Having the ability to track a specific threat or cybercriminal group, be it through sinkholes, honeypots or trackers, is paramount for researchers to gather the data points needed to better understand the threats they are facing. In some cases, sinkholes can provide an exhaustive list of infected devices in real time, giving a clear view of the threat's prevalence and enabling notification and remediation efforts. In other cases, trackers can provide updates on the location of command and control servers as well as new malicious binaries. This data can then be used to fight back and ensure that end users are protected from the threat in a timely fashion.
Creating an efficient sinkhole or tracking system requires a deep understanding of the malware and, especially, of how it communicates back to the criminals. This presentation will detail two case studies in which ESET researchers exploited weaknesses in the criminals' infrastructure to gather supposedly inaccessible information. We will also show how the malicious actors have implemented (or not) countermeasures to mitigate our "attacks".
The first case study is TorrentLocker, a ransomware first seen in 2014. Through our analysis, we discovered that TorrentLocker's C&C servers generated predictable user codes when newly infected systems were added to their database. This user code uniquely identifies each victim so that the decryption software can be sold to them. We will show how understanding this algorithm allowed us to fetch information about the victims from the C&C servers by sending crafted HTTP queries to them. This experiment yielded an exhaustive list of victims, including each victim's country and Bitcoin wallet addresses, the percentage of victims who ended up sending money to the criminals, and other useful information.
The second case study is Ebury, an OpenSSH backdoor that infected more than 25,000 servers worldwide. It is the core component of Operation Windigo. Every day, Windigo redirects 500,000 HTTP requests and sends millions of spam messages. We will explain how we performed traffic capture on live, infected, production servers, allowing us to measure the number of infected systems and the volume of malicious web redirections and spam sent. Collaboration with other parties, including law enforcement, was crucial to performing these captures. This led to notification of the victims and partial cleaning of the botnet. We will also present how we set up custom honeypots with a live, transparent SSH man-in-the-middle. This setup allowed us to track key servers used in Operation Windigo and obtain new versions of the various malware components. You will see how the criminals operate Linux servers both in an automated and in a manual manner.
Finally, this presentation will discuss actions we decided not to take because they were either ethically questionable or plainly illegal. Although informal, malware researchers tend to adhere to a personal or institutional code of ethics when dealing with counterattacks. Based on the case studies we present, we will explain the reasons behind the decisions we took and poll the audience to get a general idea of what other researchers consider acceptable whenever counterattacks are possible.