SHA 2017, if this is your first talk, welcome. If this is not your first time, welcome as well. We're going to talk today about command and control centers for malware and botnet systems and how you can attack those instead of having to patch your system all the time. This is the future. We are here now. The future is now. Yeah, exactly, the future is now. Please give a warm welcome to Senad Aruc for this talk.

Okay, so thanks, everyone, for coming in today, tonight, I don't know, tonight. And this is a free solarium, right? Too bright. I'm sorry about this, but I didn't know that I couldn't use the white slides. A little bit about myself. I was born in Macedonia, so yeah, I survived wars. Like everyone else here, I believe, I started hacking, and I have published a lot of hacks so far, but the most important ones, and most of them, are against command and control centers. Currently I'm living and working in Amsterdam, in the Netherlands. Today I'm going to speak about four famous botnets, even though there are more than 20 pieces of research, but we don't have the time; you can find all of them on the SHA 2017 webpage, so you can download the whole PDF and you have more info there. I'm also going to disclose the Vodafone Netherlands fiber optic internet router hack, the router they call the DrayTek. Basically, they closed the option for bridge mode, I don't know why, and I figured out how to open it again. Of course, I reported this, so they patched it, but if you have an older version of the firmware, then you can still trick them and put your router in bridge mode. So, first of all, family and friends, my son and daughter, because research requires a lot of time and I'm always stealing from their free time, so without them it's not possible to make anything, because if they didn't give up their time, there would be no research, like for everyone else.
Oops, my clicker. Today I'm going to speak again about the botnets. I'm going to speak about why we still suck at malware infections. Then I'm going to speak about CryptoLocker, one of the first ransomware in the world, from 2014, 2015, where I managed to break into this botnet while the attack was ongoing. We revealed a lot of stuff that we shared with the community. Then I'm also going to reveal the man-in-the-browser. We all know that to be able to steal a credit card with malware, you must have a man-in-the-browser attack to bypass the second factor. Right now in the underground there is a man-in-the-browser builder, so you can build your own man-in-the-browser attack against any bank you like in the world. It's so easy. Then I'm going to speak about the NAS botnet, which was very interesting: full autopilot mode, where they were hacking NAS devices from the vendor QNAP. They were hacking them, arming them, and then patching them again, to be sure that no one else was going to hack them. It was an infinite loop. And then I'm going to speak about the KINS family of malware, especially the banking version, which has a really interesting web application, let's say, an electronic banking application, which is better than the one I'm using here, from ABN AMRO. They built a better web application for electronic banking.

So, first of all, why are we still getting hacked and why is all this ransomware still succeeding? Because what we are all doing is putting in defense in depth. We are putting defense-in-depth layers in our companies or in our homes, et cetera. We are trying to protect our endpoints from malware attacks. But we are missing something here. Defense in depth works with two fundamental pieces of logic.
The first one is that it allows the known-good files to pass in, and it blocks the known-bad files from getting in. The biggest problem here is the unknown files. We know what happened with the WannaCry ransomware. We know what happened with every single zero-day attack that came in like fresh malware. Why? Because this piece of code was unknown. There was no disposition for this piece of malware. For that reason, all these defense technologies couldn't stop them. Did you guys ever see a zero-day attack which is known-good or known-bad? Then it's not a zero-day, right? Everything which is zero-day must be unknown. And unfortunately, with these technologies today, if we don't have proper sandboxing and if we don't have proper, good, real-time threat intelligence, we cannot fight them. Another reason why we are still behind the bad guys is that we still believe that malware on the network is the malware. This is a pcap of the malware, and this is the same malware which is active on the endpoint. So what do you think, guys? Which one is the malware here, the left one or the right one? Come on, left, right? Perfect, yes. Malicious activity, malicious software. It must be active to do malicious stuff. I don't know what is happening. More. Yes. So unfortunately, yes, we are trying to fight these zero-day attacks only from the network side, which will not help us. We must be on the endpoint. That's what we have been seeing on the market the last couple of years.

Now, coming to the botnets. I don't know why this is going so fast. So in 2013 there was CryptoLocker. We all know it, one of the first, let's say, public ransomware. At that time, when they started to deliver the malware, we received some intelligence and I had the CNC server. What we do is, we receive some threat intelligence and we build our IP reputation tables to stop that CNC traffic.
And then, if we have the malware piece of code, we can do reverse engineering and stuff like that to figure out what the malware is doing, and based on that we build a signature to block it. That's what all the cybersecurity researchers are doing. Some of them, like me, are not interested too much in the malware. I'm interested in the CNC server that it's speaking to. That's my focus in all my research. I really want to be inside their houses and to see what they are doing. That was my main aim in all my research. I wanted to unlock their logic. I wanted to see what their CNC server looks like. I wanted to see the functionality. I wanted to see what they stole from the victims and stuff like that. The infection process, we all know about it for this specific malware, especially ransomware. It was an email, coming with an attachment, and that attachment had macro code which was forcing the malware to connect to the CNC server, et cetera. But what's important is inside the CNC server. So when I'm doing botnet research, the first thing that I'm trying to figure out is where the CNC server is hosted. Mainly they're hosting it on compromised web servers. No one will buy a legal web server from GoDaddy to publish a CNC server. So they're hacking a shared host or a dedicated host and they're deploying the CNC server there. To be able to figure it out, the first thing you need to do is to find the same way they hacked the web server to deploy the malware. They figured out some vulnerability on that web server, they deployed the CNC server and they're serving it from there. So first you need to realize how they hacked the web server, so you can use the same techniques to hack their CNC server. But they are smart.
Especially if it's a shared host, what they do is hack some web server which is WordPress or some CMS system, but deploy the CNC server on another vhost which has only an HTML web server. So when you check, you will say, okay, there is only HTML, there is nothing vulnerable on this web server. But basically that means that they didn't hack that virtual host, they hacked another virtual host, but then they had root access, so they saw all the hosted web pages on that shared host and they put the CNC server on the non-vulnerable virtual host. They're doing these kinds of tricks to hide their traces. When I penetrated this CNC server, I saw that there were two configurations. One was the admin and one was the user. The most important thing was that they have their own configuration files. Oh, this doesn't look good, but this is a form where they can configure how much money they're going to ask from the victims. This is the configuration page: I'm logging in, I'm going to define my HTML file, you know, the ransom note where they're going to ask for the ransom, I'm going to define which countries I'm going to attack, I'm going to define how much my amount is that I'm going to request for the ransom, et cetera. And then I'm going to click Submit. Here on the right page, I can see what my attack looks like. On the second one, I'm going to configure the decryption. I'm going to upload my decryption application, I'm going to define the main URL, the support, how they're going to log in, et cetera. This is their backend, the real backend from their CNC servers. Then, of course, to deliver the attack, I need to have email accounts, to make mass phishing attacks. What I figured out inside was that there were a lot of emails, a lot, and they had emails from Dutch people, they had emails from UK citizens, they had emails from Germany, et cetera.
They had all the emails classified in folders for every single country. And most important, they already had a lot of stolen SMTP credentials to use in the mass spam campaign. So these are the infected users. Every single user here is a machine, infected and encrypted. At that time there were 2,000-and-something infections. Another thing was the email addresses used for this phishing campaign: for ES, Spain, there were 2,580 email addresses, for Great Britain there were 12,000, and the same for Italy and for the Netherlands. So they have a very nice and very narrow victim target, based on the country and based on their language, et cetera. And what I also saw inside is that they're keeping support: when you're asking them to unlock your files, when you're telling them that you paid the ransom, et cetera. They have some kind of ticketing portal. But what I saw on the ticketing portal was that a lot of people paid and they didn't receive the decryption. This is proof from their side, from their data, that they are not providing decryption keys. So everything was there. They built their own system for delivering the ransomware.

Now, the second very interesting and very dangerous CNC server was the man-in-the-browser builder. We all know that to steal credit card information and to transfer our money, you really need to have a very good developer. You must have a man-in-the-browser attack. You must bypass the second factor. You must have some zero-day exploitation. You must have a privilege escalation to be able to steal money from the user. And until today, it was a very tough job for the underground guys to build a man-in-the-browser attack, because they must know the web application of the bank. They must analyze it very well and based on that build a man-in-the-browser plugin that they can deliver through the malware.
Today it's very easy. These are the indicator-of-compromise details, which I will not bother you with too much because, again, my focus is on the CNC server itself. We know that this CNC server is used by KINS and by Zeus, and the blocks are supporting these two exploit kits, let's say. This was the login page of this CNC server. They put a picture of a big pile of money there. They love their job. I mean, he spent time finding this kind of picture and putting it on the CNC login page. I don't know if you guys can see it. I'm really sorry about this white here, but this is their web application backend. Here you can define the attack campaign. You can see how many online bot victims you have. You can see how many offline bot victims you have. So you can build, for every specific bank, a man-in-the-browser attack that is going to bypass the second factor. Here you can edit the functionality of the blocks. I don't know if you guys can see it or not. That's very bad. Then you need to read my PDF. In these blocks here, basically, what they can do is define which victim groups will belong to which bank. So they can build the man-in-the-browser attack for that bank and they can push that configuration to the malware itself. It's fully automatic. They deploy the dropper. The dropper checks the bookmarks. It checks the geolocation. It sees, hey, I have an Italian PC here, an Italian guy. He has bookmarks for, I don't know, Intesa Sanpaolo Bank and some other bank. So give me the man-in-the-browser attack for these banks, and from here they're pushing this kind of stuff. He doesn't need to go and do anything manually. Everything is on the portal. Then what they are doing is, for every single block, they can generate commands. They have a go command.
That is, they're allowing the victim to reach the original banking application. They have a question. They can build a question. You know, they must delay. They must show the victim that the money is transferred between Bob and Alice, but in the background it's going to Bob the Joe. To do this, they're tricking everything. So you are asking a question. You can push your error questions. You can push your TAN JavaScripts. You can hold the function, the transaction button. They can show you some error tricks. They can kick you out of the banking, because they don't want you to log in and see that the money went somewhere else. They can keep you on hold. They can confirm with fake messages and then they can forward you to a different page. Everything is configurable. Everything was configurable, actually, in this CNC server. You don't need to be a coder anymore. Just go here, pay them some fee, and you have a man-in-the-browser builder. Go somewhere else, I don't know, buy the mailers, deploy your malware and you are ready to go. And then what we have here are the custom injections, because the biggest problem that they are facing is the one-time passwords, the second factor. And to bypass that, they have a special section where they can trick you into entering your second password, the OTP password. You know they're all one minute, right? Length: for the one minute that you are designing here, the system will ask you for the OTP. You are putting in your OTP. You don't know why it's asking for your OTP. And then they're taking that code and they're transferring the money. So we are not safe. Even with OTP, we are not safe with this kind of stuff. I can see very nice faces from the light here.

Another botnet was the QNAP NAS, the network attached storage. We all know the Shellshock attack. It was famous.
But using the Shellshock attack, they hacked I don't know how many thousands of these QNAP NAS servers. They built the attack in such a way that it was fully automatic. They needed to infect just one QNAP device, and then that QNAP device was infecting other QNAP devices. It was really nice. What was happening was, first of all, they are making a massive Shellshock vulnerability attack. Then they are deploying the payload. Then they are patching against Shellshock. They don't want this device to get hacked by somebody else, so they are patching it. They are putting a DDoS application inside, and they are deploying the scanner: we're going to scan, and we're going to hack other botnet devices, the QNAP devices, sorry. These are the IDS device alerts, when we saw the QNAP device, the QNAP alert. Then this was the payload hosted on the compromised web server. Then from there, I came to the DDoS server itself. It's an ELF binary, running on Linux, it's an executable actually, doing DDoS attacks. They put an HTML backend there, a CGI script, so they can control the infection. But most important was that it was just automatic. Everything was going automatically. Of course we reported it to QNAP at that time, and they patched it and stuff like that. But a lot of devices are still vulnerable, because they patched the vulnerability: they own the device and they're patching the vulnerability.

So the last CNC server, if you remember I mentioned, better than ABN AMRO: it was KINS malware. By the way, these are the victims here. You can see how much money they have in their accounts. And what was the most dangerous thing about this CNC server was that you are deciding like, okay, take money from this victim, send it to my crook, the drop, let him keep 20% and transfer the money back to my account. Here we can see how you can define the drops.
They have full management of the crooks: how much money they receive, which one is their drop, the reason for the drop, et cetera. It was a full, I mean, it's like ABN AMRO, you know, when I'm transferring money to pay my bills, it's the same. And it's faster than ABN AMRO. Here they can see all the error logs. They care about their system. They want to know why the transfer is not done. I'm really sorry that you guys cannot see this, but that's it. Here you can define all the transfer pages and, most important, here you can add a new drop, a new crook, so you're putting in his name, his bank account number, all his information, and you are defining the split with him, how much you're going to give to him, and then you are ready to go. Everything is fully automatic. And here are the transfers. Basically you can say, for this crook, take this amount of money from these victims, and then the reason for the money transfer was like a payment of rent. It was just random words that I found inside, like buying something, payment of rent, payment of holiday and stuff like that. But the actual user is not seeing that, because of the man-in-the-browser attack from the previous CNC server.

So that was all for today, for tonight. There are more botnet research articles that I've done, with more details and better pictures. I encourage you guys to go and read them. They're really nice and very informative.

So the last thing for tonight was the Vodafone hack. What happened, a little bit, very fast. I purchased Vodafone fiber optic internet at my home. The device itself is nothing: it's doing NAT for me, it's routing for me. Meanwhile, by the way, I work for Cisco. So meanwhile I got hired by Cisco and they gave me free gear at home.
And what happened: that gear that I had at home has sandboxing capability, and advanced malware protection, all the good stuff; this is fast. And I wanted to take the NAT to my Cisco device, to put this router here in bridge mode so I can have control over my traffic. What happened: I went to the router's configuration page and under the NAT page there was nothing about the bridge. I went to Google, a lot of Google Translate, because I don't speak Dutch. So I ended up in a Dutch forum, and I was using Google Translate all the time, and I saw that the bridge mode functionality is active through True IP, but Vodafone Netherlands disabled it. They don't want you to use NAT. I don't know why; they claim some security issues, but I don't think so. And then, of course, for me it was time to start digging in. Let's see what is happening. What happened: I logged into my DrayTek, I went to the DMZ host. Here, as you can see, I don't have a place to define a MAC address, which is going to be my NAT. So what I did was simple. I just figured out the POST command, by the way. As you can see here, this 7C0191, this is my MAC address. And the switch here, one, what is happening, okay? It's my True IP enabled. If you just want, make it one, and just forward the intercepted POST, and you have NAT, which Vodafone Netherlands doesn't want you to have. For the guys who don't know what Burp Suite is and stuff like that, I have a better option. Just go, if you can, just go to Inspect Element. We all know this. This is Safari or anything else. Just figure out this delay here. As you can see here, this is the JavaScript responsible for updating, let's say, the configuration of the router itself. Then, the strange thing here is that you can see the MAC address of the True IP DMZ here, but it's not in the GUI. Why is it not in the GUI? Because it's display none.
Just delete the display none. Come on. Then you will have a MAC address input, but it's disabled, so another security check. They disabled it, so you cannot have the input. But we have a solution for that. If you search again, you're going to see here that it's disabled, disabled, disabled. Just change the box to enabled and then you can put in your MAC address. Just click OK and you just bypass their non-logical wish to not have you on it. So, I mean, yeah, this was very easy besides breaking the button, I agree. But yeah, it's my fundamental right to have my own connection and stuff like that. So then, of course, I reported it to them, a couple of emails back and forth. I think that they patched it, but if you have an older version of the firmware, this will still work. Yeah, this is the disclosure, and they sent me some flowers at home and they gave me some free packages. So I have more IPTV packages at home, more Dutch channels, which I don't understand, unfortunately.

So that was all for tonight. I'm really sorry again for the very white, bright display. If you have any questions, guys, feel free to ask me or to reach me by email. Yes, you have the microphone here.

For the questions, please go to the microphones right in front first. Is it enabled? It should be on. Yes. Oh, yeah. One, two. Yeah, it's okay. I can hear you.

Yeah, so the Vodafone hack, the parameters in the POST request, they were already existing without anything?

Yes, it's already there. They're just hiding them with the CSS, from the rendering.

Right, so if you just run like, when generally just checking the Vodafone site for vulnerabilities, you just see that the parameters were there and you just modify them and you have your...

Yes.

Okay, and is there any way to exploit this in any way to gain further knowledge?
So let me tell you, because basically what they've done is they didn't filter and they didn't do any kind of validation of my command. Because my focus was only bridge NAT, I didn't have time to check, but maybe you can change the DNS, maybe you can do more harm. I didn't have time, so I'm leaving it for you guys to dig into. But I'm sure that you can do more. But my aim was just to have NAT, just to have a bridge and to get rid of NAT.

Yes, only flowers. Thank you.

So if you're leaving the room, please.

Hey, yeah, thanks for your talk. It was impressive. So the malware interfaces, they all look really professional. These guys definitely know what they're doing. They spent lots of time developing that stuff. So why do you think you could still compromise their servers? I mean, you expect that they spent some time on that as well, because they want to protect their assets, right?

So that's a good question. Let me tell you. I tried to figure out how they work. Let me put it this way. I tried to do research against maybe 2,000 CNC servers. I managed to figure out only 20 of them. Okay? So it's heavy research. And sometimes it's like, so you know what they were doing? They're spending the money. They're putting it in the drop zone. From the drop zone, they're pushing the money. They're pushing the hacked credit card numbers with a queue to another server. When I caught them two times, after that they stopped doing that. So they put a Gmail account that they're using like a drop. So they're stopping. Basically, every single piece of research that we are publishing is improving their way of doing this stuff. So I agree with you. They are very good, but I mean, come on. It's not possible to breach all of them. So this is all I got, but they are very, very professional. This is a business model.
This is a model where you can hire and you can build your perfect attack. Okay, thank you.

Okay, again, if you're leaving early, please be quiet. It will show up on the recording and we don't want that. Are there any other questions left? Because we have time. How much time do we have? Like 20 minutes. 20 minutes? Yeah. Okay. You showed me 10. That was... Oh, okay. Any other questions, guys? Okay, then I hope that you enjoyed it. And sorry again, please take the PDF. You have all this information inside and more; reach out to me. I have more stuff to show you, okay? Thank you. Thank you.