Missed those talks at VB2011? A few notes on a first set of talks I attended.
A look at the cybercrime ecosystem and the way it works, Dmitry Bestuzhev
On the underground market, it is possible to find plenty of things such as clones of real ID documents (shipped with your own picture), even with real biometric information. You can also find real police ID cards. To access the underground market, however, you need to be a 'certified' cybercriminal.
There are geographic differences between cybercriminals. In Europe, cybercriminals take care to hide themselves so that they are harder to find. For instance, they like to use Jabber because that IM keeps no logs whatsoever. In Latin America, on the contrary, they do not seem to fear anybody and even do some PR for themselves, showing videos of their activities without any fear of showing their faces, the faces of their children and wife, their cell phone number, and their whereabouts.
Countries with many cybercriminals are typically Brazil (where the cybercrime law dates back to the 1940s) and Russia (which does not allow its citizens to be extradited). Unfortunately, France can also be noted.
Dmitry's final point is that writing signatures is good, but in the end it is not going to make a difference. What is going to make a difference is to stop and sentence the cybercriminals.
Same botnet, same guys, new code, Pierre-Marc Bureau
W32/Kelihos appeared at Christmas 2010. It seems it first propagated through fake greeting cards that redirected you to a fake website asking you to download a new Flash Player. The very first versions shipped with plenty of debugging information, which was very helpful for reverse engineering the malware. It also suggested that the coder was not a native English speaker (bad grammar, spelling mistakes such as "opening" written with two Ns, etc.). Later versions no longer included this debug information.
The malware is bundled with a spam engine. It has been seen sending stock-exchange-related spam, recommending that victims buy a given stock so that the operators can make money from pump-and-dump schemes. The stock spam actually worked and had an impact on some of the stocks it was recommending.
From an implementation point of view, Kelihos uses TCP port 80, probably to be stealthier. It also uses a strange combination of crypto algorithms: DES with key K1, then Blowfish with another key, then DES with K1 again. If we compare Nuwar, Waledac and Kelihos, some parts of the code are really different, implying that there were certainly new coders on the project. On the other hand, there are numerous similarities, including mostly the same functionality. All three use fast flux, and although the technique is well known, it is still not used that much in botnets.
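Fast flux is the one technique the talk says all three of Nuwar, Waledac and Kelihos share. As an added example (not code from the talk or from this post), here is the kind of resolver-side heuristic a defender can run over repeated DNS lookups to spot it; the domains, addresses and thresholds below are constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of repeated A-record lookups, as (domain, TTL, answers). All values are
# made up for this example: ".invalid" names and private/RFC 5737 addresses, not real indicators.
OBSERVATIONS = [
    ("flux.invalid", 300, ["10.1.2.3", "10.2.9.8", "10.3.4.5", "10.4.77.1", "10.5.6.6"]),
    ("flux.invalid", 300, ["10.6.1.1", "10.7.8.9", "10.8.3.3", "10.1.2.3", "10.9.9.9"]),
    ("flux.invalid", 300, ["10.10.4.4", "10.11.5.5", "10.12.6.6", "10.13.7.7", "10.14.8.8"]),
    ("static.invalid", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("static.invalid", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("static.invalid", 86400, ["192.0.2.10", "192.0.2.11"]),
]

# Thresholds are assumptions chosen for this example, not figures from the talk.
MIN_DISTINCT_IPS = 10
MIN_DISTINCT_PREFIXES = 5
MAX_TTL_SECONDS = 300


def summarize(observations):
    """Per domain: distinct IPs, distinct /16 prefixes (a cheap stand-in for ASN
    diversity when no ASN data is at hand), lowest TTL seen, and number of lookups."""
    per = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None, "lookups": 0})
    for domain, ttl, answers in observations:
        d = per[domain]
        d["lookups"] += 1
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        for ip in answers:
            d["ips"].add(ip)
            d["prefixes"].add(str(ip_network(f"{ip}/16", strict=False)))
    return per


def flux_candidates(observations):
    """Return {domain: reasons} for domains whose resolution pattern looks like fast flux:
    many distinct addresses across many networks, rotated under a short TTL."""
    flagged = {}
    for domain, d in summarize(observations).items():
        reasons = []
        if len(d["ips"]) >= MIN_DISTINCT_IPS:
            reasons.append(f"{len(d['ips'])} distinct IPs over {d['lookups']} lookups")
        if len(d["prefixes"]) >= MIN_DISTINCT_PREFIXES:
            reasons.append(f"{len(d['prefixes'])} distinct /16 prefixes")
        if d["min_ttl"] <= MAX_TTL_SECONDS:
            reasons.append(f"TTL as low as {d['min_ttl']}s")
        # all three signals are required so that a CDN's short TTL alone does not trigger
        if len(reasons) == 3:
            flagged[domain] = reasons
    return flagged
```

On the constructed sample only flux.invalid is flagged (14 distinct IPs across 14 /16 prefixes under a 300 s TTL); legitimate CDNs also rotate addresses under short TTLs, so treat this as a triage signal, not a verdict.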
A Survey of Contemporary Chinese DDoS malware, Jeff Edwards (presenting), Jose Nazario
"Chinese DDoS" here means that the C&C is hosted in Chinese IP space and that the malware contains substantial DDoS capability.
There are currently ~40 different families of such malware. They are often pretty unsophisticated, with little or weak encryption. Most of the time they are written in C++ with Visual Studio. They usually attack a single target at a time, with an attack lasting only about 2 hours.
To study the botnets, the authors wrote fake bots to log and monitor the activity of this malware. The DDoS attack engines mostly use WinSock2-based HTTP floods. Few of them use slow HTTP attacks, where the GET request is broken into several small packets.
Most of this malware attacks Chinese websites (64%) or US ones (27%). For example, darkshell is dedicated to attacking Chinese manufacturers in industrial food processing. Also, the authors seem to share their code with other DDoS writers (which does not happen with Russian DDoS authors, who tend to keep their code private).
-- the Crypto Girl