This third and last day of this great experience started with an awesome speech from Hendrik Adrian and Dhia Mahjoub about Fast Flux Proxy Networks, a DNS technique used by botnets in which a single DNS name is associated with multiple, ever-changing IPs. These IPs are swapped in and out at high frequency, making it harder to target all the hosts behind the domain name.
Right after this, the Yandex team shared their experience with multiple Unix botnets, from Apache modules like Darkleech to email spammers.
Osama Kamal gave a brief introduction to DNS Analytics: using the log files of the DNS servers to detect possible infections. This is done with a service built to identify infections through multiple techniques, from manual verification of domains, domain and keyword blacklisting and subdomain discovery, to sinkholing.
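To make the two DNS ideas above concrete (the fast-flux behaviour from the first talk and the log-driven DNS analytics from this one), here is an added example that is not code from any of the talks: a small heuristic run over constructed resolver log lines that flags a name when it resolves to many distinct IPs spread across several /24 networks with short TTLs, and also matches names against a constructed blacklist. The log format, the thresholds and the sample names are all assumptions.

```python
from collections import defaultdict

# Constructed resolver log: "<ts> <client> <qname> <rcode> <ttl> <answer_ip>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 update-check.example.net NOERROR 60 198.51.100.7
1700000030 10.0.0.5 update-check.example.net NOERROR 60 203.0.113.9
1700000060 10.0.0.8 update-check.example.net NOERROR 45 192.0.2.21
1700000090 10.0.0.8 update-check.example.net NOERROR 60 198.51.100.200
1700000120 10.0.0.9 update-check.example.net NOERROR 30 203.0.113.77
1700000150 10.0.0.9 update-check.example.net NOERROR 60 192.0.2.250
1700000000 10.0.0.5 www.example.com NOERROR 3600 192.0.2.10
1700000300 10.0.0.6 www.example.com NOERROR 3600 192.0.2.10
1700000310 10.0.0.6 cdn.example.org NOERROR 20 198.51.100.5
1700000320 10.0.0.7 cdn.example.org NOERROR 20 198.51.100.6
"""
BLACKLIST = {"update-check.example.net"}  # constructed, stands in for a real feed

def parse_log(text):
    """Group successful answers per queried name: set of IPs and list of TTLs."""
    per_name = defaultdict(lambda: {"ips": set(), "ttls": []})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "NOERROR":
            continue  # skip malformed lines and NXDOMAIN/SERVFAIL answers
        _, _, qname, _, ttl, ip = parts
        rec = per_name[qname]
        rec["ips"].add(ip)
        rec["ttls"].append(int(ttl))
    return per_name

def slash24(ip):
    return ".".join(ip.split(".")[:3])  # coarse "different network" test

def score_fast_flux(rec, min_ips=5, min_nets=3, max_ttl=300):
    """Heuristic: many distinct IPs, across several /24s, with short TTLs."""
    nets = {slash24(ip) for ip in rec["ips"]}
    avg_ttl = sum(rec["ttls"]) / len(rec["ttls"])
    return len(rec["ips"]) >= min_ips and len(nets) >= min_nets and avg_ttl <= max_ttl

def analyze(text, blacklist=BLACKLIST):
    """Return {qname: [reasons]} for every name worth an analyst's attention."""
    findings = {}
    for qname, rec in parse_log(text).items():
        reasons = []
        if qname in blacklist:
            reasons.append("blacklisted")
        if score_fast_flux(rec):
            reasons.append("fast-flux-like")
        if reasons:
            findings[qname] = reasons
    return findings
```

Note that cdn.example.org is not flagged even though its TTL is short: legitimate CDNs also use low TTLs, so the IP and network spread are needed to avoid drowning analysts in false positives.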
The host of the conference, the “Université de Lorraine”, also presented their research on malware and botnets at LORIA. Jean-Yves Marion, one of the members of the research team, addressed the practical issues (how to recover the communication protocol or identify critical functions) and the theoretical issues (malware classification and detection) of malware research. The solution to these problems might lie in analysis at a higher semantic level, called morphological analysis, which uses signatures based on abstract flow graphs built from the recovered states of the binary (each unpacking stage, or wave).
In the afternoon, David Sancho gave us his input on Operation Emmental, a “perfect phishing attack” built on a trojan that changed the host's default DNS server, making the host resolve domains to whatever IP the attacker wants. The infection mechanism was a phishing campaign by email, with an attachment carrying the payload. Once the victim executes the payload, it infects the victim’s PC, installing a certificate and changing the DNS server IP, and redirects the victim to their bank's webpage. From there, the webpage asks the user to download an application for their phone, supposedly for two-factor authentication, infecting their phone too. This way the attackers control all the webpages the victim might access, as well as the phone. So the attackers have both the user’s bank credentials and the device normally used for the second authentication factor.
The last talk of the day, given by Maciej Kotowicz, was an explanation of the ZeuS banking trojan family. He explained that there are multiple ZeuS versions, mostly evolving from ZeuS v2.0, which includes various improvements over its predecessor, such as anti-tracking techniques.
We have to say that we left Nancy with a very good feeling; we enjoyed all of the talks and the people a lot, and we sure hope we can be there next year. We also want to thank the organizers and all the participants for this wonderful time.
Ferran Pichel, Ramon Vicens, Victor Acin, Cyber Threat Analysts