Attacking Linux/Moose Unraveled an Ego Market

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose that conducts social media fraud. Linux/Moose has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. We performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months, decrypting the bots’ proxy traffic. This gave us an impressive amount of information on the botnet’s activities on social networks: the names of the fake accounts it uses, its modus operandi to conduct social media fraud and the identification of its consumers, companies and individuals.

This presentation will be of interest to a wide audience. First, it will present the elaborate methodology we used to infect custom honeypots with Linux/Moose, which led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. The talk will further increase its draw by placing the botnet’s activities within a larger scope: the illicit market for social media fraud. With the data gathered from the decrypted traffic and open-source research, market dynamics behind the sale of social media fraud will be presented, allowing an overview of the botnet’s potential profitability. Overall, this research elevates the standards of botnet studies as it not only investigates how a botnet is built, but also what drives it.


Automating Detection, Investigation and Mitigation with LimaCharlie

Workshop duration: 3 hours.

The workshop will begin with an overview of the various detection and automation mechanisms available in LimaCharlie.
Afterwards, we will create Detections and Hunters for LimaCharlie that will automate the detection and investigation of specific malware samples (provided for the workshop; attendees can also bring their own).

Cracking Custom Encryption – An Intuitive Approach to Uncovering Malware’s Protected Data

Workshop duration: 2 hours.

As banking fraud researchers, we take part in a never-ending chase after new configurations of banking malware. We strive to have the upper hand by figuring out where the configurations are hidden and how they are encrypted. It can be quite thrilling when a new version of the malware is released, the encryption has changed, and the configuration must be decrypted before time runs out. We’d like to share this thrill, and teach useful skills that may come in handy when dealing with a variety of custom encryption algorithms used by malware authors. In many cases, cracking an encryption requires advanced skills in math and reverse engineering. But quite often malware authors create custom algorithms for data formatting and encryption, which can be overcome using a more intuitive skillset and methods. A great example is the encryption used by Dridex, which we shall use as a case study. In this workshop, lecturing will be kept to the necessary minimum and the major part of it will be dedicated to a hands-on guided process of analyzing raw encrypted data. We shall study the way it is encrypted, eventually formulating a simple method of decryption. Participants will gain an understanding of the process of researching an actual encryption method, acquire basic tools for addressing encrypted data of unknown format and enjoy the thrill of a live challenge.


Malware and Memory Forensics

For the first time at a Canadian conference, we are pleased to announce that we have a digital forensics and incident response (DFIR) training from none other than the co-author of the Malware Analyst’s Cookbook and The Art of Memory Forensics books, Michael Ligh. Michael is also a core developer of the open source memory forensics tool Volatility.


Not Safe For Organizing: The state of targeted attacks against civil society

Groups that work to protect human rights and civil liberties around the world are under attack by many of the same attackers who target industry and government. These groups and organizations have far fewer resources to defend themselves, yet the stakes of the attacks are often much higher. This talk will give an update on the state of affairs, emphasizing two cases drawn from Citizen Lab’s recent work: attacks against the Tibetan community, and the Packrat group in Latin America.

Modern Object-Oriented Malware Reverse Engineering

Please note that this class has been cancelled.

This training course is designed for anyone who wants to learn how to reverse engineer object-oriented code and perform analysis of complex threats. The introductory material of the class provides students with essential information on the C++ code generation process: how object-oriented types are laid out in an executable, what kind of additional information compilers put into binaries and how object-oriented architecture may be reconstructed from the machine code. After this, students will focus on using reverse engineering tools to put into practice what they’ve learned earlier. A lot of attention is devoted to automation of reverse engineering. As a bonus, the authors will demonstrate how to identify certain vulnerability classes such as use-after-free with Hex-Rays Decompiler SDK. Another major part of the training is related to reverse engineering malware from real-world targeted attacks, where students will apply learned skills in practice.

Applying DevOps Principles for Better Malware Analysis

The malware battle online is far from being over. Several thousands of new malware binaries are collected by antivirus companies every day. Most organizations don’t have the expertise on staff to know if they are being targeted or if they are hit with mass-spreading malware, although knowing the difference is vital for a proper defensive strategy.