Botconf Author Listing

Peter Kálnai


Last known affiliation: ESET

Date: 2018-12-05
Collecting Malicious Particles from Neutrino Botnets
Jakub Souček 🗣 | Jakub Tomanek 🗣 | Peter Kálnai

Abstract (click to view)

Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013. It has been actively developed ever since resulting in version 5.4 at the very beginning of 2018. From the early times, when the bot’s commands were focused on various DDoS attacks, it evolved into something quite different. Its current state allows to remotely execute commands, files, scan the infected system and both modify and monitor network traffic while keeping some of the old tricks as well.
In the talk, we would like to look at different versions of the bot and their specifics and describe the changes that are being made. We will also explain its current functionality and transition into a fully functional banking trojan.
The malware is affordable and relatively cheap which leads to many independent actors operating their botnets in a very different way. That said, it is much more interesting to learn what each group leverages the bot for rather than tracking it as a whole.
Identifying similar configurations is not always easy, but there are several ways to do so. We want to demonstrate the methods of how to detect which samples belong to each other in order to identify different botnets. We will show the botnets that have been discovered during the last year, what is typical for them, how do they use the bot and what have they delivered through it. We will also lighten the mood with several examples of situations, when operators failed to execute their malicious activities properly by utilizing wrong configuration or harmless webinjects.
No centralized distribution method is offered, that means every botnet operator has to distribute the bot on his own. The discovered methods include malvertising, trojanized installers or the Ammyy supply chain attack.

Slides Icon
PDF
Paper Link Icon
Article
Date: 2014-04-12
Chinese Chicken: Multiplatform DDoS Botnets
Peter Kálnai 🗣 | Jaromír Hořejší 🗣

Abstract (click to view)

One of capabilities of a malicious botnet is to perform a distributed denial of service (DDoS) attack. Attacks can be performed by various methods like volumetric flooding, slow HTTP attacks or TCP protocol misuse. A DNS amplification is an example of volumetric flooding that became popular recently. It is well known that Trojans for the Windows platform with resources containing Chinese locale have a long tradition of interest in this type of attacks and lack other spying features that Trojans usually possess.

We present a survey of current trends in usage of standalone grey area tools performing DDoS for multiple platforms. The focus is put especially on Linux and FreeBSD versions. These tools are later trojanized by adding persistence using executable droppers or scripts editing crontab. The infection vector starts with automated brute-forcing of the SSH protocol, the malicious flooding tools are then deployed in the compromised system and executed. The competition for resources, such as ports and CPU time, is manifested as the initial attempt to kill and to remove other, possibly flooding, processes. Variants for Windows x86/x64 are co-distributed already with persistence and possess a debug string ‘Chicken’ appearing in the title.

The technical part of this analysis covers versions designed for several platforms and architectures. This involves behavioral aspects of initial droppers, the installation of components performing DDoS, the description of internet communication and the collection of various system and performance statistics. For a better insight, we will demonstrate several bot builders and C&C panels which have been acquired. Screenshots of publicly available advertisements promoting the charged customizability of Linux variants will be displayed.

During our analysis, we connected to the botnets and monitored several C&C servers for a certain period of time which gave us a chance to collect some statistics. Therefore we are able to present particular examples of websites and services which were flooded. We shortly discuss the motivation behind the selection of these attack preferences.

Slides Icon
PDF
Video
Scroll to Top