thing for malware researchers. Although we’re constantly trying to shut them down and stop the responsible people, we’re also focusing a lot of attention on studying and analysing their inner workings in order to learn more about how they operate.
And the best strategy of getting information from a botnet is tricking it into sending everything to us on its own. In this talk we’ll describe our latest project, which does exactly that. We are reverse-engineering communication protocols, re-implementing them in python and impersonating real bots. This way, we can get fresh information/malware/spam/urls directly from a C&C, process it automatically, and react appropriately.
We want to share our insights from a year of tracking, compare our approach with more blackbox solutions (hint: there are advantages and disadvantages), and discuss some challenges and our solutions to them. Although we won’t focus on specific malware protocols, we’ll mention them in passing.
Christopher Baker 🗣 | Allison Nixon 🗣 | Chad Seaman
Abstract
On the internet, no one knows you’re a dog, but they know that you are accessing their website from an IP announced by an ASN that belongs to an ISP on the East Coast of the United States. As the DOM renders a piece of third-party fraud detection, JavaScript runs and collects details about local time, Flash, etc., creating a fingerprint for your browser. It also takes a look at your IP address to see if it is a reasonable match to the zip code associated with the credit card you’re using and possibly confirms that it matches the netblock you frequently log in from. This second component, access to secure sockets (SOCKS) in ISP networks and other netblocks, is the topic covered in this presentation. We will cover the market for SOCKS, including vendors and pricing models, as well as a botnet that we came across when monitoring SOCKS markets.
Sébastien Mériot 🗣
Abstract
For the past 12 months, Internet-of-Things botnets have made the headlines. Behind the media noise lies a threat that could be easily remedied by taking appropriate actions to discourage the herders which, most of the time, are kiddies. The latter often purchase the services of a third party to set up the Command & Control on dedicated servers and thus have a strong potential to cause harm. The growing number of botnets made us reflect upon a workflow to contain the trend.
This presentation aims to show how easy it is to identify the Command & Controls of Internet-of-Things botnets and how OVH implemented an automated workflow to search them out of its network. This workflow is currently running in production, is able to extract the Command & Control IP in 9 out of 10 cases, and could be easily implemented by other ISPs.
OVH is the third hosting company in the world, providing bare metal servers, cloud instances, web hosting, xDSL links, etc. Also known for having mitigated a Distributed Denial of Service attack above the symbolic terabit-per-second barrier issued by a Mirai botnet, OVH is definitely committed to fighting against botnets.
Pedro Drimel Neto 🗣
Abstract
In the past, mobile malware used to target victims only to harvest SMS messages, which are often used as a 2FA (two-factor authentication) mechanism or as OTP (one-time password). Since late 2015, we have seen attacks which targeted the entire bank app with an overlay type of attack that started a new era in Android banking botnets. This is what we will be detailing and discussing in this presentation.
First, we will quickly introduce the audience to past Android malware families that had SMS harvesting as a goal. Perkele, Zitmo and iBanking are some examples of those families.
Then, we will focus on modern Android malware evolution in terms of obfuscation, anti-analysis, C&C communication and infection mechanisms. We will also provide insights into some of those modern Android malware botnets including some not yet known to the public. The Android malware families we will be discussing are: Slempo (also known as GMBot and SlemBunk), MazarBot, Catelites, Shifu, Marcher and BankBot (also known as Maza-in).
Elie Bursztein 🗣 | Oren Koriat 🗣
Abstract
This talk provides a retrospective on how during 2017 Check Point and Google jointly hunted down Gooligan – one of the largest Android botnets at the time. Besides its scale, what makes Gooligan a worthwhile case study is its heavy reliance on stolen OAuth tokens to attack Google Play’s API, an approach previously unheard of in malware.
This talk starts by providing an in-depth analysis of how Gooligan’s kill chain works, from infection and exploitation to system-wide compromise. Then, building on various telemetry, we will shed light on which devices were infected and how this botnet attempted to monetize the stolen OAuth tokens. Next we will discuss how we were able to uncover the Gooligan infrastructure and how we were able to tie it to another prominent malware family: Ghostpush. Last but not least, we will recount how we went about re-securing the affected users and taking down the infrastructure.
Thursday 7th December 2017
Félix Aimé 🗣
Abstract
How to find watering holes (aka Strategic Web Compromise – SWC) from your bedroom? At the intersection between geopolitics and technology, “KNIGHTCRAWLER” is a personal project developed to find malicious activities on several thousand strategic websites (governments, NGOs, companies, newspapers, etc.). Dozens of watering holes related to APT and cybercrime activity have been discovered using this project, including several exploit kits and actors not yet published in open source.
Alan Neville 🗣
Abstract
On May 12, 2017 a virulent new strain of ransomware known as WannaCry hit hundreds of thousands of computers, affecting all types of organisations across the globe. While it is well understood how WannaCry spread using EternalBlue, there was little information on how the attack initially began.
It is often the case that tracking the activity of an attacker back in time can be invaluable for learning more about how the attacker operates, and potentially identifying any mistakes made. This proved true with WannaCry 1.0.
This talk aims to present a walk-through of Symantec’s investigation into Wannacry and how we were able to identify links to previously identified malware families and tools used in attacks against Sony Pictures Entertainment in November, 2014 to ultimately identify who was behind the attack.
Maria Jose Erquiaga 🗣 | Sebastián García | Carlos Garcia Garino
Abstract
During the last couple of years there has been an important surge in the use of HTTPS by malware. The exact reason for this increase is not completely understood yet, but it is hypothesized that it was forced by organizations only allowing web traffic to the Internet and that using HTTPS makes the malware’s connections look similar to normal connections. Therefore, there has been a growing interest in understanding the usage of HTTPS by malware. This paper describes our research to obtain large quantities of real malware traffic using HTTPS, our use of man-in-the-middle HTTPS interceptor proxies to open and study the content, and our analysis of how the behavior of the malware changes after being intercepted. Our research goal is to understand the use of HTTPS in malware traffic and the impact of intercepting its traffic. After our analysis we conclude that the use of an interceptor proxy in a network should be carefully considered.
Anna Shirokova 🗣 | Veronica Valeros
Abstract
With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well-known Content Management Systems (CMS) have been systematically attacked for the past years by different threat actors looking for disposable infrastructure for their attacks.
Brute-forcing is one of the most common types of attacks against CMSs. The main goal of this attack is pretty straightforward: to obtain a valid username and password and access the CMS administration panel. Attackers take advantage of the fact that, in most cases, the passwords chosen for CMSs are very weak. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks to spread malware.
The goal of this presentation is threefold. First, we will give an overview of the history and current state of brute-force attacks and discuss the reasons why WordPress comes under brute-force attack more often than the other CMS platforms. Second, we will provide an overview of the different brute-forcing botnets and the techniques they use. Third, we will provide an in-depth analysis of the Sathurbot botnet.
The Trojan Sathurbot first appeared in 2013 [3], and is still active, affecting hundreds of users. To date, the trojan has 4 known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware to the infected machine such as Boaxxe, Kovter, and Fleercivet. The web crawler module allows the trojan to search in different search engines for websites using the WordPress CMS. The brute-forcing module is what the trojan uses to attempt to log in to WordPress admin panels with different credentials. The case study focuses on the web crawling and brute-forcing modules, with specific insights obtained from a real infection. It provides insights into the infrastructure, target selection, aggressiveness, and an analysis of its success from our observation.
Finally, we will talk about detection methods to identify these types of attacks.
Will Glazier 🗣 | Mayank Dhiman
Abstract
Automation attacks are currently plaguing organizations in industries ranging from financial to retail, to gaming & entertainment. These attacks exploit stolen credential leaks, black market & custom attack toolkits, and massively scalable infrastructure to launch widely distributed attacks that are extremely difficult to detect, let alone attribute. In this presentation we will inform the audience of the scale of this problem, discuss a detection methodology to counter these attacks, and walk through 3 real-world examples of how attackers created and monetized the distributed infrastructure they require to launch these attacks.
Daniel Plohmann 🗣 | Martin Clauß | Steffen Enders | Elmar Padilla
Abstract
In this paper, we introduce Malpedia, our take on a collaborative platform for the curation of a coherent corpus of cleanly labeled, unpacked malware samples. Illustrating one of the use cases for this data set, we provide a comparative overview of structural characteristics for more than 300 families of Windows malware.
Sebastian Eschweiler 🗣
Abstract
We have already heard of Nymaim’s famous obfuscation techniques, such as WinAPI wrappers, function detours, encrypted memcpy, and others. But have you heard of heaven’s gate, hybrid binaries and thread obfuscation? In this presentation, we will dive into some of the obfuscation patterns that are still untold.
Yuriy Yuzifovich 🗣 | Hongliang Liu | Alexey Sarychev | Amir Asiaee
Abstract
We propose and implement a novel method of discovering botnet activities by identifying new core domains (domains that are directly below a TLD) that appear in real-time DNS query traffic as suspicious, and discovering botnet C&C groups using a domain correlation machine learning model. This method discovers botnet C&C groups before security list vendors which it is benchmarked against.
Matthieu Faou 🗣 | Frédéric Vachon 🗣
Abstract
Stantinko is a botnet that we estimate infects around half a million machines mainly located in the Russian Federation and Ukraine. In addition to its prevalence, Stantinko stands out because of its use of advanced anti-analysis techniques, the heavy usage of encryption to hide malicious code and the use of anti-virus evasion tricks that allowed them to stay under the radar for the past five years. While its main purpose is to commit advertisement fraud, Stantinko also installs a backdoor allowing them to run arbitrary code on the victim’s machine.
The Stantinko malware family dates back to at least 2012. We noticed a significant change in the group’s toolset that occurred at the beginning of 2015, which made it much more difficult to track them and to gather all the pieces necessary to conduct a complete analysis of this notably undocumented threat.
When we began our analysis, we were not sure what kind of malware we were looking at. It took us some time to understand Stantinko’s purpose because of its fileless modular architecture. After reverse-engineering its network protocol, we were able to collect the modules that contain the actual malicious code and were able to slowly draw the big picture. We found out that its malicious activities include advertising fraud, Facebook fraud and brute-forcing administrator credentials of Joomla and WordPress Content Management Systems. At this point, it became clear to us that we were looking at a crimeware botnet.
This presentation will cover the findings from our six-month hunt after this large-scale stealthy botnet.
Lightning talks
Friday 8th December 2017
Anthony Kasza 🗣
Abstract
Due to its flexibility and capacity for embedding other objects, the Rich Text Format (RTF) is a preferred file type used by both precision- and quantity-focused threat actors. This presentation will discuss the state of threats making use of the file format and provide a brief overview of how the file format is constructed. The presentation will also explain results of exploratory experiments conducted to achieve a deep comprehension of the file format’s structure. Best practices for building protections in organizations will be discussed. Techniques developed while hunting for specific features across large sample sets will be shared.
Paul Jung 🗣
Abstract
Password stealers (PWS) have been around for more than a decade now. They are legion. Some, like Pony, aka FareIT, are well known. But nobody really takes the time to explain what is around, what it is capable of and how this little industry works.
However, they are still a common threat, actively used according to our incident logs.
A PWS is not a RAT; we make this distinction. The aim of a PWS is to be launched, steal a lot of credentials and optionally keylog and/or drop another payload.
Sadly nobody cares about them anymore when they fire an antivirus alert inside a company.
To illustrate this, my presentation will go through a couple of PWS that I have met, and I will give an overview of the history and capabilities of the threat, and give tricks and tools/scripts needed to identify and decipher them. A couple of these decoding/identification tools are freely available to the community and not written by me; this task may be achieved by a lot of security people without any skills in reverse engineering.
Finally I will try to summarize these threats by giving the participants a clear view of what is available in the field.
Paul Rascagnères 🗣 | David Maynor 🗣
Abstract
On the 27th of June 2017, a new wormable malware variant surfaced. Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. The presentation will be divided in two parts:
- The first part will describe Nyetya: how it works, the integrated exploits, DoublePulsar modifications, the “encryption” of the infected systems… This part will be focused on the analysis of the malware (reverse engineering).
- The second part will describe the incident response performed by Cisco Advanced Services Incident Response in Ukraine, focused on the M.E.Doc software. This part will contain the techniques used by the attackers to massively compromise M.E.Doc users. A timeline will be exposed and detailed.
Yohai Einav 🗣 | Hongliang Liu | Alexey Sarychev
Abstract
We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seed in real-time DNS query traffic. By combining real-time DNS traffic and this fast search method, we successfully detected all dynamic Locky DGA seeds within seconds from their first appearance, and predicted all future C&C names from those seeds. These C&C names are distributed to production systems used by ISPs worldwide, where they’re blocked. They’re also shared with DGArchive and the security community.
Shusei Tomonaga 🗣 | Keisuke Muda 🗣
Abstract
When attackers intrude into a network by APT attack, malware infection spreads to many hosts and servers. In incident investigations, it is important to examine what actually happened during lateral movement through log analysis and forensic investigation of infected hosts. However, in many cases, there may not be sufficient logs left on the host, which makes it difficult to reveal what attackers did on the network.
Therefore, we investigated attackers’ activities after network intrusion by investigating C2 servers and decoding the malware communication. As a result, we found that there are some common patterns in lateral movement methods and tools that are often used.
In addition, we analyzed the tools and Windows commands and investigated the logs recorded on the host upon execution. As a result, it was revealed that the tools’ execution logs are not recorded with the Windows default settings.
This presentation will explain some attack patterns and typical tools used in lateral movement that are identified through our research. We will also demonstrate how to investigate or detect incidents where such tools and commands are used.
Jaeson Schultz 🗣 | Warren Mercer | Edmund Brumaghin | Nick Biasini
Abstract
Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe.
Enter Necurs, the biggest player in the spam game today. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. Widely considered to be the largest spam botnet on the planet, Necurs is responsible for a large percentage of the overall spam volumes seen around the globe every day. For being such a major threat, very little information has been published regarding its makeup and how it’s being operated by cybercriminals.
This talk will take a deep dive on the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible including both malware distribution and other non-malware based campaigns, including stock based pump-and-dump. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
Łukasz Siewierski 🗣
Abstract
During my talk, I will outline the current state of apps that try to break the Android sandbox model, either by directly exploiting the Android device or by trying to circumvent the protections in place. In the past, there have been mentions of malware families that try to interfere with the Android system the same way Windows malware frequently does – by implementing function hooks or code injection. My talk will also show the difficulties faced by malicious authors, their creativity, goals and the ways that Android system security features prevent such behaviour.
Robert Simmons 🗣
Abstract
Many threat intelligence teams are small and must make limited resources work in the most efficient way possible. The data these teams rely on may be quite high volume and potentially low signal to noise ratio. The tools used to collect and exploit this data have finite resources and must be leveraged at the highest utilization possible. Additionally, these tools must be applied to the most valuable data first.
This talk presents a process that your team can implement to make your threat and malware hunting more efficient. The core of this process uses YARA rules to process files from an arbitrary source in volume. From that core, it covers methods of prioritizing the output of the rules based on the team’s priority and the confidence in the quality of the rules. Using this process, files are submitted to sandboxes for automated analysis. The output of each of these systems is then parsed for certain qualities that would increase or decrease the value of the information to the team. Attendees will take away not only a solid process that they can implement in their own organizations, but also a list of gotchas and problems that they should avoid.