Botnets are everywhere and play a crucial part in the kill chain of modern cyber attacks. The first publicly recorded botnet, the “EarthLink Spammer,” dates back to 2000 and was built for spam by Khan K. Smith. It delivered phishing spam in the hope of collecting credit card details. Smith was caught and sued for $25 million, having earned only about $3 million from the operation.
One of the largest botnets publicly revealed was the Russian Bredolab botnet, with an estimated 30 million bots (infected victims). It spread through malicious emails carrying malware attachments that infected the computer when opened, turning that machine into another zombie under the botnet's control. At its peak it could send 3.6 billion infected emails a day. Its other propagation method was drive-by downloads, which exploit vulnerabilities in the victim's software (typically the browser) so that the payload is fetched and executed without any user action and without the user being aware of it.
Passion
Malware attacks and the botnets behind this massive illegal industry drain our pockets and even take our lives. These criminal organizations have rules and secrets they don't want revealed. They like to infect, hack and control victims without getting caught by law enforcement. Endpoint security is not enough to prevent zero-day malware attacks, so research has been focusing on their command and control centers. In 2013, I started to bust advanced botnets to see how they operate and what they steal from victims. This quickly became my passion, with the hope that we can provide in-depth intelligence to the cyber security community. With this aim, I managed to bust over 20 unique C&C/botnet servers and reveal their dirty secrets.
Presentation outline
In this presentation, we will reveal well-known, since-neutralized botnets from the inside and the outside, with the source code, files, and logic behind these criminal operations. By walking through these busted C&C servers, we will see how seriously the operators take this illegal business, and we will have a chance to peek inside them.
- Inside Cryptolocker C&C server
- Revealing Unique MitB Builder C&C Server
- NAS Botnet Revealed
- Kins-based malware acting like a real e-banking web app
- Is two-factor authentication enough to protect your money?
Takeaway!
Botnets whose C&C traffic is unencrypted can be detected by network security solutions such as an IDS or NGFW. Today's botnets are more sophisticated: they tunnel their C&C over legitimate encrypted services such as Twitter or Dropbox, so the traffic blends in with normal use of those services, and they defeat SSL/TLS offloading (interception) by having the payload itself pin the expected certificate, so the substitute certificate presented by an inspecting proxy is rejected and the bot simply refuses to talk. This leaves traditional network security solutions blind unless they can analyse the encrypted flows themselves, for example with AI/ML-based traffic analysis.
With AIONIQ, Gatewatcher can process and detect DGA-based unknown C&C traffic within encrypted traffic using AI and supervised ML. AIONIQ is a recent network detection and response (NDR) platform that can confidently identify malicious actions and suspicious behavior by mapping all assets on the network. Combining this capability with its analysis of encrypted network flows, AIONIQ provides a 360-degree view of the cyber risk associated with each connection between assets and users, for a high level of detection and visibility.
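To make the "DGA-based unknown C&C" point concrete, here is an added example (it is not Gatewatcher's or AIONIQ's code, and it is a rule-based stand-in for the supervised model the text refers to). It scores the registrable label of each domain name with lexical features a DGA classifier would also consume: length, Shannon entropy, digit ratio, vowel ratio and longest consonant run. The point to note is where the names come from: even when the C&C channel is encrypted and pinned, the domain still appears in the bot's DNS query or in the cleartext SNI of the TLS ClientHello, which is what a network sensor actually sees. The log lines, hostnames, thresholds and weights below are constructed for illustration.

```python
"""Heuristic DGA scoring of domain names seen in DNS queries or TLS SNI.

Added example, not vendor code: a rule-based approximation of the
features a supervised DGA classifier would use.  Sample records and
thresholds are constructed for illustration only.
"""
import math
import re
from collections import Counter

# Constructed sample records: "<timestamp> <source host> <observed domain>".
# In practice these come from DNS query logs or from the SNI field of the
# TLS ClientHello, both of which stay visible when the C&C payload is encrypted.
SAMPLE_LOG = """\
2023-06-01T09:12:01Z host-a dropbox.com
2023-06-01T09:12:05Z host-a api.twitter.com
2023-06-01T09:13:10Z host-b xk3j9fq2lmzpvt.net
2023-06-01T09:13:11Z host-b qwzxvbnpkjhgfd.biz
2023-06-01T09:13:12Z host-b 7g4k2m9x1c5v8b.info
2023-06-01T09:14:00Z host-c mail.example.org
"""

# Minimal public-suffix handling so "bbc.co.uk" scores "bbc", not "co".
SECOND_LEVEL_TLDS = {"co", "com", "org", "net", "ac", "gov"}

CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Return the label the registrant chose (the part a DGA generates)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_TLDS:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(label: str) -> dict:
    """Lexical features commonly fed to DGA classifiers."""
    n = len(label)
    runs = [len(m) for m in CONSONANT_RUN.findall(label)]
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
        "consonant_run": max(runs, default=0),
    }


def dga_score(label: str) -> int:
    """Count how many 'looks machine-generated' indicators fire (0..5).

    Thresholds are illustrative; a deployed model learns them from
    labelled benign and DGA domains instead of hard-coding them.
    """
    f = dga_features(label)
    score = 0
    score += f["length"] >= 12          # long labels
    score += f["entropy"] >= 3.3        # near-uniform character use
    score += f["digit_ratio"] >= 0.2    # digits mixed into the name
    score += f["vowel_ratio"] <= 0.15   # unpronounceable
    score += f["consonant_run"] >= 5    # e.g. "lmzpvt"
    return int(score)


def flag_suspicious(log_text: str, threshold: int = 3) -> list:
    """Return (host, domain, score) for records at or above the threshold."""
    hits = []
    for line in log_text.splitlines():
        _ts, host, domain = line.split()
        score = dga_score(registrable_label(domain))
        if score >= threshold:
            hits.append((host, domain, score))
    return hits


if __name__ == "__main__":
    for host, domain, score in flag_suspicious(SAMPLE_LOG):
        print(f"{host} -> {domain} (score {score})")
```

On the constructed sample this flags only host-b, whose three lookups are both random-looking and bunched in time; a single random label is weak evidence, since CDN and cloud hostnames often carry hash-like labels, so a production detector combines the lexical score with context such as NXDOMAIN bursts, many distinct labels per host, and an allowlist of known services.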

Another capability of AIONIQ that sets it apart from competing NDR solutions is the integrated sandbox module, AIONBYTES, which helps detect unknown malware samples that hide their botnet traffic inside legitimate domains and services such as Dropbox, Twitter, Slack and Tor. This lets us link a malware sample (by its SHA-256) to the domain or IP address that is carrying its botnet traffic.

LastInfoSec is the latest addition to the Gatewatcher detection framework. This CTI platform pushes real-time cyber threat intelligence so that our customers are alerted to threats emerging around the world.

Author: Senad ARUC