use your enemies: tracking botnets with bots. · 2017. 12. 25. · software/security engineer @...
TRANSCRIPT
![Page 1: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/1.jpg)
Use your enemies: tracking botnets with bots.
$ whois msm
Jarosław Jedynak
Software/Security Engineer @ CERT.pl
P4 CTF
RE/Software dev
Botnets, especially P2P ones
https://tailcall.net
@msmcode, msm@cert.pl
$ whois psrok1
Paweł Srokosz
Security researcher/Malware analyst @ CERT.pl
P4 CTF
RE/Software dev
Studying CS at Warsaw University of Technology
https://0xcc.pl
@[email protected]
This talk
If you know both yourself and your enemy, you can win numerous battles without jeopardy.
Sun Tzu
Have a little chat with a botnet:
What do bots usually talk about?
How to learn your enemy's language?
Improve your skills (constantly)
Avoid the Friend Zone
Be like a native speaker
mtracker project:
Part of the SISSDEN project coordinated by NASK
Scraping useful information from various botnets
We're trying to communicate with C&C using our own clients
Idea: "malware emulation" with scripts instead of sandboxing real malware
What bots usually talk about
Botnets are used for malware distribution:
Malware updates
Additional components doing specific tasks
Various malware (loaders)
Fresh, zero-day samples immediately after release
Collected data are useful in many ways:
Improving anti-fraud systems used in online banking
Discovering new phishing campaigns
Tracking changes in botnet infrastructure
So...
How to learn your enemy's language
Automated malware analysis toolchain
Case study: Nymaim
Banker trojan
Big threat in Poland
Heavily obfuscated
Thoroughly analysed by CERT.pl:
https://cert.pl/en/news/nymaim-revisited/
We need to extract webinjects/C&Cs, so we can react appropriately.
mtracker to the rescue
Case study: Nymaim (webinjects)
Case study: Nymaim
Problem: we can't talk to the C&C server when we don't even know its IP address.
Solution: Cuckoo to the rescue. To be precise: a modified Cuckoo.
Cuckoo + scripts = Ripper
![Page 28: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/28.jpg)
Case study: Nymaim
Config extraction from dump: simple bruteforce

```python
def nymaim_brute_blob(self, mem):
    # Try every offset in the dumped region as a candidate blob start and
    # keep the first one that decrypts to something that looks like a config.
    for i in range(mem.base, mem.base + mem.dsize - 12):
        decrypted = self.nymaim_extract_blob(mem, i)
        if is_good_config(decrypted):
            return parse_config(decrypted)


def nymaim_extract_blob(self, mem, ndx):
    # ... (raw, key0 and key1 are set up here; elided on the slide)
    prev_chr, result = 0, ''
    for i, c in enumerate(raw):
        # Keystream byte: low byte of key0 plus the previous plaintext byte.
        bl = ((key0 & 0x000000FF) + prev_chr) & 0xFF
        key0 = (key0 & 0xFFFFFF00) + bl
        prev_chr = ord(c) ^ bl
        result += chr(prev_chr)
        # Key schedule: add key1, then rotate the 32-bit key left by one byte.
        key0 = (key0 + key1) & 0xFFFFFFFF
        key0 = ((key0 & 0x00FFFFFF) << 8) + ((key0 & 0xFF000000) >> 24)
    return result
```
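The extraction loop on the slide, as an added stand-alone model that is not code from the talk or from mtracker. The decryption loop is the slide's, rewritten over bytes; everything the slide elides is an assumption here: the blob layout (key0, key1 and a length as three little-endian uint32 in front of the ciphertext, which is one reading of the loop's `- 12`), the `is_good_config()` plausibility test, and the sample dump, which is constructed with a matching encryptor rather than taken from a real Nymaim process.

```python
# Added example, not code from the talk or from mtracker: the slide's
# decryption loop plus the pieces it elides, all of them assumptions.
import string
import struct

HEADER = struct.Struct("<III")  # assumed blob header: key0, key1, length


def _next_key(key0, key1):
    """One key-schedule step from the slide: add key1, rotate left by 8 bits."""
    key0 = (key0 + key1) & 0xFFFFFFFF
    return ((key0 & 0x00FFFFFF) << 8) | ((key0 & 0xFF000000) >> 24)


def nymaim_decrypt(raw, key0, key1):
    """The slide's loop over bytes.  The keystream byte mixes the low byte of
    key0 with the previous *plaintext* byte, so output feeds back into the key."""
    prev_chr, result = 0, bytearray()
    for c in raw:
        bl = ((key0 & 0xFF) + prev_chr) & 0xFF
        key0 = (key0 & 0xFFFFFF00) | bl
        prev_chr = c ^ bl
        result.append(prev_chr)
        key0 = _next_key(key0, key1)
    return bytes(result)


def nymaim_encrypt(plain, key0, key1):
    """Inverse of nymaim_decrypt; only used to build the constructed sample."""
    prev_chr, result = 0, bytearray()
    for p in plain:
        bl = ((key0 & 0xFF) + prev_chr) & 0xFF
        key0 = (key0 & 0xFFFFFF00) | bl
        result.append(p ^ bl)
        prev_chr = p
        key0 = _next_key(key0, key1)
    return bytes(result)


def extract_blob(mem, ndx):
    """Treat offset ndx as a blob start under the assumed layout; None if the
    length field does not fit inside the dump."""
    key0, key1, length = HEADER.unpack_from(mem, ndx)
    body = mem[ndx + HEADER.size:ndx + HEADER.size + length]
    if len(body) != length:
        return None
    return nymaim_decrypt(body, key0, key1)


def is_good_config(decrypted):
    """Plausibility check standing in for the slide's is_good_config():
    printable ASCII that starts like a URL list.  Wrong offsets decrypt to
    noise, so this rejects practically every false candidate."""
    if not decrypted:
        return False
    try:
        text = decrypted.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.startswith("http") and all(ch in string.printable for ch in text)


def parse_config(decrypted):
    return decrypted.decode("ascii").split("\n")


def brute_blob(mem):
    """The slide's nymaim_brute_blob over a bytes dump: the first plausible
    (offset, parsed config) pair, or None."""
    for i in range(0, len(mem) - HEADER.size):
        decrypted = extract_blob(mem, i)
        if decrypted is not None and is_good_config(decrypted):
            return i, parse_config(decrypted)
    return None


def build_sample_dump():
    """Constructed memory region (not a real dump): 37 junk bytes, one encrypted
    blob carrying two made-up C&C URLs, then more junk."""
    config = b"http://cnc-one.invalid/gate.php\nhttp://cnc-two.invalid/gate.php"
    key0, key1 = 0x1337BEEF, 0x0BADF00D
    blob = HEADER.pack(key0, key1, len(config)) + nymaim_encrypt(config, key0, key1)
    junk_before = bytes((i * 37 + 11) & 0xFF for i in range(37))
    junk_after = bytes((i * 53 + 5) & 0xFF for i in range(41))
    return junk_before + blob + junk_after


if __name__ == "__main__":
    print(brute_blob(build_sample_dump()))
```

Because every candidate offset is tried, the cost of the scan is the cost of the plausibility test; a stricter `is_good_config()` (magic bytes, a checksum the real format carries) is what keeps false positives out on a dump of real size.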
Case study: Nymaim
Nymaim: sample
Nymaim: ripped
Malware pipeline so far
but we can do better than that
Case study: Nymaim
Malicious URLs, that's nice. But where are our webinjects?
That's where malware emulation comes in.
Malware pipeline so far
Webinjects extracted from communication
...actually, that's not everything
The circle is now complete
Malware serpent, eating its own tail
Improvise. Adapt. Overcome.
Emotet
Emotet
Appeared in June 2014 as a banker, currently only a spambot
DHL malspam in Poland (April 2017)
Modular malware
Version v4 analysed by CERT.pl:
https://www.cert.pl/en/news/analysis-of-emotet-v4/
We need to track spam module data (distribution URLs, list of compromised accounts).
Once again: mtracker to the rescue
Emotet
Emotet modules:
Credentials stealer
DDoS module
Spam module
Network spreader
Banker module (missing in new versions)
C&C also sends main module updates
Emotet
Protocol based on Protocol Buffers (under encryption and compression layers)
Improvise. Adapt. Overcome.
Emotet
After a few days... the bot was receiving only empty responses
Emotet
Emotet v4.1 - hardcoded magic constant needed to get spam

```protobuf
// v4.0
message SpamRequestBody {
    required string botId = 1;
    required int32 flags = 2 [default = 3];
    required bytes additionalData = 3;
}

// v4.1
message SpamRequestBody {
    required int32 hdrConst = 1;
    required string botId = 2;
    required bytes unk1 = 3;
    required bytes unk2 = 4;
}
```
Improvise. Adapt. Overcome.
Emotet
After a few days, the bot was receiving only empty responses, once again
Emotet
Take a look at the request structure

```protobuf
message RegistrationRequestBody {
    required int32 command = 1;
    required string hostname = 2;     // <---- <<< suspicious >>>
    required fixed32 osVersion = 3;
    required fixed32 crc32 = 4;       // sends update when "incorrect"
    required string procList = 5;     // <---- <<< suspicious >>>
    required string unk1 = 6;
    required string unk2 = 7;
}
```
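The two schema slides (SpamRequestBody v4.0 versus v4.1, and RegistrationRequestBody) as one added example that is not code from the talk or from mtracker: a hand-rolled Protocol Buffers wire encoder and schema-less decoder, enough to see why a v4.0-shaped SpamRequestBody cannot parse under the v4.1 schema (field 1 changed from a length-delimited string to a varint int32). Field numbers and types follow the .proto text on the slides; the value of `hdrConst` is not given in the talk, so `HDR_CONST_PLACEHOLDER` is a stand-in, and the bot id, hostname and other values are constructed.

```python
# Added example, not code from the talk or from mtracker.  Minimal protobuf
# wire format (varint, fixed32, length-delimited) for the messages on the slides.
import struct

HDR_CONST_PLACEHOLDER = 0x11111111  # placeholder, NOT the real Emotet v4.1 constant

VARINT, LENGTH_DELIMITED, FIXED32 = 0, 2, 5  # protobuf wire types used here


def _varint(n):
    """Base-128 varint.  Non-negative only: a negative int32 is 10 bytes on the
    wire and is not needed for these messages."""
    if n < 0:
        raise ValueError("negative values not handled in this example")
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _read_varint(buf, pos):
    shift, value = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def _field(number, wire_type, payload):
    return _varint((number << 3) | wire_type) + payload


def varint_field(number, value):
    return _field(number, VARINT, _varint(value))


def fixed32_field(number, value):
    return _field(number, FIXED32, struct.pack("<I", value))


def bytes_field(number, data):
    if isinstance(data, str):
        data = data.encode()
    return _field(number, LENGTH_DELIMITED, _varint(len(data)) + data)


def decode_fields(buf):
    """Schema-less decode into (field_number, wire_type, value) triples."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if wire_type == VARINT:
            value, pos = _read_varint(buf, pos)
        elif wire_type == FIXED32:
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        elif wire_type == LENGTH_DELIMITED:
            length, pos = _read_varint(buf, pos)
            value = bytes(buf[pos:pos + length])
            pos += length
        else:
            raise ValueError("wire type %d not handled" % wire_type)
        fields.append((number, wire_type, value))
    return fields


# The messages as defined on the slides (proto2 'required' fields are always emitted).
def spam_request_v40(bot_id, flags=3, additional_data=b""):
    return bytes_field(1, bot_id) + varint_field(2, flags) + bytes_field(3, additional_data)


def spam_request_v41(hdr_const, bot_id, unk1=b"", unk2=b""):
    return (varint_field(1, hdr_const) + bytes_field(2, bot_id)
            + bytes_field(3, unk1) + bytes_field(4, unk2))


def registration_request(command, hostname, os_version, crc32, proc_list, unk1="", unk2=""):
    return (varint_field(1, command) + bytes_field(2, hostname)
            + fixed32_field(3, os_version) + fixed32_field(4, crc32)
            + bytes_field(5, proc_list) + bytes_field(6, unk1) + bytes_field(7, unk2))


# Expected wire type per required field, read off the .proto text.
SPAM_V40_SCHEMA = {1: LENGTH_DELIMITED, 2: VARINT, 3: LENGTH_DELIMITED}
SPAM_V41_SCHEMA = {1: VARINT, 2: LENGTH_DELIMITED, 3: LENGTH_DELIMITED, 4: LENGTH_DELIMITED}


def matches_schema(buf, schema):
    """What a strict proto2 parser enforces: every required field present with
    the wire type the schema expects.  A v4.0 body fails the v4.1 schema on
    field 1 (string vs int32), consistent with the empty responses on the slide."""
    seen = {}
    for number, wire_type, _ in decode_fields(buf):
        if number in schema and schema[number] != wire_type:
            return False
        seen[number] = wire_type
    return all(number in seen for number in schema)
```

Running `decode_fields()` over a captured body (after the encryption and compression layers are peeled off) is the quickest way to notice a schema change like the one between v4.0 and v4.1: the field numbers and wire types come out even when no .proto is known yet.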
Emotet

```python
from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA


def init_bot(self, cnc, el):
    self.url = cnc
    # C&C public key from the static config; session AES key is random per bot
    self.rsa_pk = PKCS1_OAEP.new(RSA.importKey(el["public_key"]))
    self.aes_key = rbytes(16)
    # ...
    # hostname: DESKTOP (hm....)
    self.hostname = "DESKTOP_{0:0{1}X}".format(rint32(), 8)
```

Maybe it was banned because of the unusual hostname?
Emotet

```python
def init_bot(self, cnc, el):
    self.url = cnc
    self.rsa_pk = PKCS1_OAEP.new(RSA.importKey(el["public_key"]))
    self.aes_key = rbytes(16)
    # ...
    # hostname: XXXXXXXX
    self.hostname = "{2}_{0:0{1}X}".format(rint32(), 8, rstring(randint(4, 8)).upper())
```

Now it works!
Emotet
... but it was banned anyway after the next few days
They don't know that we know they know
ISFB: checks the number of reports after registration; you need to be marked as legit to retrieve injects
Emotet: blacklisting; ban on request limit overrun (probably)
Smokeloader
Smokeloader
Smokeloader features:
Main functionality: malware loader
In its full version drops password grabbers (as plugins)
Sending executables to bots directly or via URL
Geolocalized tasks
Smokeloader
Solution: geolocalized bots (communication via a proxy chosen by country)
Improvise. Adapt. Overcome.
Other communication troubles
Sinkholing: blocked domain, but C&C still available via IP address. Is it the real C&C or just a sinkhole?
Legit domains in static config (e.g. google.com, spamhaus.org)
Alternative DNS root (Namecoin domains, .bit)
TOR hidden services (.onion)
Chthonic
Trojan banker.
Interesting feature: static configuration with the .bit TLD (Namecoin protocol)
Improvise. Adapt. Overcome.
Necurs
Spambot, with a spam botnet.
Interesting feature: P2P botnet, likes to share its peers.
![Page 70: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/70.jpg)
Improvise. Adapt. Overcome.
![Page 71: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/71.jpg)
Gootkit & more
Trojan & more
Interesting feature: can serve as a proxy (for criminals)
mtracker? We could proxy and MITM traffic but... Nope.
Completely different architecture than mtracker.
We want to stop botmasters, not help them with a reliable proxy.
Too complicated from a legal point of view ;].
![Page 73: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/73.jpg)
Legal issues
![Page 74: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/74.jpg)
Legal issues (from a technical point of view)
![Page 75: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/75.jpg)
SISSDEN Project
![Page 76: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/76.jpg)
Problem 1: DDoS / spam activity
With malware sandboxes/incubators:
Problem: DDoS is punishable by law [citation_needed]
Solution: Uplink throttling
Problem: Spam is punishable by law [citation_needed]
Solution: Uplink throttling (not ideal, spam still gets through)
Solution: SMTP interception
Problem: Canary emails used by botmasters
Problem 1: DDoS / spam activityWith malware emulators:
Problem: DDoS is punishable by law [citation_needed]
![Page 83: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/83.jpg)
Problem 1: DDoS / spam activityWith malware emulators:
"Problem": DDoS is punishable by lawMalware is only emulated, so this problem doesn't exist: malicious commands are just ignored
![Page 84: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/84.jpg)
Problem 1: DDoS / spam activityWith malware emulators:
"Problem": DDoS is punishable by lawMalware is only emulated, so this problem doesn't exist: malicious commands are just ignored
Problem: Spam is punishable by law [citation_needed]Malware is only emulated. Spam commands are logged and ignored
![Page 85: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/85.jpg)
Problem 1: DDoS / spam activityWith malware emulators:
"Problem": DDoS is punishable by lawMalware is only emulated, so this problem doesn't exist: malicious commands are just ignored
Problem: Spam is punishable by law [citation_needed]Malware is only emulated. Spam commands are logged and ignoredPartial solution: problem: canary emails again used by botmasters
![Page 86: Use your enemies: tracking botnets with bots. · 2017. 12. 25. · Software/Security Engineer @ CERT.pl P4 CTF RE/Software dev Botnets, especially P2P ones @msmcode msm@cert.pl $](https://reader033.vdocuments.net/reader033/viewer/2022051822/5febf515d66473776d77956e/html5/thumbnails/86.jpg)
Problem 2: Proxy servers
Problem: Malware acting like a proxy for criminals
Problem: P2P botnets
With malware sandboxes/incubators:
Solution: I'm not aware of any generic solutions?
Obviously, blocking TCP ports is possible on a case-by-case basis.
With malware emulators:
Solution: Malware is only emulated. Proxy and P2P commands are ignored. Botmasters don't seem to care.
Problem 3: Personal data
Problem: Malware can download personal data in order to carry out further attacks. For example:
Peer list (IP addresses)
Email addresses
Email accounts with passwords (goddamnit emotet)
Results
[Result slides 96 to 101 are figures only; no text was extracted]
This research was partially funded by the SISSDEN project.
This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 700176.
Q & A
Questions?