Botconf 2018

4th - 7th December 2018, Toulouse

300 participants from all around the world

28 presentations and 3 workshops

4 days of exchanges, discussions and making new friends!


Schedule

Tuesday 4th December 2018

11:00 – 18:00
14:00 – 18:00
14:00 – 18:00

Wednesday 5th December 2018

10:20 – 11:00
Swimming in the Cryptonote Pools
Emilien Le Jamtel 🗣

Abstract

In the world of cryptocurrency-related malware, mining currencies based on cryptonote technology like Monero (XMR) is a growing threat for organizations. We can observe that interest in such cryptocurrencies has increased dramatically among malicious actors these past months because of the specificities of this technology.

In this talk we will explain why such cryptocurrencies are appealing for malicious actors, and how to leverage publicly available sources for hunting of such related activities.

Slides: PDF
11:00 – 11:30
APT Attack against the Middle East: The Big Bang
Aseel Kayal 🗣 | Lotem Finkelstein 🗣

Abstract

Over the past few weeks, we discovered the comeback of an APT attack against the Middle East, and specifically against the Palestinian Authority. 

The APT group behind this attack launched a campaign over a year ago, and very little of this operation was seen in the wild since. The renewed Big Bang campaign incorporates improved capabilities, wider functionalities, and a more offensive infrastructure. It also seems to have very specific targets in mind. 

Shared interests and malware features with campaigns belonging to the Gaza Cybergang that emerged in both 2017 and 2018 show that the infamous threat group is most likely behind this attack. 

Although the APT has gone through significant upgrades over the last year, the conductors maintained evident and peculiar fingerprints. Both the delivery methods and the malicious artifacts had unique traces which helped us link the current wave to past attacks. 

Among the techniques attributed to the APT group, one could find fake news websites containing up-to-date articles, well-formulated e-mails with malicious attachments or embedded links, and mobile applications posing as legitimate services. All of these methods are meant to filter-in targeted victims that meet predefined characteristics and lead to a custom-made reconnaissance malware. 

During our investigation, we were able to spot only three instances of the renewed operation, but distinctive characteristics in the command and control websites revealed a wider infrastructure that may serve unknown samples. While our analysis covered the capabilities of the malware, we are certain that this is a part of an ongoing multi-staged attack, the full infection chain of which has not been completed yet. 

The campaign earned its name due to the authors’ affection for the successful TV series “The Big Bang Theory” as reflected in their function naming standard. The malware code is decorated with the character names of the popular series, but also actors of the Turkish series “Resurrection: Ertugrul”. 

In our presentation we will cover the operation of this group, focusing on the recent improvements and tactics, as well as the techniques and procedures (TTPs) that identified this group both in previous attacks and in the current one.

Slides: PDF
11:30 – 12:30
Code Cartographer’s Diary
Daniel Plohmann 🗣 | Steffen Enders | Elmar Padilla

Abstract

At last year's Botconf, we launched Malpedia [1], our community-driven approach to creating a free and independent resource for rapid identification and actionable context when investigating malware. While we only touched the surface of analysis possibilities last time (mostly surveying PE header characteristics), in this talk we want to take a deep dive, showing the results of more than two years of ongoing in-depth analysis efforts. This time, the focus will be on the unpacked representatives of more than 700 families of Windows malware.

In the first part of this presentation, we will investigate the usage patterns of the Windows API as exposed by malware. For this, we extend ApiScout [2] with a method to extract API usage fingerprints. We will demonstrate how this information can be used to reliably identify and characterize malware families and that this information seems to capture habits of their respective authors to some degree. 

In the second part, we will introduce SMDA [3], a minimalist recursive disassembler library that is optimized for accurate Control Flow Graph (CFG) recovery from memory dumps. SMDA’s output allows us to create a function index, which can be used to identify similar code. On the one hand, we can use this similarity information to recognize and measure how commonly 3rd party libraries are used in malware. On the other hand, we can also isolate the unique, characteristic code for families in order to derive detection signatures for them. 

[1] https://malpedia.caad.fkie.fraunhofer.de 
[2] https://github.com/danielplohmann/apiscout 
[3] https://github.com/danielplohmann/smda  

Slides: PDF
Paper: Article
12:30 – 12:50
Cutting the Wrong Wire: how a Clumsy Attacker Revealed a Global Cryptojacking Campaign
Renato Marinho 🗣

Abstract

We have seen a massive spike in malicious crypto mining campaigns killing themselves for the chance to have their victim’s CPU. The shorter and shorter time window between vulnerability disclosure and cryptojacking opportunistic attacks taking advantage of them may help us to understand how profitable they are to the point of getting priority over ransomware attacks. This article consists of a walk-through on a remarkable incident caused by an eager and clumsy attacker which ended up revealing multiple cryptojacking campaigns targeting large organizations across the world in early 2018.

14:00 – 15:00
15:00 – 15:40
In-depth Formbook Malware Analysis
Rémi Jullian 🗣

Abstract

Form-grabber malware is nowadays quite common. It provides simple yet effective methods for stealing infected users' credentials. The name comes from the fact that it targets HTML form submissions made by web browsers. Sometimes it also provides classical password-stealer capabilities such as key-logging, or modules designed to take screenshots. It can also embed code for harvesting users' application passwords stored on the file system.

Formbook is a 'ready-to-use' form-grabber malware, sold illegally on hacking forums. Thus, it can be used by cyber-criminals who do not necessarily have malware development skills, although it can still be used by more advanced actors. It comes with a PHP web application used to implement the C&C server. It also offers a panel, used to graphically manage infected computers and visualize stolen data.

In order to evade antivirus detection, to detect automated malware analysis environments or to complicate its reverse engineering, Formbook implements many tricks. It also uses interesting code injection techniques, based on APC injection and thread hijacking, to perform actions like process creation from within the context of legitimate Windows processes such as explorer. Its ability to migrate from a 32-bit process, running in WoW64 compatibility mode, to a native 64-bit process also makes it worth looking at.

Slides: PDF
15:40 – 16:10
How Much Should You Pay for your own Botnet?
Antoine Rebstock 🗣

Abstract

Cloud computing provides scalable and on-demand infrastructure, which seems to be the perfect way to host a botnet. This paper focuses on cloud-based botnets to perform legal DDoS resilience tests. We model the cost of such botnets and provide both technical and economical insights into their usage for controlled DDoS attacks. While these purpose-built botnets appear to be more expensive than online DDoS booter services, they remain affordable in the context of legal audits.

Slides: PDF
16:40 – 17:20
Collecting Malicious Particles from Neutrino Botnets
Jakub Souček 🗣 | Jakub Tomanek 🗣 | Peter Kálnai

Abstract

Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013. It has been actively developed ever since, resulting in version 5.4 at the very beginning of 2018. From the early times, when the bot's commands were focused on various DDoS attacks, it evolved into something quite different. Its current state allows it to remotely execute commands and files, scan the infected system, and both modify and monitor network traffic, while keeping some of the old tricks as well.
In the talk, we would like to look at different versions of the bot and their specifics and describe the changes that are being made. We will also explain its current functionality and its transition into a fully functional banking trojan.
The malware is affordable and relatively cheap, which leads to many independent actors operating their botnets in very different ways. That said, it is much more interesting to learn what each group leverages the bot for rather than tracking it as a whole.
Identifying similar configurations is not always easy, but there are several ways to do so. We want to demonstrate methods for detecting which samples belong together in order to identify different botnets. We will show the botnets that have been discovered during the last year, what is typical for them, how they use the bot and what they have delivered through it. We will also lighten the mood with several examples of situations where operators failed to execute their malicious activities properly by using wrong configurations or harmless webinjects.
No centralized distribution method is offered, which means every botnet operator has to distribute the bot on their own. The discovered methods include malvertising, trojanized installers or the Ammyy supply chain attack.

Slides: PDF
Paper: Article
17:20 – 17:50
Trickbot The Trick is On You!
Floser Bacurio Jr. 🗣 | Joie Salvio 🗣

Abstract

The bot malware landscape is always changing, with both new and old families being updated with new techniques to perform cybercrime. Due to their sheer number, manually analysing and tracking them is a tedious affair, which entails a delayed response to the threat. Because of this, automated systems have become an integral part of malware research to learn more about these commonly on-and-off malware operations. Data obtained from these systems can be indispensable for planning and implementing counter-moves against the threat. In this way, we can lessen the gap between threat discovery and mitigation.

With the same motivation, we have conducted research on the Trickbot family, which has become one of the most popular botnet families since its first discovery in 2016. It has evolved with new modules being added to its arsenal for spreading and stealing more information from its victims. Up to this day we are seeing new campaigns and modules being distributed in the wild.
What got us really interested in this malware is its refined network behaviour and, more importantly, the wide variety of modules that it distributes to its victims. Its rotating C2 servers and by-command delivery of its modules make manual analysis and monitoring extremely tedious. We thought this was a good opportunity to create a tracker system to monitor the malware.
Trickbot's infrastructure relies on its modular infection distributed via its own network protocol under TLS. This eventually became our entry point for gathering data from its own servers.

In this presentation, we will discuss Trickbot's behaviour. More importantly, we will also focus on the procedures we took to design and build the monitoring system, including the challenges we encountered along the way. This will rely heavily on reverse engineering its network communication and how we were able to use its own protocol to obtain specific artefacts from its servers.
As a result of the data we gathered, we will share statistics and the information generated from the tracker and how they can be used to help mitigate the threat automatically.

Slides: PDF
17:50 – 18:30
Automation, structured knowledge in Tactical Threat Intelligence
Ronan Mouchoux 🗣 | Ivan Kwiatkowski 🗣

Abstract

As connected societies face ever-evolving risks, traditional cyber security solutions have been charged with incompetence by the popular jury. Yet they are working for what they have been designed for; the rise of targeted attacks as well as the maturation of advanced cybercrime force defenders to find new ways of fighting the ghosts in the machines. Cyber Threat Intelligence emerged about a decade ago, bringing a new mind-set, tools and methods to the overall InfoSec community. After recalling what composes this activity, this conceptual presentation will focus on Tactical Threat Intelligence. Diagnosing that adversaries' behaviour analysis has been mainly hijacked to provide technical indicators and strategic feedback, we will review today's methods and tools used for cyber threat profiling and express the limitations or problems they bring to the Intelligence Tradecraft specialist. Moved by the impression that today's Tactical Threat Intelligence is rarely, as they say, turned into action, we will finally explore new leads that could bring the discipline more operational concretisation and help tactical analysts on the difficult path to automating tasks in a very psychologically influenced domain.

Slides: PDF

Thursday 6th December 2018

09:00 – 09:50
Internals of a Spam Distribution Botnet
Jose Miguel Esparza 🗣

Abstract

Cybercriminals use different methods to distribute malware, like malicious advertisements, Exploit Kits, loaders or spam campaigns. Unless an attack is really targeted, the bad guys will try to infect as many computers as possible, and they need some automation for that. It is well known that they use botnets to distribute malware and create spam campaigns. Popular malware families like Necurs, Cutwail, Onliner Spambot or Emotet are examples of this kind of botnet, which are not usually analyzed deeply because we tend to focus on the final malware families which are spread, like bankers, stealers or RATs. This talk will focus on one of these malware families used to send spam, Onliner Spambot, explaining internal details about its different modules, its control panel, how it is checking and misusing stolen credentials, and about the threat actors who are operating it and selling it. Malware distribution is an interesting part of the cybercrime ecosystem and it is important to pay attention to those distribution botnets too.

Slides: PDF
09:50 – 10:20
Botception: Botnet distributes script with bot capabilities
Jan Sirmer 🗣 | Adolf Středa 🗣

Abstract

Monitoring botnets is a crucial component of cybersecurity, but it's not every day we see a botnet spreading scripts with bot capabilities. At the end of April 2018, while monitoring one of the branches of the Necurs botnet, we observed new scripts being distributed by the botnet.

In our presentation we will dive into the results of our analysis of scripts with bot capabilities, spread by a botnet. The analyzed scripts were spread by the Necurs botnet through spam emails, and while the initial infection chain was rather short, the multiple stages thereafter included capabilities to make it a fully fledged botnet.

The distribution of these scripts is an interesting step away from the standard behavior of the Necurs botnet, and we will therefore share information about the Necurs branch we are monitoring, the changes it underwent in a year, and a detailed analysis of the script bot itself. As the code involved in the infection chain was not heavily obfuscated, the analysis will be interlaced with code examples.

Our analysis provides detailed information about the function and behavior of the scripts, the origin of the information and a comparison of the scripts’ versions over time. After we explore the scripts’ whereabouts, we will again dive more deeply into the Ammyy-like malware infection chain.

Slides: PDF
10:20 – 10:50
Stagecraft of Malicious Office Documents – A Look at Recent Campaigns
Nirmal Singh 🗣 | Deepen Desai 🗣 | Tarun Dewan 🗣

Abstract

Malicious Office documents have become a favorite malware delivery tool for malware authors. We have observed an increase in the use of malicious documents over the past 4 years: 30% of the malware blocked by Zscaler Cloud Sandbox since 2017 are malicious Office documents. Malicious Office documents are used for the delivery of crimeware payloads and are also often involved in Advanced Persistent Threat (APT) attacks. Over time, these malicious Office documents have used various obfuscation, encryption and evasion techniques to prevent detection. In this paper, we will provide a detailed analysis of the different obfuscation, encryption, exploit and evasion techniques used in these malicious documents. We have analyzed over one thousand malicious documents from fifty different campaigns for this study. This research paper also lists the different malware samples delivered by these malicious documents and the use of PowerShell as well as other scripting languages.

Slides: PDF
11:10 – 11:50
Hunting and Detecting APTs using Sysmon and PowerShell Logging
Tom Ueltschi 🗣

Abstract

Many security professionals and Blue Team members appreciate a good and detailed written APT report by any renowned security company. This is especially true if they document and explain some new and stealthy technique that was used and is not yet well known by defenders.

One such technique is “WMI event subscription” for persistence, which has been used by APT29.
Another one is the “Logon Script” technique (“UserInitMprLogonScript” reg key) used by APT28.
A third technique that is discussed very often is (ab-)using Powershell and “living off the land” (LOL).
To even top this one, attackers are using “unmanaged Powershell” (e.g. using PowerPick) to evade command line based detection. But thanks to the Powershell logging features available since version 5, even this can be detected.

I will discuss and show how to detect all of these techniques by using Sysmon data and Powershell logging (with Splunk as a SIEM).

Slides: PDF
11:50 – 12:40
14:00 – 14:40
14:40 – 15:10
Everything Panda Banker
Dennis Schwarz 🗣

Abstract

The Panda Banker malware was first spotted in the wild in early 2016. It has since seen consistent development, gained a significant threat actor user base, and has become one of the most advanced and persistent banking malwares in the current threat landscape. This presentation compiles together the author’s research and tracking of Panda Banker complemented with the prior work of other malware researchers studying the threat. Its aim is to provide a detailed survey of everything Panda Banker: what it is, where did it come from, what it does, how it works, who’s using it, how effective they are, who is being targeted, and where is it going. The hope is for researchers and defenders to walk away with a better understanding of Panda Banker and maybe some ideas on how to better detect and mitigate it.

Slides: PDF
15:10 – 16:00
Judgement Day
Thomas Siebert 🗣

Abstract

– Suspense 🙂

16:30 – 17:20
The Dark Side of the ForSSHe
Romain Dumont 🗣 | Hugo Porcher 🗣

Abstract

In February 2014, ESET researchers from Montreal published a report on a group who had compromised more than 40,000 Linux servers worldwide since 2011. ESET named this campaign Windigo. At the centre of this operation was Ebury, an OpenSSH backdoor which allowed the attackers to remotely take control of compromised servers as well as steal login credentials (passwords, keys), which were then used to connect to other servers. This simple yet effective method allowed them to extend their network of compromised servers.

Slides: PDF
17:20 – 18:15
Lightning talks
Slides: PDF

Friday 7th December 2018

09:20 – 09:50
WASM Security Analysis Reverse Engineering
Guangyuan Zhao 🗣 | Tiejun Wu 🗣

Abstract

WebAssembly (WASM) is a new technology designed for browsers. It aims to define a portable, size- and load-time-efficient binary format to serve as a compilation target which can be compiled to execute at native speed by taking advantage of common hardware capabilities available on a wide range of platforms, including mobile and IoT.
Our presentation will cover a brief introduction to this technology and its analysis with or without access to the source code. It will also cover security issues and how it can be used by a botnet.

Slides: PDF
09:50 – 10:10
Red Teamer 2.0: Automating the C&C Set up Process
Charles Ibrahim 🗣

Abstract

This talk follows the amazing documentation provided by Steve Borosh (@424f424f) and Jeff Dimmock (@bluscreenofjeff) in their dedicated repo.
It also builds on several red team operations that leveraged the tips issued by these authors.
We will describe a new open source tool, whose name will be revealed during the presentation. That tool aims at managing red team operations and, in particular, enables Command and Control infrastructure set-up automation.

Slides: PDF
10:10 – 10:40
Mirai: Beyond the Aftermath
Rommel Joven 🗣 | David Maciejak | Jasper Manuel

Abstract

Two years have passed since Mirai unleashed its wrath on the world by targeting high-profile victims. Many things have happened since then: the good, the author responsible has already been convicted; the bad, the source code was released to the public; and the not so bad, organizations became aware of the threat and geared up their defences for the possible next attack. The question now is, what's next after Mirai? Ever since the release of its source code, many have used, experimented with, and modified the code to their own liking and purpose. These so-called Mirai copycats all want to have a piece of the IoT pie, battling to compromise more vulnerable IoT devices to grow their own army of bots and become Mirai's possible heir. This research on the aftermath of Mirai will focus on three technical aspects: Mirai variants with their significant modifications, a genealogy of all Mirai variants identified so far, and whether other botnets have reused some of Mirai's code.
To begin with, we will talk about the techniques added to the variants to infect more IoT devices, like an exhaustive factory default credentials set, the use of both known and unknown exploits and targeting more architectures. We will also present the new ways they monetize IoT bots, such as targeting miners or using them as proxies.
So far the research has identified 100 variants and counting. We will discuss how we automatically decrypt and dump the configuration for easy family identification and C2 extraction. Additionally, to have a better overview and understanding of the variants we will compare all of them and see how they relate to each other.
A botnet that we observed reusing Mirai's code is Hide 'N Seek. We will take a look at its modules and compare it to Mirai to see whether the configuration encryption algorithm is still the same.
To finish the presentation, we will share interesting insights, findings and lessons learned in the research and how these can help researchers in their threat intel tasks.

Slides: PDF
11:10 – 11:50
Leaving no Stone Unturned – in Search of HTTP Malware Distinctive Features
Piotr Białczak 🗣

Abstract

When we analyze malware C&C network traffic we often see that it contains the HTTP protocol. Sometimes the messages are obfuscated and sometimes sent as plain text. They can be intentionally crafted to look like they were sent by a web browser. But in many cases they are sent using standard libraries and tools. Intuition suggests that there should be some distinct features which can help to distinguish between malware and benign applications sending HTTP requests. In our presentation we want to present the results of our analysis in search of such features.
Analyzed features include headers' appearance (misspellings, unusual names), header values, general payload analysis (entropy, character analysis, etc.) and header sequence order. In our search we have analyzed more than 35 000 pcap files from CERT Polska's sandbox environment and the Malware Capture Facility Project. They include network traffic of about 190 malware families, split into common categories like bankers, ransomware, downloaders, spambots, etc. To identify distinct features, we have compared the results against browser traffic to Alexa's top 500 popular domains worldwide. The outcome was surprising even for us.

The presentation won't be academic. We want to share the main conclusions which can help you when dealing with malware HTTP traffic. To provide even more operational knowledge, we want to compare the results with traffic generated by popular Windows HTTP libraries and tools. We will also present particularly interesting examples of HTTP anomalies, both in malware and benign traffic.

Slides: PDF
11:50 – 12:20
Let’s Go with a Go RAT!
Yoshihiro Ishikawa 🗣 | Shinichi Nagano 🗣

Abstract

The Go language (Golang) is an open source programming language developed by Google Inc. in 2009, and it can run on various platforms such as Linux, Mac, Windows and Android.
Speaking of malware using Golang, Mirai is one of the famous ones (it uses Go for the C2 program), but malware such as Encriyoko, Lady, GoARM.Bot, Go Athena RAT and others has also been confirmed.
However, we can't say that Golang is commonly used as a development basis for malware coding when looking at the ratio of popular malware.

In this presentation, we would like to introduce the analysis results of a new malware, which we call "WellMess", coded in Golang for multiple platform operating systems. This malware was used in several incident cases that we confirmed from January 2018; we recognize it as new malware according to our team's analysis and the traffic it generates when communicating with the C2 servers.
Additionally, we will explain the reverse engineering of the WellMess malware and demonstrate its botnet operation.

Slides: PDF
12:20 – 13:00
Tracking Actors through their Webinjects
James Wyke 🗣

Abstract

Webinjects have been a feature of banking malware ever since they were popularised with great success by early families such as Zeus. In that time writing Webinjects has become a highly specialized skill with off-the-shelf Webinjects systems becoming as popular as the banking malware itself.

Webinjects are used to deploy Automated Transfer Systems, payment card data harvesters, session hijackers, and even to deploy web based crypto-currency miners. With some vendors in operation for over five years, the area of Webinjects development appears to be a lucrative and potentially long-lived occupation.

This presentation explores prevalent Webinjects systems, their capabilities and which malware families are deploying them, and how we can use Webinjects to track actors as they switch between using different malware families. We present details of the criminal groups we have discovered this way.

Slides: PDF
14:00 – 14:50
Triada: the Past, the Present, the (Hopefully not Existing) Future
Łukasz Siewierski 🗣

Abstract

Triada is an Android threat known within the malware research field for a couple of years. Despite that, it still remains a very interesting threat, as its authors did something very rarely seen in any malicious software: instead of evading detection, they embraced it. Triada was first detected preinstalled on the system image of some low-end Android devices in mid-2017.

As soon as we detected these applications, we reached out to OEM partners to address this threat and we gained a unique insight into Triada’s evolution and tactics. This presentation will cover Google Play Protect’s findings and present previously unrevealed aspects of Triada and the extent to which it backdoored OEM system images. We will also cover how our unprecedented coordination with OEMs led us to update system images across the Android ecosystem.

14:45 – 15:30
The Snake Keeps Reinventing Itself
Matthieu Faou 🗣

Abstract

After having tracked Turla's activities for several years, we now have a unique understanding of their Tools, Tactics and Procedures (TTPs). In this talk, we would like to share this knowledge to help defenders protect their networks.

Turla is an espionage group known for targeting governments, diplomats and militaries all around the world. One of their first documented campaigns was against the US military ten years ago and they are still very active. During this presentation, we will discuss some recent public cases involving Turla operators. This threat actor targets very specific groups of people and, as such, uses advanced targeting techniques such as spear phishing and watering holes to go after them.

We will present an in-depth analysis of currently undocumented components, such as a highly resilient Outlook backdoor, allegedly used in the early-2018 attack against the German government. We will also provide an overview of the different changes in their TTPs that occurred in the past few months.

Slides: PDF
15:30 – 16:00
How many Mirai variants are there?
Wenji Qu 🗣 | Hui Wang 🗣

Abstract

Mirai was open-sourced soon after overwhelming several high-profile targets including Krebsonsecurity, OVH, and DYN in Autumn 2016, which led to a proliferation of Mirai variants in the past 2 years. To better fight Mirai botnets, effective variant classification schemes are very necessary. Currently, Mirai variants are usually classified by their branch names (e.g., JOSHO, OWARI, MASUTA), which come from a "/bin/busybox" command line found in the Mirai sample. While the default name is "MIRAI", the branch name was usually replaced with one of the author's choosing (e.g., MASUTA, SATORI, SORA) in later variants.
However, we think the branch-based classification scheme is too coarse-grained to reveal: 1) the variances within a single variant across different stages, and 2) the connections among different branches. In this talk, we would like to present our classification schemes, derived from 32K+ collected samples and 1,000+ extracted CNCs. Our schemes are mainly based on configuration data, supported attack methods, and credential dictionaries, which are all extracted from the samples. For example, we successfully classify Mirai samples into 106 variants based on the combination of supported attack methods. We also successfully connected multiple branches based on the keys used in configuration encryption. To summarize, the content of this talk is as follows:
1) We will demonstrate the idea of automatically extracting configurations, supported attack methods, and credential dictionaries from samples for classification purposes.
2) We will propose a fingerprint technique to recognize Mirai attack methods (e.g., syn_flood, http_flood) with information extracted from samples without reverse engineering work.
3) We will introduce a set of classification schemes based on the extracted data, and will investigate popular Mirai branches with the proposed schemes.

It's worth mentioning that since the data used is processor-independent (e.g., x86, x64, ARM, MIPS, SPARC, PowerPC), our schemes can classify the same variant's samples even if they are for different CPU architectures.

Slides: PDF
