So, yeah, so, as was just said, my name is David Décary-Hétu, my background is actually in criminology, so I have a PhD in criminology, and I've been listening and looking and investigating illicit markets online for the past almost 10 years now, and most of my research really tries to understand what is the impact of technologies on crime, and very often it will gear towards the dark web, the dark net, and anonymity technologies. So I'm a co-founder and chief research officer at Flare Systems, and what I'm talking about today is part of a report that we published on botnets and proxies in Canada. So one of the things that I try to do is to focus more on the Canadian market since most of the research is international or even American or European, so it's nice to have some data and some content about Canada. So most likely today we're only going to get to the first part of this talk, so we're going to be talking about botnets basically, and more specifically, a market that is reselling access to bots. There's also a part about proxies, we'll see how things go, and if we have some time for it, then we'll talk about it.
So of course there's a lot of debate in the research community about kind of naming the target of the investigation. In this case, we're going to be talking about a very specific market today, it's called Genesis Market, and I know there's some pros and cons, but in this case because it is a market that has been extensively researched, and something that is very known in the community, we decided we're going to publish a name of the market that we're going to be studying, and this will help you kind of understand what kind of threat it poses for your organization, and if it's something that you should care about. So while I start, a very quick and basic kind of introduction to botnets, just to make sure everyone understands what we're talking about.
Today I'll be talking about botnets, which are basically just networks of infected computers that are under the control of a botmaster. So the botmaster is the person or the group of people running a botnet of infected computers, which we're going to call bots, and very often these bots are going to be used either as proxy or they're going to be using proxies, which is basically just a device or something that allows you to run your traffic around somewhere on the internet. Now the fight against botnets is growing and it's a major problem for organizations, so just to give you a very high level view, when we're looking at how much companies are spending to fight botnets, it's expected to grow up to a billion dollars in 2023, so it's something that is a very big and growing concern for organizations.
Now when we're looking at Canada more specifically, are botnets a problem in Canada? Well, one of the things that we can look at, and this is data from Spamhaus, is where are the botnet command and control centers located? So basically where are the computers controlling these botnets located? And it was quite interesting to see that actually Canada is in 12th place in terms of location. States, Russia, China, Europe are the main places where you're going to find these command and control centers, but Canada doesn't seem to be at the core or the center of this industry based just on this information.
Now another important thing to understand is that the botnets they used to be about many, many things, but what you see over here is a description of what botnets are being used for today. And basically you see that there's two things that they're mostly used for, it's either credential stealer or it is remote access tool. So in most cases, what botmasters and what people who are taking advantage or using these botnets are looking for, is to steal some credentials. And today we're going to be talking about one of these botnets.
So analysis by other research teams have pointed that the Genesis Market is actually reselling the AZORult botnet, so the bots infected by AZORult. And so what we're going to be talking about today mostly because this is a credential stealer is the reselling or the using of stolen credentials. Now when we're looking at where these command and control centers kind of, where they're being web hosted, you have the list of countries over here and the list of networks. And once again, Canada is not part of that list.
So if we want to focus more a bit on Genesis Market more specifically, which is kind of the aim of this presentation. First, just a very brief overview of how the market works. Basically, when you log into the market, you're going to get a list of all the bots that are available with the number of bots per country. And so if you look at the bottom of your screen, what you're going to see is in Canada, we have about 20, there was about 2600. That's kind of concurrent. So there's always a bit around 2500, maybe a bit more bots for sale from Canada. And the market is actually pretty generous in that it provides us with a lot of information about all of the bots that you can rent out on this market. So one of the things that you're going to get is for example, the country where the bot that you want to rent is going to be located. You're going to see the number of resources which are kind of the credentials that you can purchase that you're going to get access to the bot. You actually get when the bot was installed, which means when was the computer overtaken by this botnet. When was it last updated? So this is when was the last information sent from the bot to the botnet. And you even have partial IP addresses and the OS version. So all of this is pretty interesting because as an organization, you can actually see some actual intelligence that you can look at and say, well, this is an IP range that's part of my network.
We see the OS, for example, it could be Windows Enterprise. And so it becomes kind of, it will help you to kind of understand if one of these bots belongs actually to your corporate network.
Now on the market itself, this is what it looks like. So you see the menu on the left as always. And there's a bunch of stuff going on over there. But maybe more interesting is actually the fact that you can get for every single bot that you can rent out, all of the information about the cookies and the credentials that you actually get when you rent out these bots. So basically, you're going to see a list of websites that everyone's familiar with, Facebook, Amazon, and whatever. And you're going to get exactly the cookies and you're going to see all the information that you're going to get if you were to rent out this bot. And so it's pretty specific. And in terms, for research, it's extremely valuable because you can actually see everything that is for sale. And it allows us to do some projections and some calculations. I'll be talking about those pretty briefly.
Now searches, well, of course, you can search for content. But maybe the most interesting thing is this notion of generating fingerprints. So as was said at the beginning of my talk, many organizations, including banks, will fingerprint their users, which means they're going to look at the IP address they're using, what kind of browser they're using, the language, they're going to be even looking at the plugins that are installed, the resolution. So they build a profile for what normal access to their service looks like. And with Genesis, what you're actually getting when you're renting out these bots, you're actually getting the credentials that were stolen from the bot, but also a fingerprint. And this allows you to very, very, very precisely mirror the victim that you want to impersonate.
And so this is extremely powerful because if you're a company and you want to detect fraud or someone who's hacking through an account, well, basically, because of this fingerprint, it's going to be extremely difficult to do so. Now, the market does give out for free two things, either their own browser, or you can actually get a plugin you can install on your browser. So in both cases, what these plugins or this browser do is they're actually there to let you import the fingerprint, and you can even get live updates from the bots with new credentials that have been stolen. So basically, this makes it extremely seamless to get, to impersonate anyone that you want, as long as their computer is for sale on this Genesis Market. Now, you do have to provide your own proxy. So this is something that you have to add to the service. And it allows you, as you can see over here, to kind of configure your proxy that you want to use to impersonate the victim. So very kind of high level. This is what the Genesis Market looks like.
And if we look a bit more closely at what's going on on the market, and this is kind of the whole point of this conversation today, is to look at how many bots are for sale. And what you're seeing over here, and this each number represents the number of bots that were active that were for sale from Canada on Genesis Market on a given day, what you're seeing is some sort of a downward trend. And you see that these numbers are slowly decreasing. And so that's kind of interesting to see that over time, we don't see an increase necessarily for Canadian bots. And we've been watching the market for the past now, maybe five or six months. And what we've always seen is that the number of bots for sale in Canada is going down slowly, but surely every single day.
Now, when we're looking at the number of new Canadian bots that are posted for sale per day, what we're seeing, and this is once again, just a couple of days, the number of bots, of course, it's going to vary depending on the day. But what you're getting on any given day is about 15, maybe 20 new bots being sold on Genesis Market from Canada. And so what we see is that there's a surprisingly constrained supply of Canadian bots on Genesis Market. And this is pretty, so this means that the botnet is not infecting vast numbers of computers in Canada. It's, you know, a kind of a steady grind of maybe 15 to 20 bots that are getting infected every single day.
Now, one of the big surprises that we got when we were looking at Genesis Market was the fact that when you analyze the bots that are for sale, you come to realize that many of these bots were not infected in 2021, or in 2020, they were most of them were actually infected in 2018 and 2019. And so when you get down to it, what you realize is that Genesis Market is enabling or facilitating the sale of bots that are actually pretty old, and that you can actually question if they're even working at all, or if the information you're going to get from these bots is going to be relevant. And so this was kind of a big shock because we expected, you know, the bots to be quite fresh, but to see stuff that's, you know, two, three years old was pretty surprising. And when we look at the last update, it's kind of the same thing. So it's one thing to have a bot that was, you know, infected in 2018 for sale. Maybe it's been infected for three years, maybe it's been around, and you're going to get some quality data. But actually what we're seeing is that in many cases, the bots didn't send out an update for three years or even two years.
And so when you go on Genesis Market, you see thousands of bots for sale, yeah, perhaps, but at the same time, what you're, what you can actually buy is something that hasn't sent out any new credential in two years. And at that point you can actually question the quality of what you're getting, and whether it's really significant or something that you would like to buy. Now there's quite a few that have been updated in 2021, and those are going to be probably the ones that you're going to get and the one that, you know, the most malicious actors would want to purchase or rent out.
Finally, when we look at the Windows versions, which we see for these Canadian bots, is that most of them are running the latest version of Windows. Now, Windows 10 has been around for quite some time, but basically the botnet is not targeting, you know, old crappy boxes that have been forgotten somewhere for years. It's basically stuff that, you know, that's with Windows 10, which is once again the latest Windows. You do have some, you know, weird people still running Windows Vista for an unknown reason, but, you know, for in most cases, it's going to be newer ones.
Now that we see kind of what is the supply on Genesis Market, now we can look at the demand and try and understand exactly how the sales in Genesis Market are operating. So one of the things that we see, if we look at the number of bots from Canada that are going to be sold every single day, what we're seeing is that it's about, you know, 30 to 35 bots being sold every single day on Genesis Market. And once again, this number is pretty low. And this is kind of interesting. So it means that the supply is kind of constrained, as we said, with about maybe 15, 20 new bots every day. But we also see that the demand is pretty low with, you know, only a couple of bots being bought every single day from Canada. And so what we're seeing is that these bots actually hold credentials.
And here you have kind of the main credentials or the most commonly sold credentials with these bots. Of course, it's kind of no surprise to see that, you know, Google, Facebook, Microsoft with Live.com, Netflix and Amazon are going to be kind of the most common credentials that are going to be sold on these botnets. But later on, we'll also see that there's actually a bit more to it. So, you know, when you're buying these bots, you're actually getting access to, in many cases, to these credentials.
Now, one of the things that we wanted to better understand is how do people make their purchasing decision? And so what we wanted to build is actually a model that would predict which bot is going to sell on Genesis Market. And so the way to analyze this is to look at the bars and to understand that if a bar is going to be yellow, it means that it will increase the odds of a bot being sold. And if you look at the blue lines, it means that it will decrease the odds of a bot being sold on Genesis. And of course, the length of the bar is going to indicate the strength of the relationship between one variable and the fact that the bot is going to sell on Genesis Market. And so we tested for a number of variables that you can see in the graph over here. So we looked at the time since the last update. So how long had it been since the bot had been updated? We looked at the infection length. So how long ago was the bot infected? We looked at the number of cookies that were sold with the bot. We looked at the price. We also looked at the number of credentials that were being offered with the bot, the Windows version, whether it's enterprise and whether it's new or old version of Windows. And what you see in this model is that there are four variables that are connected with sales on Genesis Market. And the biggest predictor of a sale, well, it's going to be the time since the last update. And as you can see by the length of the bar, it really is the biggest factor here.
So basically, when people log into Genesis Market, what they're going to be looking for is a bot that was recently updated, which means that it provided new credentials, something that was fresh pretty recently. Infection length is important, but not as much. The price is important, but once again, not that much. But the number of cookies was relevant and important. So basically malicious actors appear to be looking for bots that are going to have more cookies. And of course, when you get the cookie, you can actually just log into an account. So it makes it much easier to impersonate someone and to get their data. So this model was really interesting to better understand. And when you're working for an organization, well, you know, if you determine that on Genesis Market, one of your computers is actually for sale. Well, the fact that it hasn't sent anything for a couple of months, couple of years, basically means that the odds of it being sold to someone are extremely low. So there is a problem, but the problem may not be as big as someone who has a computer that just sent out some fresh information to the bot.
Now, we also wanted to look at the pricing of bots on Genesis Market. And here you have the price of bots overall, as well for every year, depending on when they were last updated. And it's pretty interesting to see that, whether we look at the median or the average price, what you see is that the fresher bots or the bots that were last updated are going to fetch a much higher price than the ones that were infected and updated a long time ago. So if you're wondering about the price of a bot, so on average, if you want a bot that was infected recently and updated recently, on average, the cost is going to be $58. And if you're looking to the right, the median is even lower at $35.
So most of these bots, when you rent them out, they're only going to cost you a few tens of dollars in most cases, though there are some bots that are going to fetch in the hundreds of dollars. And if you go down the list, you're going to see, for example, that a bot that's a couple of years old, well, it's only going to cost you $5 or $6 probably, or perhaps as little as $10, or even $1. So basically, most of these bots are sold for pretty cheap. And it's kind of interesting, and we'll get back to this in the discussion at the end, to see that nobody sells gold for the price of silver. And it really kind of makes you wonder as to how much can you really get out of these bots and how good are these fingerprinting services working if these bots are selling for so cheap, basically. So it's a question that we can talk about later on in the discussion.
Now, the other thing that we wanted to look at was the prices of bots. So we actually built another model that would predict this time around the pricing of each of these bots, not whether they would sell. And we have kind of the same logic here to look at this graph. So if you look at the yellow bar, this is something that will increase the price of a bot. If you're looking at the blue bar, you're going to see something that decreases the price of a bot. And the length of the bar shows the strength of the relation between the variable and the pricing of bots. And what you see over here is actually the number of credentials is the lead variable, has the strongest relationship for the pricing of bots. And so it's kind of interesting to see that when the malicious actors, they're pricing their bots because, as I showed just before, there's a wide range between $1 and $350. They actually have to set a dynamic price for each of these bots. Well, they're going to take into account the number of credentials, and that's going to be kind of the strongest predictor of the pricing of bots.
And we're also going to see the time since the last update. So the older the bot is, the cheaper it's going to be. And it was quite interesting to see that the newer versions of Windows were actually fetching a lower price. And so it was kind of interesting and probably because the newer version of Windows may be more difficult to hack or to maintain your presence or to get new credentials from them. And so they are a bit cheaper than the other ones that you're going to get. So here, the goal was really to understand, so how are these bots priced? And what we see over here is that the number of credentials is really the leading factor.
Now, the last part of this analysis was to estimate and try to understand exactly what is the impact of Genesis Market on the Canadian economy. So that's a pretty big goal to have. So what we did is we actually built scenarios and we tried to assess the impact of Genesis Market depending on each of these scenarios. And so for the scenarios, what we figured was that the optimistic model is the model where you're going to have the least impact. We're optimistic that there's going to be very little damage by Genesis Market. And so in this case, what we're looking at is perhaps 15 bots being sold every single day. That these bots are going to cost on average $71. That maybe 60% of these bots are going to work out and you're going to be able to do something with them. And that each fraud per bot is going to be around $300 when it works. And at the other end of the spectrum, what you find is the pessimistic model. And in this case, what you're seeing is actually a lot more bots being sold every day, so around 60. These bots cost pretty cheap, so only $8. 90% of these bots are going to work out. And then the impact of the fraud for each bot is going to be about $1,000. So these are numbers that we can talk about later on in the discussion if you guys want to. But we tried to model the impact on the economy.
And in this case, what you see here, so in the blue line is the pessimistic model. And what you see is the impact over 12 months. And what you're seeing is that Genesis Market in the worst kind of scenario that we could figure out, the impact was around $19 million. And optimistically, it was more around $1 million. And so in this case, it was really interesting to kind of evaluate the impact that you can have and to consider to think about how Genesis Market in Canada only represents about 1% of all the bots out there. And so it's pretty difficult to determine exactly what the impact is going to be on all these bots. And we didn't even try to come up with a scenario for the international and the whole world. But you can play with the numbers in your mind. You can pretty quickly see that the impact of Genesis Market on the economy around the world could be quite significant when we're looking at these numbers.
Now, just because I only have a very short time left, I'll skip that part and I'll be wrapping up with my conclusion. So basically, what we found out when we're looking at Genesis Market, and that was perhaps one of the really interesting points was that there's a lot of false publicity to attract the customers, but also vendors. And that's something that we see on many forums and many markets. So if you look at the criminal underground, you're going to see people boasting to have zero days, people claiming to sell pretty much anything. And in the end, if they really have what they say they have, probably not. And in this case, what we saw was a lot of false publicity. So if you log into Genesis Market, you can think that there's actually thousands of bots that you could buy from Canada. But in reality, there's only a handful of them, perhaps a couple of hundreds that are still active that are interesting to anyone, and that the buyers are likely to buy. The rest is probably there just to inflate the numbers.
And this shows you the importance of really digging into the data to analyze it and to really better understand the threat landscape that this threat poses. Now, the place of Canada in the botnet and account takeover underground. The place of Canada appears to be quite small. So we're talking about one percent of all the bots on Genesis Market coming from Canada. And what we're seeing is the number of bots, therefore, is pretty low. And we see other countries. So if you're looking at France, Australia, which are probably the closest in terms of GDP per person, as well as the size of the population. And we see a lot more bots attacking those other countries. So Canada for some reason is somewhat protected against this threat. And that is pretty good news.
Now, Genesis Market is, as I said before, a really generous platform. And that it really shares a lot of information. And following the release of our report on Genesis Market, we actually saw a banner on the market with the administrators asking their members, and do you know if there's anyone investigating us, if there's something going on, do let us know. And one thing that we do expect is that the platform is not going to remain like it is right now, just because it is giving out way too much information. And this allows researchers and organizations to see if one of their computers has been taken over and to look, for example, in the list of credentials for internal domains or services or websites that no one outside of their employees should have. And just because you get a list of all the credentials, well, it kind of helps you to understand whose computer is being taken over, because you have the partial IP, but you also have the list of websites they're going to. So you're going to have music sites and other forums that will help you kind of identify and know who the person is. Now, my main point and question with all of this was the fact that nobody sells gold for the price of silver.
And that was a title of a paper by Microsoft researchers almost a decade ago now, maybe a bit more. And in this case, I mean, you get so much every time you're getting a bot on Genesis Market. So it is pretty surprising to see that people are not willing to pay more than $50 or $60. In some cases, yes, $200. But on average, the price of the bots is going to be pretty low. And so this really questions kind of the worth of these bots, and whether you can actually get that much information out of them and how easy it is to use them. Now, the proxies, I kind of skipped that part. And basically, and the fact is that when you're a company and you're facing challenges such as the Genesis Market one, well, you're going to have perhaps a hard time to identify the fraudsters because of the fingerprinting techniques, but at the same time, just because they're being sold for so low, maybe it is not such a problem in the end.
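
Added example, not part of the talk or of the Flare Systems report: a defender-side triage of bot listings using the signals the talk names (partial IP, last update, and internal domains in the credential list). The record fields, the masked-IP format, the 90-day freshness cut-off, the networks and `corp.example.com` are all assumptions, and the sample listings are constructed.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass
class Listing:            # field names are assumptions, not the market's schema
    bot_id: str
    partial_ip: str       # masked IPv4, assumed form "203.0.113.*"
    os: str
    last_update: date
    domains: list         # sites the listing advertises credentials for


def masked_to_network(partial_ip):
    """Return the network a masked IPv4 covers, or None if no octet is known."""
    octets = partial_ip.strip().split(".")
    if len(octets) != 4:
        return None
    known = 0
    for octet in octets:
        if octet.isdigit() and int(octet) <= 255:
            known += 1
        else:
            break                       # first masked octet ends the known prefix
    if known == 0:
        return None                     # fully masked: no IP evidence at all
    addr = ".".join(octets[:known] + ["0"] * (4 - known))
    return ipaddress.ip_network(f"{addr}/{8 * known}")


def is_internal(domain, suffixes):
    """True for an internal suffix itself or any host beneath it."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def triage(listings, org_networks, internal_suffixes, today, fresh_days=90):
    """Keep listings that touch our assets; rank by evidence and freshness."""
    nets = [ipaddress.ip_network(n) for n in org_networks]
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for item in listings:
        bot_net = masked_to_network(item.partial_ip)
        ip_hit = bot_net is not None and any(bot_net.overlaps(n) for n in nets)
        dom_hits = sorted(d for d in item.domains if is_internal(d, internal_suffixes))
        if not ip_hit and not dom_hits:
            continue
        age = (today - item.last_update).days
        fresh = age <= fresh_days
        # An internal domain is strong evidence; a partial IP alone is weak,
        # because a /16 or /24 match also covers hosts that are not ours.
        if dom_hits and fresh:
            priority = "high"
        elif dom_hits or fresh:
            priority = "medium"
        else:
            priority = "low"
        findings.append({"bot_id": item.bot_id, "priority": priority,
                         "ip_match": ip_hit, "internal_domains": dom_hits,
                         "age_days": age})
    findings.sort(key=lambda f: (rank[f["priority"]], f["age_days"]))
    return findings


# Constructed sample data (documentation IP ranges, hypothetical domains).
SAMPLE = [
    Listing("bot-A", "203.0.113.*", "Windows 10 Enterprise", date(2021, 5, 20),
            ["facebook.com", "vpn.corp.example.com"]),
    Listing("bot-B", "198.51.*.*", "Windows 10", date(2019, 3, 10), ["netflix.com"]),
    Listing("bot-C", "192.0.2.*", "Windows 10", date(2021, 5, 30), ["amazon.com"]),
    Listing("bot-D", "192.0.2.*", "Windows Vista", date(2018, 11, 2),
            ["wiki.corp.example.com"]),
]


def run_sample():
    return triage(SAMPLE, ["203.0.113.0/24", "198.51.100.0/24"],
                  ["corp.example.com"], today=date(2021, 6, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A stale match still means credentials were stolen and should be rotated; the ranking only orders the response work.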