on

Botconf 2014 – Day 2

Botconf

Today it’s been a long day with many interesting speeches, starting with a technical workshop on how to debug rootkits with windbg, and ending with a great research work, done by Tom Ueltschi, on ponmocup malware and Zuponcic infection Kit.

Meanwhile, during the day we’ve seen a variety of slide decks related to DDoS botnets, mobile malware, bitcoin mining, APTs, polish banking trojans, Ad fraud botnets and sandbox bypassing techniques.

As said before, one of the speeches was about a “Timeline of Mobile Botnets”, in which Ruchna Nigam explained us how the mobile samples have evolved since 2009, starting with a simple Symbian, talking about bankers like Zitmo, Droidkungfu, Spidmo, Hesperbot and ending with mobile app RATs and Ransomware. In the presentation, the motivations (spying, financial and propagation among others ) and the attack vectors of such cybercriminals (official Google Play store, Drive-by downloads, USB and targeted attacks related to certain events), have been discussed.

We’ve seen another presentation, given by the Google guys, about adsense business model and how do they track and detect clickfraud attacks performed by trojans like zeroaccess or z00clicker.

Once again in Botconf event, we’ve seen speeches like “APT Investigation Backstage” concluding that we all are good single technical guys, but, to fight against APTs and eCrime we need to team up and collaborate to have a global overview of what is going in the darkside of the Internet.

Lukasz Siewierski showed his findings in terms of targeted polish banking trojans, with some peculiar behaviors from this malware. First of all, Lukasz explained how VBKlip detects BAN numbers from bank accounts in the clipboard, and changes them in the fly to manipulate the destination account in the copy and paste operations done with wire transfers, in order to transfer this money to another account. He also explained the evolution of this malware (Banametrix sample), which searches via scraping methods BANS in the different processes of a system, instead of looking for them in the clipboard. Finally the speech ended with the release of some vulnerabilities related to some grabber samples like CarbonGrabber and Bilal Ghouri.

About DDoS botnets, we’ve seen two presentations today. In the first one, Dennis Schwarz has given us his vision about the different groups that own DDoS botnets such as Dirtjumper, Ferret, Gbot, Athena and many more. In the second one, the guys from Avast, have explained us that attacks, coming mainly from China, have become significantly more frequent this past year, specially those targeting online services for which availability is crucial.

In conclusion, we can say that this has been a very productive day, as we’ve seen very different samples and attacks performed by a great range of botnet types.

Ferran Pichel, Ramon Vicens, Victor Acin, Cyber Threat Analysts

Demo Free Trial MSSP
Program