A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer...

97
A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau ( ) @obilodeau

Transcript of A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer...

Page 1: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

AMooseOnceBitMyHoneypot

AStoryofanEmbeddedLinuxBotnetbyOlivierBilodeau( )@obilodeau

https://twitter.com/obilodeau
Page 2: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

$aproposEmbeddedLinuxMalwareMooseDNA(description)MooseHerding(theOperation)What’sNew?TakeAways

Page 3: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

$whoamiMalwareResearcheratESETInfoseclectureratETSUniversityinMontrealPreviously

infosecdeveloper,networkadmin,linuxsystemadmin

Co-founderMontrehack(hands-onsecurityworkshops)FounderNorthSecHackerJeopardy

Page 4: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

EmbeddedLinuxMalwareWhatmarketinglikestocall"InternetofThingsMalware"

Page 5: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

MalwareRunningOnAnEmbeddedLinuxSystem

Page 6: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

LikeconsumerroutersconsumerroutersDVRSmartTVsIPCameramonitoringsystems…

Page 7: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

CaracteristicsofEmbeddedLinuxSystems

SmallamountofmemorySmallamountofflashNonx86architectures:ARM,MIPSWide-varietyoflibcimplementations/versionsSameABI-compatibleLinuxkernel(2.4<x<4.3)SupportELFbinariesRarelyanintegratedUINetworked

Page 8: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

WhyThreatsOnTheseSystemsMatters?

HardtodetectHardtoremediateHardtofixLowhangingfruitforbadguys

Page 9: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

It’sRealSeveralcasesdisclosedinthelasttwoyearsAlotofsame-oldbackgroundnoise(DDoSer)Thingsareonlygettingworse

Page 10: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 11: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 12: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 13: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 14: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 15: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 16: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Wait,isIoTmalwarereallyaboutthings?

Page 17: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

No.Notyet.No.Notyet.

Page 18: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 19: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 20: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Sowhatkindofmalwarecanwefindonsuchinsecuredevices?Linux/AidraLinux/BassoboChinaZfamily(XOR.DDoS,…)Linux/DoflooLinux/DNSAmp(MrBlack,BillGates)Linux/Gafgyt(LizardStresser)Linux/HydraLinux/Tsunami…

Page 21: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

LessonLearned#0LessonLearned#0Statically-linkedstrippedbinaries

Page 22: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Static/strippedELFprimerNoimports(librarycalls)presentAllthecodebundledtogetherdowntokernelsyscallDisassembler(ifavailableforarch)doesn’thelpmuch

Page 23: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Linux/MoosebinaryinIDA

Page 24: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

printffamily

Page 25: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 26: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 27: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 28: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Ecosystemmakesitworst[forreversers]

GCCandGNUlibcarealwayschangingsocompiledbinariesalwayschangeLittleIDAFLIRTsignaturesavailable(ifany)VariousClibraries:µClibc,eglibc,glibc,musl,…

Page 29: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

AFailedAttemptMapsyscallswithIDAscriptButlibcistoobigStilltoomuchcodetoREProvidedtool:https://github.com/eset/malware-research/blob/master/moose/ida/mips_identify_syscalls.py

https://github.com/eset/malware-research/blob/master/moose/ida/mips_identify_syscalls.py
Page 30: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

BetterSolutionReproduceenvironment(arch,libc/compilerversions)Buildlibrariesw/symbolsundersameconditionsUsebindifftomaplibraryfunctionsFocusonmalwarecode

Page 31: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 32: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Lesson#0Lesson#0GoingdowntosyscallsistoolonginlargebinariesFindaclosematchofClibraryBuildwithsymbolsBindiffit(ormaybeFLIRTit)

Page 33: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

LessonLearned#1LessonLearned#1BecarefulofstringsandAVvariantnames

Page 34: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Anti-VirusVariants

Page 35: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 36: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 37: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

andStrings$stringsmoose_mips.elf[...]cat/proc/cpuinfoGET/xx/rnde.php?p=%d&f=%d&m=%dHTTP/1.1Host:www.getcool.comConnection:Keep-Alive127.0.0.1[...]

Page 38: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Lesson#1Lesson#1BecarefulwithdetectionnamesDon’trequestdomaintakedownbasedonoutputofstringsanddon’tdosoforotherpeople’sresearch!

Page 39: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

MisleadingStrings

Page 40: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

MooseDNAMooseDNAakaMalwaredescription

Hangtight,thisisarecap

Page 41: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Linux/MooseDiscoveredinNovember2014Thoroughlyanalyzedinearly2015PublishedareportinlateMay2015

Page 42: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Linux/Moose…Namedafterthestring"elan"presentinthemalware

executable

Page 43: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

ElanisFrenchfor

Page 44: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

TheLotusElan

Page 45: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

ElánTheSlovakrockband(from1969andstillactive)

Page 46: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 47: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

SampleStaticallylinkedstrippedELFbinaryARM(GNUEABIandEABI5)MIPS(littleandbigendian)Nox86samplefoundC&CIPinintegerformburiedinallthiscode

Page 48: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

MIPS/ARM+staticallylinked+stripped+nox86

Page 49: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Stringsnotobfuscated

Page 50: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

NetworkcapabilitiesPivotthroughfirewallsHome-madeNATtraversalCustom-madeProxyservice

onlyavailabletoasetofauthorizedIPaddressesRemotelyconfiguredgenericnetworksnifferDNSHijacking

Page 51: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

LessonLearned#2LessonLearned#2Don’tassumeit’scustomwhenitcanbeastandard

protocol

Page 52: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 53: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

ProxywithaccessfromC&CauthorizedIPsonly

Page 54: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

C&CIPishardcodedNofallbackdomainsorDGA

Page 55: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 56: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

AttackVectorTelnetcredentialsbruteforceWordlistof304user/passentriessentbyserver

Page 57: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

CompromiseProtocol

Page 58: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Canperformcross-archinfections

Page 59: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

NofurtherspreadingifC&Cisdown

Page 60: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Missing:Persistence

Page 61: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Literallykillscompetition

Page 62: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 63: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

LessonLearned#3LessonLearned#3LessRE,morehoneypot!

Page 64: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Stuck

Page 65: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

SolutionLaunchthebinaryinadebianMIPSqemuimageReachablefromtheInternetWatchitbehaveFirewallit

Page 66: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

HintsAurelimages:

Qemucommand:https://people.debian.org/~aurel32/qemu/mips/

qemu-system-mips-Mmalta\-no-reboot-nographic\-kernelvmlinux-3.2.0-4-4kc-malta\-hdadebian_wheezy_mips_standard.qcow2\-append"root=/dev/sda1console=ttyS0"\-redirtcp:10073::10073-redirtcp:22::22-redirtcp:23::23

https://people.debian.org/~aurel32/qemu/mips/
Page 67: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Lesson#3Lesson#3WeweretoocarefulEverythingwelearnedoperationallywasbecauseofinfectedhost

Page 68: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Hardtotrackmalware

Page 69: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

MooseHerdingTheMalwareOperation

Page 70: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

ViaC&CConfigurationNetworksnifferwasusedtostealHTTPCookies

Twitter:twll,twidFacebook:c_userInstagram:ds_user_idGoogle:SAPISID,APISIDGooglePlay/Android:LAY_ACTIVE_ACCOUNTYoutube:LOGIN_INFO

Page 71: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

SniffingHTTPSCookies

Page 72: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

ViaProxyUsageAnalysisNatureoftrafficProtocolTargetedsocialnetworks

Page 73: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 74: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 75: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 76: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

75%+HTTPSbut…

Page 77: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 78: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

AnExample

Page 79: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

AnExample(cont.)

Page 80: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

AnExample(cont.)

Page 81: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

AnExample(cont.)

Page 82: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

FraudhiddeninHTTPS

Page 83: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

ExceptInstagramfirsthit

Page 84: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 85: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

LatestDevelopmentsLatestDevelopments

Page 86: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

WhitepaperImpactFewweeksafterthepublicationtheC&Cserverswentdark

Afterareboot,allaffecteddevicesshouldbecleanedButvictimscompromisedviaweakcredentials,sotheycanalwaysreinfect

Page 87: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Aliveordead?

Page 88: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Aliveordead?(cont.)OnthelookoutforMoosev2Lookedatover150newsamplestargetingembeddedLinuxplatforms

Page 89: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

FoundUpdateNewproxyserviceport(20012)C&CselectiononCLIC&Cserverreturns404onunknownbotsStillunderanalysisStilltryingtogetinfected

Page 90: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Readingresearchpapersandadapting

Page 91: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 92: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux
Page 93: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

TakeAwaysTakeAways

Page 94: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Researchartifactsreleased

PythonandShellScriptsProtocoldissectors,fakeservers,tsharkwrappers

YararulesIOCshttps://github.com/eset/malware-research/tree/master/moose

https://github.com/eset/malware-ioc/tree/master/moose
https://github.com/eset/malware-research/tree/master/moose
Page 95: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

EmbeddedmalwareNotyetcomplexToolsandprocessesneedtocatchupalowhangingfruitPreventionsimple

Page 96: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Questions?Questions?

Page 97: A Moose Once Bit My Honeypot - Botconf 2018 · $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux

Questions?Thankyou!

andspecialthankstoThomasDupuy(@nyx__o)@obilodeau

https://twitter.com/obilodeau

Whoami conte

Whoami conte

Bypassing Sanboxes for fun - Botconf 2020 · • Hyper V • Qemu 9. BotConf ... • Multi core CPU’s 19 ... Find the Jump 43 DLL PEB kernel32 DLL ntdll PROG Process memory ENV

Bypassing Sanboxes for fun - Botconf 2020 · • Hyper V • Qemu 9. BotConf ... • Multi core CPU’s 19 ... Find the Jump 43 DLL PEB kernel32 DLL ntdll PROG Process memory ENV

Cisco InfoSec Brochure

Cisco InfoSec Brochure

Infosec Audit Lecture_4

Infosec Audit Lecture_4

2014 guestlecture-infosec

2014 guestlecture-infosec

Impact 2013, whoami

Impact 2013, whoami

National INFOSEC Organisations and INFOSEC Management in Hungary.

National INFOSEC Organisations and INFOSEC Management in Hungary.

Low Business Interest in Botnet - Botconf

Low Business Interest in Botnet - Botconf

root@labla/# whoami

root@labla/# whoami

Getting Into InfoSec · Daniel Bohannon @danielhbohannon Getting Into InfoSec via pen Source

Getting Into InfoSec · Daniel Bohannon @danielhbohannon Getting Into InfoSec via pen Source

Hunting Attacker Activities - Botconf 2021

Hunting Attacker Activities - Botconf 2021

COBIT5 and InfoSec

COBIT5 and InfoSec

Jose Miguel Esparza - Botconf 2017 · $ whoami Jose Miguel Esparza Lead Threat Analyst at Fox-IT InTELL (NL) •Malware, Botnets, C&Cs, Exploit Kits, … Security Researcher at home

Jose Miguel Esparza - Botconf 2017 · $ whoami Jose Miguel Esparza Lead Threat Analyst at Fox-IT InTELL (NL) •Malware, Botnets, C&Cs, Exploit Kits, … Security Researcher at home

InfoSec Syllabus V7.3

InfoSec Syllabus V7.3

FELICIES-INFOSEC 4011

FELICIES-INFOSEC 4011

Social Psychology & INFOSEC

Social Psychology & INFOSEC

The InfoSec Avengers

The InfoSec Avengers

Glossary InfoSec

Glossary InfoSec

Botconf ppt

Botconf ppt

Whoami Powerpoint 3

Whoami Powerpoint 3