Automation Of Internet-of-Things Botnets Takedown By An ISP
Sébastien Mériot <sebastien.meriot@corp.ovh.com>
@smeriot
BotConf 2017, Montpellier, 06/12/2017
HOSTING PROVIDER PARADOX
- Suffer from DDoS attacks
  - You may host the C&C that hits you.
- The law forbids you to look at your customers' data.
  - How to establish the infringement?
- Rely on abuse reports
  - Lots of noise
  - Most of the time incomplete
  - Already gone
INTERNET-OF-THINGS BOTNETS
- Hydra (2008)
- Tsunami (2010)
- Gafgyt/Qbot (2014)
- MrBlack (2014)
- Mirai (2016)
- Reaper? (2017)
PEER-TO-PEER INFECTION
(Diagram: C&C, infected device, Internet)
SKIDZ
STRONG POTENTIAL OF HARM
QBOT
- 2015 – Social networks at 400 Gbps
MIRAI
- September 20th, 2016 – OVH at 1 Tbps
- September 20th, 2016 – Krebs at 620 Gbps
- October 21st, 2016 – Dyn at 1 Tbps
(Figure: flows of the OVH attack)
HOW TO DETECT THOSE C&C?
- Use Shodan to search for C&C banners
  - Easy & reliable
  - Not exhaustive enough
- 360's Netlab
  - Very interesting
  - Not suitable for an abuse team
HOW TO RECOVER THE C&C?
- Use our honeypots & sample analysis?
  - Sandbox?
    - Exotic archs: MIPS, ARM, SH4, …
    - Old kernels (2.x)
    - Up to 30 samples/min
  - Code is easy to reverse
    - "strings"
WORKFLOW
Scan -> Challenge-Response -> Recover the sample -> Sample analysis -> Recover the C&C -> Connection -> Abuse notification -> Action
Components: Bots, Loaders, Honeypots, Sample Analyzer, Abuse
SAMPLE ANALYSIS
- Unpack + UnXOR
- Static analysis: strings, constants
- Dynamic analysis: DNS & flows
(Screenshot: obfuscated strings vs. unXOR'ed strings)
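The "Unpack + UnXOR, then strings" step above can be automated. The following is an added example, not code from the talk or from OVH: it brute-forces a single-byte XOR key over a constructed pseudo-ELF blob (the key 0x5A, the host name `cnc.example.invalid`, the port and the strings are all assumptions for the demo), scores each candidate key by known-plaintext markers an IoT bot almost always carries in clear (`/bin/busybox`, `/proc/`, ...), and then runs a `strings`-style extraction over the decoded bytes to pull out host/port pairs as C&C candidates.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed demo input (not a real sample): a pseudo-ELF blob whose
# configuration block was XOR-obfuscated with the single-byte key 0x5A.
# Key, host name, port and strings are assumptions for this example.
DEMO_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the obfuscation scheme assumed here)."""
    return bytes(b ^ key for b in data)


_PLAIN_PART = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"/proc/self/exe\x00" + b"\x40\x00\x38\x00\x40")  # header-like filler
_CONFIG_PART = (b"cnc.example.invalid\x00" + b"6667\x00"
                + b"/bin/busybox\x00" + b"report-only\x00")
BLOB = _PLAIN_PART + xor_bytes(_CONFIG_PART, DEMO_KEY) + b"\x00" * 4

# Known-plaintext markers: a candidate key that reveals them is very likely right.
MARKERS = (b"/bin/busybox", b"/proc/", b"/dev/", b"http", b"telnet")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def score_key(data: bytes, key: int) -> Tuple[int, int]:
    """(marker hits, printable bytes) after decoding with `key`; higher is better.
    Marker hits dominate; printable length only breaks ties."""
    decoded = xor_bytes(data, key)
    hits = sum(decoded.count(m) for m in MARKERS)
    printable = sum(len(s) for s in extract_strings(decoded))
    return hits, printable


def best_xor_key(data: bytes) -> int:
    """Brute-force the single-byte key (1..255) that best exposes plaintext."""
    return max(range(1, 256), key=lambda k: score_key(data, k))


# A string is host-like if it is a dotted IPv4 address or a dotted name.
_HOST_RE = re.compile(
    r"^(?:(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)$", re.I)


def find_c2_candidates(strs: List[str]) -> List[Tuple[str, Optional[int]]]:
    """Pick host-like strings; a following all-digit string is taken as the port."""
    found = []
    for i, s in enumerate(strs):
        if not _HOST_RE.match(s):
            continue
        port = None
        if i + 1 < len(strs) and strs[i + 1].isdigit() and 0 < int(strs[i + 1]) < 65536:
            port = int(strs[i + 1])
        found.append((s, port))
    return found


def analyze_sample(data: bytes) -> Dict[str, object]:
    """Static pass: raw strings, brute-forced XOR key, decoded strings, C&C candidates."""
    key = best_xor_key(data)
    plain = extract_strings(data)
    decoded = extract_strings(xor_bytes(data, key))
    return {
        "xor_key": key,
        "plain_strings": plain,
        "decoded_strings": decoded,
        "c2_candidates": find_c2_candidates(plain + decoded),
    }


if __name__ == "__main__":
    result = analyze_sample(BLOB)
    print("xor key: 0x%02x" % result["xor_key"])
    for host, port in result["c2_candidates"]:
        print("C&C candidate:", host, port)
```

Plain `strings` on the blob only shows the clear-text part and a run of garbage where the configuration sits; after the brute force the same region yields the host and port. Some families use multi-byte XOR keys rather than a single byte; the same marker-scoring loop generalises by trying one key byte per position modulo the key length, which is an assumption about the family, not something the talk states.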
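The "DNS & flows" dynamic-analysis step recovers the C&C from what the sample does in the sandbox rather than from its bytes. The following is an added example, not code from the talk or from OVH, run over constructed sandbox traces (RFC 5737 documentation addresses; the host name `cnc.example.invalid`, the ports, byte counts and the scan threshold are assumptions). Ports on which the sample touches many distinct hosts are classed as propagation scanning and set aside; among the remaining endpoints, the one the sample reconnects to most persistently is reported as the C&C, with the DNS log used to map the IP back to the queried name.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sandbox traces (not real captures); addresses are RFC 5737
# documentation ranges and the names/ports are assumptions for this example.
DNS_LOG = [
    # ts    name                  type  answer
    "0.90 cnc.example.invalid A 203.0.113.7",
]
FLOW_LOG = [
    # ts    proto dst           dport bytes
    "1.10 tcp 203.0.113.7 6667 412",   # C&C session
    "2.00 tcp 192.0.2.10 80 1300",     # one-off download from a loader
    "31.10 tcp 203.0.113.7 6667 88",   # C&C reconnect / keepalive
    "61.10 tcp 203.0.113.7 6667 88",
    "4.00 tcp 198.51.100.50 2323 0",   # a couple of probes, below the scan threshold
    "4.10 tcp 198.51.100.51 2323 0",
] + [f"{3 + i / 10:.2f} tcp 198.51.100.{10 + i} 23 0" for i in range(8)]  # SYN-only probes

SCAN_MIN_TARGETS = 5  # assumption: this many distinct hosts on one port = scanning

Flow = Tuple[float, str, str, int, int]  # (ts, proto, dst, dport, bytes)


def parse_dns(lines: List[str]) -> Dict[str, str]:
    """Map resolved IP -> queried name from 'ts name type answer' lines."""
    mapping: Dict[str, str] = {}
    for line in lines:
        _ts, name, rtype, answer = line.split()
        if rtype == "A":
            mapping[answer] = name
    return mapping


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse 'ts proto dst dport bytes' lines into tuples."""
    flows: List[Flow] = []
    for line in lines:
        ts, proto, dst, dport, nbytes = line.split()
        flows.append((float(ts), proto, dst, int(dport), int(nbytes)))
    return flows


def scan_ports(flows: List[Flow], min_targets: int = SCAN_MIN_TARGETS) -> List[int]:
    """Ports on which the sample touched many distinct hosts: propagation, not C&C."""
    targets: Dict[int, Set[str]] = defaultdict(set)
    for _, _, dst, dport, _ in flows:
        targets[dport].add(dst)
    return sorted(p for p, hosts in targets.items() if len(hosts) >= min_targets)


def rank_c2(flows: List[Flow], ignore_ports: Set[int]) -> List[Tuple[str, int, int, int]]:
    """(dst, dport, connections, bytes) for non-scan endpoints, most persistent first."""
    stats: Dict[Tuple[str, int], List[int]] = defaultdict(lambda: [0, 0])
    for _, _, dst, dport, nbytes in flows:
        if dport in ignore_ports:
            continue
        stats[(dst, dport)][0] += 1
        stats[(dst, dport)][1] += nbytes
    ranked = [(dst, dport, c, b) for (dst, dport), (c, b) in stats.items()]
    ranked.sort(key=lambda r: (r[2], r[3]), reverse=True)
    return ranked


def recover_c2(dns_lines: List[str], flow_lines: List[str]) -> Dict[str, object]:
    """Combine DNS and flow traces into a small report: scan ports, C&C, other endpoints."""
    ip_to_name = parse_dns(dns_lines)
    flows = parse_flows(flow_lines)
    ports = scan_ports(flows)
    ranked = rank_c2(flows, set(ports))
    report: Dict[str, object] = {"scan_ports": ports, "c2": None, "others": ranked[1:]}
    if ranked:
        dst, dport, count, nbytes = ranked[0]
        report["c2"] = {"host": ip_to_name.get(dst), "ip": dst, "port": dport,
                        "connections": count, "bytes": nbytes}
    return report


if __name__ == "__main__":
    print(recover_c2(DNS_LOG, FLOW_LOG))
```

On these traces the port-23 sweep is set aside as scanning, the single large transfer from the loader ranks below the endpoint the bot keeps reconnecting to, and the report names `cnc.example.invalid:6667` as the C&C. The "others" list keeps the loader in view, since the loader is the next thing the abuse team wants to notify.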
STATISTICS
(Chart: monthly abuse reports concerning IoT malware, September 2015 to November 2017, with the average before and after the workflow)
RESPONSIVENESS
Detected in 3 days after the VPS creation
LESS C&C HOSTED BUT UPWARD TREND
(Charts: percentage of IoT C&C hosted by OVH, scale 0–30%; monthly detected IoT C&C with trend line, scale 0–300)
GLOBALISATION
- Being more reactive together
  - Detecting IoT C&C
  - Detecting bots
- Let's hope manufacturers will learn from their mistakes…

Ranking of the most targeted autonomous systems by IoT C&C over the months:

| Rank | 02/2017 | 03/2017 | 04/2017 | 05/2017 | 06/2017 | 07/2017 | 08/2017 | 09/2017 | 10/2017 | 11/2017 |
|---|---|---|---|---|---|---|---|---|---|---|
| #1 | Virgin | OVH | Nuclearfallout | Comcast | OVH | OVH | OVH | OVH | OVH | OVH |
| #2 | SkyUK | Comcast | Comcast | OVH | Cloudflare | Comcast | Comcast | Cloudflare | Comcast | Comcast |
| #3 | OVH | Qwest | GHOSTnet | Nuclearfallout | Internap | Marbis | Cloudflare | Comcast | AT&T | Cloudflare |
| #4 | TelecomItalia | Dotsi | OVH | AT&T | Dotsi | Cloudflare | AT&T | AT&T | Cloudflare | SkyUK |
CONCLUSION
- Strong potential to cause harm (still)
  - But… easy to detect and to take down!
- Managing abuse is a hard job!
- How to share data?
  - Abuse Report Format (ARF/X-ARF)
  - Botconf 2015: "The Missing Piece of Threat Intel", Frank Denis
THANK YOU