
Post on 22-Feb-2020


Automation Of Internet-of-Things Botnets Takedown By An ISP

Sébastien Mériot <sebastien.meriot@corp.ovh.com>

@smeriot

BotConf 2017, Montpellier, 06/12/2017

HOSTING PROVIDER PARADOX (BOTCONF 2017)

- Suffer from DDoS attacks
  - You may host the C&C that hits you.
- The law forbids you to look at your customers' data.
  - How to establish the infringement?
- Rely on abuse reports
  - Lots of noise
  - Most of the time incomplete
  - Already gone

INTERNET-OF-THINGS BOTNET

- Hydra (2008)
- Tsunami (2010)
- Gafgyt/Qbot (2014)
- MrBlack (2014)
- Mirai (2016)
- Reaper? (2017)

PEER-TO-PEER INFECTION

Diagram: C&C, Infected Device, Internet

SKIDZ

STRONG POTENTIAL OF HARM

QBOT
- 2015: social networks, 400 Gbps

MIRAI
- September 20th 2016: OVH, 1 Tbps
- September 20th 2016: Krebs, 620 Gbps
- October 21st 2016: Dyn, 1 Tbps

Figure: flows of the OVH attack

HOW TO DETECT THOSE C&C?

- Use Shodan to search for C&C banners
  - Easy & reliable
  - Not exhaustive enough
- 360's Netlab
  - Very interesting
  - Not suitable for an abuse team

HOW TO RECOVER THE C&C?

- Use our honeypots & sample analysis?
  - Sandbox?
  - Exotic archs: MIPS, ARM, SH4, ...
  - Old kernels (2.x)
  - Up to 30 samples/min
- Code is easy to reverse
  - "strings"

WORKFLOW

Diagram (pipeline): Scan -> Challenge-Response -> Recover the sample -> Sample analysis -> Recover the C&C -> Connection -> Abuse notification -> Action

Components: Bots, Loaders, Honeypots, Sample Analyzer, Abuse

SAMPLE ANALYSIS

- Unpack + UnXOR
- Static analysis
  - strings
  - constants
- Dynamic analysis
  - DNS & flows
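The unpack, unXOR, strings and constants chain on this slide, as an added example that is not code from the talk or from OVH's tooling: it recovers a repeating XOR key from one string the sample is expected to contain (the busybox path is used as an assumed crib), runs a `strings`-style pass over the decoded blob, and lists host:port constants as C&C candidates for the dynamic stage to confirm. The sample, key and addresses are constructed for the example.

```python
import re
from typing import Optional

# Constructed test input (not from a real sample): a short string table XOR-encoded
# with a repeating 2-byte key and zero-padded, mimicking the obfuscated config
# strings that must be unXOR'ed before `strings` yields anything useful.
_KEY = bytes([0x37, 0xA4])
_TABLE = [b"/bin/busybox", b"cnc.example.invalid:23", b"198.51.100.42:6667"]

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; self-inverse, so it encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_sample() -> bytes:
    return xor_repeat(b"\x00" * 5 + b"\x00".join(_TABLE) + b"\x00" * 5, _KEY)

def strings(data: bytes, min_len: int = 6) -> list:
    """Same idea as the `strings` tool: printable ASCII runs of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def recover_key(sample: bytes, crib: bytes, max_len: int = 4) -> Optional[bytes]:
    """Derive a repeating XOR key (1..max_len bytes) from a plaintext string the
    sample is expected to contain. Returns None if the crib is never found."""
    for i in range(len(sample) - len(crib) + 1):
        for klen in range(1, min(max_len, len(crib)) + 1):
            # Key bytes implied by placing the crib at offset i. They are the real
            # key rotated by i mod klen, so rotate back to the sample's origin.
            k = bytes(sample[i + j] ^ crib[j] for j in range(klen))
            phase = i % klen
            key = k[-phase:] + k[:-phase] if phase else k
            if xor_repeat(sample, key)[i:i + len(crib)] == crib:
                return key
    return None

# host:port constants, the form C&C addresses usually take in these bots' string tables
_CNC_RE = re.compile(rb"(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,}):\d{1,5}")

def analyze(sample: bytes, crib: bytes = b"/bin/busybox") -> dict:
    """Static stage of the workflow: unXOR, strings, then list host:port constants as
    C&C candidates to confirm with the dynamic stage (DNS and flows) before any
    abuse notification is sent. Unrecoverable key => raw strings only, no candidates."""
    key = recover_key(sample, crib)
    if key is None:
        return {"key": None, "strings": strings(sample), "cnc_candidates": []}
    plain = xor_repeat(sample, key)
    cands = sorted({m.group(0).decode() for m in _CNC_RE.finditer(plain)})
    return {"key": key.hex(), "strings": strings(plain), "cnc_candidates": cands}
```

`analyze(make_sample())` returns the recovered key, the decoded strings and the two constructed host:port candidates; a sample without the crib yields no key and only the raw (still obfuscated) strings.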


Figure: sample strings, obfuscated vs. unXOR'ed


STATISTICS

Chart: "Abuse Report Concerning IoT Malwares", monthly from September 2015 to November 2017; series: abuse reports, average before the workflow, average after the workflow.

RESPONSIVENESS

Detected in 3 days after the VPS creation

LESS C&C HOSTED BUT UPWARDS TREND

Chart: percentage of IoT C&C hosted by OVH (y axis 0% to 30%)

Chart: monthly detected IoT C&C trend (y axis 0 to 300)

GLOBALISATION

- Being more reactive together
  - Detecting IoT C&C
  - Detecting bots
- Let's hope manufacturers will learn from their mistakes...

Ranking Of The Most Targeted Autonomous System By IoT C&C Over The Months

      02/2017        03/2017   04/2017         05/2017         06/2017     07/2017     08/2017     09/2017     10/2017     11/2017
#1    Virgin         OVH       Nuclearfallout  Comcast         OVH         OVH         OVH         OVH         OVH         OVH
#2    SkyUK          Comcast   Comcast         OVH             Cloudflare  Comcast     Comcast     Cloudflare  Comcast     Comcast
#3    OVH            Qwest     GHOSTnet        Nuclearfallout  Internap    Marbis      Cloudflare  Comcast     AT&T        Cloudflare
#4    TelecomItalia  Dotsi     OVH             AT&T            Dotsi       Cloudflare  AT&T        AT&T        Cloudflare  SkyUK

CONCLUSION

- Strong potential to cause harm (still)
  - But... easy to detect and to take down!
- Managing abuse is a hard job!
- How to share data?
  - Abuse Report Format (ARF/X-ARF)
  - Botconf 2015: The Missing Piece Of Threat Intel, Frank Denis

THANK YOU
