Automation Of Internet-of-Things Botnets Takedown By An ISP
Sébastien Mériot <sebastien.meriot@corp.ovh.com>
@smeriot
BotConf 2017, Montpellier, 06/12/2017
HOSTING PROVIDER PARADOX (BotConf 2017)
- Suffer from DDoS attacks
- You may host the C&C that hits you.
- The law forbids you to look at your customers' data.
- How to establish the infringement?
- Rely on abuse reports: lots of noise, most of the time incomplete, already gone
INTERNET-OF-THINGS BOTNETS
- Hydra, 2008
- Tsunami, 2010
- Gafgyt/Qbot, 2014
- MrBlack, 2014
- Mirai, 2016
- Reaper?, 2017
PEER-TO-PEER INFECTION
Diagram: C&C, Infected Device, Internet
SKIDZ
STRONG POTENTIAL OF HARM
QBOT
- 2015: social networks hit at 400 Gbps
MIRAI
- September 20th, 2016: OVH hit at 1 Tbps
- September 20th, 2016: Krebs hit at 620 Gbps
- October 21st, 2016: Dyn hit at 1 Tbps
Figure: Flows of the OVH attack
HOW TO DETECT THOSE C&C?
- Use Shodan to search for C&C banners: easy & reliable, but not exhaustive enough
- 360's Netlab: very interesting, but not suitable for an abuse team
HOW TO RECOVER THE C&C?
- Use our honeypots & sample analysis? Sandbox?
- Exotic architectures: MIPS, ARM, SH4, …
- Old kernels (2.x)
- Up to 30 samples/min
- Code is easy to reverse: "strings"
WORKFLOW
Scan -> Challenge-Response -> Recover the sample -> Sample analysis -> Recover the C&C -> Connection -> Abuse notification -> Action
Actors involved: Bots, Loaders, Honeypots, Sample Analyzer, Abuse
SAMPLE ANALYSIS
- Unpack + UnXOR
- Static analysis: strings, constants
- Dynamic analysis: DNS & flows
Screenshots: Obfuscated vs. UnXOR'ed
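The "UnXOR" and "strings" steps above are the part of the pipeline that turns a raw sample into the C&C indicator the abuse team needs. The following is an added example, not code from the talk or from OVH's pipeline: it assumes the configuration strings were obfuscated with a single-byte repeating XOR key (the talk does not say which scheme its samples use), brute-forces the 256 candidates by scoring how much of the output looks like NUL-terminated ASCII, and then runs a minimal `strings` over the result. The obfuscated blob is constructed inline for the demonstration; the hostname uses the reserved `.invalid` TLD and is not a real indicator.

```python
"""Recover XOR-obfuscated strings from an IoT bot sample (added example)."""

# Bytes treated as plausible plaintext: printable ASCII plus NUL, because the
# configuration table of a stripped ELF is made of NUL-terminated C strings.
PLAUSIBLE = set(range(0x20, 0x7F)) | {0x00}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (a single-byte key has len(key) == 1)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausibility(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in PLAUSIBLE for b in data) / len(data)


def recover_single_byte_key(blob: bytes) -> tuple[int, float]:
    """Try all 256 single-byte keys; return (key, score) of the most plausible output."""
    best_key, best_score = 0, -1.0
    for k in range(256):
        score = plausibility(xor_bytes(blob, bytes([k])))
        if score > best_score:
            best_key, best_score = k, score
    return best_key, best_score


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Minimal equivalent of the `strings` tool restricted to printable ASCII."""
    found, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            found.append(cur.decode("ascii"))
        cur.clear()
    if len(cur) >= min_len:
        found.append(cur.decode("ascii"))
    return found


def unxor_and_strings(blob: bytes, min_len: int = 4) -> tuple[int, list[str]]:
    """Full step: guess the key, decode the blob, and list the recovered strings."""
    key, _ = recover_single_byte_key(blob)
    return key, extract_strings(xor_bytes(blob, bytes([key])), min_len)


# Constructed sample data (assumption, not taken from any real sample): a fake
# configuration table holding a C&C hostname, a path and a keepalive token,
# obfuscated with the single-byte key 0x5A.
CONSTRUCTED_KEY = 0x5A
CONSTRUCTED_PLAINTEXT = b"cnc.example.invalid\x00/bin/busybox\x00PONG\x00"
CONSTRUCTED_BLOB = xor_bytes(CONSTRUCTED_PLAINTEXT, bytes([CONSTRUCTED_KEY]))


if __name__ == "__main__":
    key, strings = unxor_and_strings(CONSTRUCTED_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for s in strings:
        print(s)
```

The scoring deliberately counts NUL as plausible: a decoded configuration table is mostly text separated by NUL bytes, so a candidate key that produces control characters other than NUL is almost certainly wrong. The same scoring works for multi-byte keys once the key length is known, but the search then needs a known-plaintext guess rather than a 256-way brute force.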
STATISTICS
Chart: Abuse reports concerning IoT malware, monthly from September 2015 to November 2017. Series: Abuse Report, AVG Before, AVG After; annotated "Before the workflow" and "After the workflow".
RESPONSIVENESS
- Detected within 3 days after the VPS creation
LESS C&C HOSTED BUT UPWARDS TREND
Chart: Percentage of IoT C&C hosted by OVH (scale 0% to 30%)
Chart: Monthly detected IoT C&C trend (scale 0 to 300)
GLOBALISATION
- Being more reactive together: detecting IoT C&C, detecting bots
- Let's hope manufacturers will learn from their mistakes…
Ranking of the most targeted autonomous systems by IoT C&C over the months (ranks #1 to #4; cells assigned to months in extraction order):

Month    #1              #2          #3              #4
02/2017  Virgin          Sky UK      OVH             Telecom Italia
03/2017  OVH             Comcast     Qwest           Dotsi
04/2017  Nuclearfallout  Comcast     GHOSTnet        OVH
05/2017  Comcast         OVH         Nuclearfallout  AT&T
06/2017  OVH             Cloudflare  Internap        Dotsi
07/2017  OVH             Comcast     Marbis          Cloudflare
08/2017  OVH             Comcast     Cloudflare      AT&T
09/2017  OVH             Cloudflare  Comcast         AT&T
10/2017  OVH             Comcast     AT&T            Cloudflare
11/2017  OVH             Comcast     Cloudflare      Sky UK
CONCLUSION
- Strong potential to cause harm (still)
- But… easy to detect and to take down!
- Managing abuse is a hard job!
- How to share data? Abuse Report Format (ARF/X-ARF); see Botconf 2015: "The Missing Piece Of Threat Intel", Frank Denis
THANK YOU