Are attackers using automation more efficiently than defenders?


Presented at CSAWthreads 2014 by

Operation Windigo is a large server-side malware campaign that targets Unix systems (BSD, Linux, OS X, etc.). Its actors operate more than 25,000 compromised servers. Every day, they use this infrastructure to redirect more than 500,000 Internet users to malicious content and to send millions of spam messages. The malicious actors run their infrastructure on an unreliable network of compromised hosts running a wide range of operating systems. Nonetheless, they manage to maintain a stable operation, used both to deliver malicious content and to expand their network. Throughout our investigation of Operation Windigo, we discovered highly automated tactics, ranging from the deployment phase to monitoring. This allows the operators of this botnet to spawn new backend services and to assess the status of their network efficiently. In this talk, we will describe in detail a number of ingenious techniques used by the malware operators, how they evade most detection techniques, and how they evolved over time. We will then detail the tools and tactics we used to track the entire operation and to spy on the malicious actors' activities. Finally, we will discuss the defensive mechanisms that system administrators can use to defend against such threats, and what could (or could not) be automated.

Marc-Etienne has been a malware researcher at ESET since 2012. He specializes in malware attacks on unusual platforms, whether it's fruity hardware or software from south pole birds. Lately, Marc-Etienne has mostly been reverse engineering server-side malware. He enjoys participating in CTF competitions like a partying gentleman and playing the clarinet.