Botconf 2018 Wrap-Up Day #3

And the conference is over! I’m flying back to home by tomorrow morning so I’ve time to write my third wrap-up. The last day of the conference is always harder for many attendees due to the late parties. But I was present on time to attend the last set of presentations. The first one was presented by Wu Tiejun and Zhao Guangyan: “WASM Security Analysis Reverse Engineering”. They started with an introduction about WASM or “Web Assembly”. It’s a portable technology deployed in browsers which helps to provide an efficient binary format available on many different platforms. An interesting URL they mentioned is WAVM, a standalone VM for WebAssembly. They also covered the CVE-2018-4121. I’m sorry for the lack in details but the speakers were reading their slides and it was very hard to follow them. Sad, because I’m sure that they have a deep knowledge about this technology. If you’re interesting, have a look at their slides once published or here is another resource.
The next speaker was Charles IBRAHIM who presented an interesting usage of a botnet. The title of his presentation was “Red Teamer 2.0: Automating the C&C Set up Process”. Botconf is a conference dedicated to fighting botnets but this time, it was about building a botnet! By definition, a botnet can be very useful: sharing resources, executing commands on remote hosts, collecting data, etc. All those operations can be very interesting while conducting red team exercises. Indeed, red teams need tools to perform operations in a smooth way and have to remain below the radar. There are plenty of tools available for red teamers but there is a lack of aggregation. Charles presented the botnet they developed. The goal is to reduce the time required to build the infrastructure, to easily execute common actions, log operations and reduce OPSEC risks. About the C&C infrastructure, they provide user authentication, logging capabilities, remote agent deployment and administration and cover communication techniques. Steps of the red team process were reviewed:
  • Reconnaissance: via recon-ng
  • Weaponization: installation of a RAT with AV alarms, empire agent
  • Delivery: EC2 instance creation, Gophish
  • Exploitation & post-exploitation: Receives the RAT connection, launch discovery commands
Very interesting approach to an alternative use of a botnet.
Then, Rommel Joven came on stage to talk about Mirai: “Beyond the Aftermath“. Mirai was a huge botnet that affected many IoT tools. Since if was discovered, what’s going on? Mirai was also used to DDoS major sites like krebsonsecurity.com, Twitter, Spotify, Reddit, etc. Later the source code was released. Why does it affect IoT devices?

  • Easy to exploit
  • 24/7 availability
  • Powerful enough for DDoS
  • Rarely monitored / patched
  • Low security awareness
  • Malware source code available for reuse
The last point was the key of the presentation. Rommel explained that, since the leak, many new malware were developed reusing some functions or some part of the code present in Mirai. 80K samples were detected in 2018 so far with 49% of the Mirai code. Malware developers are like common developers: why reinvent the wheel if you can borrow some code somewhere else? Then Rommel reviewed some malware samples that are know to re-use the Mirai code (or at least a part of):
  • Hajime – same user/password combinations
  • IoTReaper: user of 9 exploits for infection, integration LUA
  • Persirai/Http81: borrows the port scanner from Mirai as well as utils functions. Found similar strings
  • BashLite: MiraiScanner() , MiraiIPRanges(), … 
  • HideNSeek: configuration table similarity, utils functions, capability of data exfiltration
  • ADB.Miner: Port scanning from Mirai, adds a Monero miner, 
When you deploy a botnet, the key is to monetize it. How is it achieved with Mirai & alternatives: by performing cryptomining operations, by stealing ETH coins, by installing proxies or booters.
Let’s continue with Piotr BIAŁCZAK who presented “Leaving no Stone Unturned – in Search of HTTP Malware Distinctive Features“. The idea behind Piotr’s research is to analyze HTTP requests to try to identify which ones are performed by a regular browser or a malware (Windows malware samples), then to try to build families. The research was based on a huge number of PCAP files that were analyzed through the following process:
PCAP > HTTP request > IDS > SID assigned to request > Analysis > Save to the database
Data sources of PCAP files are the CERT Polska’s sandbox system, mcfp.felk.cvut.cz. HTTP traffic was performed via popular browsers and access to the top-500 Alexa via Selenium. About numbers, 36K+ PCAP file were analyzed and 2.5M+ alerts generated. Traffic from malware samples was from many know families like Locky, Zbot, Ursif, Dreambot, Pony, Nemucod, … 172 families identified in total, 19% of requests of unknown malware. To analyze results, they searched for errors, features inherent to malicious operations (example: obfuscation) and the identification of features which reflect differences in data exchange.
About headers, interesting stuffs are:
  • Occurrence frequency
  • Mispelling
  • Lack of headers
  • Protocol version
  • Destination port
  • Strange user-agent
  • Presence of non-printable characters
About payloads:
  • Non-printable characters
  • Obfuscation
  • Presence of request pipelining
Some of the findings:
  • Lack of colon in header line
  • Unpopular white space character + space before comma
  • End of header line other than CR+LR
  • Non ASCII character in header line
  • Destination port (other ports used by some malware families)
  • Prevalence of HTTP 1.0 version request by malware samples
  • Non ascii characters in payload (downloaders, bankers and trojans)
  • GET request with payload
  • POST with out Referer header
The research was interesting but I don’t see the point for a malware developer to make bad HTTP requests instead of using a standard library to make HTTP request.
Yoshihiro ISHIKAWA & Shinichi NAGANO presented Let’s Go with a Go RAT!”. The wellmess malware is written in Go and was not detected by AV before June 2018. Mirai is one of the famous malware written in this language. The performed a deep review of wellmess:
  • It’s a RAT
  • C2 : RCE, upload and download files
  • Identify: Go & .net (some binaries)
  • Windows 32/64 bits and ELF X64
  • Compiled with Ubuntu
  • The “wellmess” name is coming from “Welcome Message”
  • Usage of IRC terms
  • They make a now classic typo page 🙂
  • Specific user-agents
  • C&C infrastructure (no domains, only IP addresses)
  • Lateral movement not by default but performed via another tool called gost (Go Simple Tunnel)
  • Some version are in .Net
  • Bot command syntax: using XML messages
They performed a live demo of the botnet and C&C comms. Very deep analyzis. They also provided Suricata IDS and YARA rules to detect the malware (check the slides).
After the lunch break, James Wyke presented “Tracking Actors through their Webinjects”. He started with a recap about banking malware and webinjects. they are not simple because web apps are complex. Off-the-shelf solutions are available. The idea of the research: Can we classify malware families based on web injects? some are popular for years (Zeuxs, Gozi). James reviewed many webinjects:
  • Yummba
  • Tables
  • inj_inj
  • LOB_ATS
  • adm_ssl
  • concert_all
  • delsrc

For each of them, he gave details like the targets, origin, explanation of the name and a YARA rule to detect them and many more information.

Then Łukasz Siewierski presented “Triada: the Past, the Present, the (Hopefully not Existing) Future“. He explained in details the history of the Triada malware present in many Android smartphones. It was discovered in 2016 but involved with the time.
Matthieu Faou presented “The Snake Keeps Reinventing Itself”. It was a very nice overview of the Turla espionage group. A lot of details were provided, especially about the exploitation of Outlook. I won’t give more details here, have a look at my wrap-up from Hack.lu 2018 where Matthieu give the same presentation.
Finally, the scheduled was completed with Ya Liu’s presentation: “How many Mirai variants are there?“. Again a presentation about Mirai and alternative malware that re-use the same source code. There was some overlapping with Rommel’s presentation (see above) but the approach was more technical. Ya explained how automate the extraction of configurations, what are the attack methods and dictionaries. From 21K analyzed samples, they extracted configurations and attack methods. Based on these data, they created five classification schemes. More info was also published here.
As usual, there was a small closing ceremony with more information about this edition: 26 talks for a total of 1080(!) minutes, 400 attendees coming from all over the world. Note already the date of the 2019 edition: 3-6 December. The event will be organized in Bordeaux!