Veronica Valeros
Last known affiliation: Stratosphere Laboratory, AIC, FEL, Czech Technical University in Prague
Bio: Veronica is a senior researcher with over 10 years of cybersecurity experience. As a project leader, she drives research and development projects, improves processes, and leads community engagement. She specialises in malware traffic analysis and threat research. She has presented at international conferences and co-founded MatesLab hackerspace and the Independent Fund for Women in Tech.
Anna Shirokova 🗣 | Veronica Valeros
Abstract
With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well-known Content Management Systems (CMS) have been systematically attacked for the past years by different threat actors looking for disposable infrastructure for their attacks.
Brute-forcing is one of the most common types of attack against CMSs. The goal of this attack is straightforward: to obtain a valid username and password and gain access to the CMS administration panel. Attackers take advantage of the fact that, in most cases, the passwords chosen for CMS accounts are very weak. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks that spread malware.
The goal of this presentation is threefold. First, we will give an overview of the history and current state of brute-force attacks and discuss why WordPress comes under brute-force attack more often than other CMS platforms. Second, we will provide an overview of the different brute-forcing botnets and the techniques they use. Third, we will provide an in-depth analysis of the Sathurbot botnet.
The Trojan Sathurbot first appeared in 2013 [3] and is still active, affecting hundreds of users. To date, the trojan has 4 known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware to the infected machine, such as Boaxxe, Kovter, and Fleercivet. The web crawler module allows the trojan to query different search engines for websites running the WordPress CMS. The brute-forcing module is what the trojan uses to attempt to log in to WordPress admin panels with different credentials. The case study focuses on the web crawling and brute-forcing modules, with specific insights obtained from a real infection. It provides insight into the infrastructure, target selection, and aggressiveness of the botnet, and an analysis of its success based on our observations.
Finally, we will talk about detection methods to identify these types of attacks.
Veronica Valeros 🗣 | Sebastián García 🗣
Abstract
Nowadays there are many tools to analyze traffic, but the most important thing to have is the experience and knowledge of a malware analyst. The goal of the workshop is to give hands-on experience in analyzing the behavior of malware and botnet traffic on the network by studying their web patterns and their traffic behavior. The workshop will use pcap files of both real malware captures and real normal captures. Participants will learn a proven approach to traffic analysis: how to recognize malicious connections, how to separate normal behaviors from malicious behaviors, how to recognize anomalous patterns, and how to deal with large amounts of traffic. Analyzing only malware traffic may not be so complicated for some people, but accurately separating it from normal traffic is harder.
The most important lesson of the workshop is not how to use Wireshark or tcpdump. The workshop transmits the experience of recognizing the malicious actions of malware on the network: how to identify when malware tries to hide, how to recognize encryption, how to discard false connections, and so on. Participants should leave with a solid understanding of how to obtain an overall picture of the traffic and recognize whether it contains malicious behaviors.
Veronica Valeros 🗣
Abstract
What does a botnet do when it gets bored? Make every second of an infection count – even if that means using the infection time for brute forcing.
This presentation aims to show a complete sandbox infection cycle, which started with what appeared to be a Gamarue infection and ended up with malware automatically brute-forcing horizontally across more than 4000 targeted WordPress sites.
By performing an in-depth network traffic analysis of a 15-day network capture, the talk will unveil how this botnet works.