The smallest element in a botnet is a bot. The behavior of a bot can change dynamically based on the decision of the botmaster. Botnets are driven by profit, consequently, bots are expected to be profitable. If goals are not as expected, the bots can be instructed to switch their behavior to serve a better purpose. The aim of this talk is to present a detailed analysis of a network traffic capture of a machine originally infected by a Gamarue variant. The analysis will uncover the behavior of the bot since the initial infection, inactivity period, delivery of new payloads and the following switch of behavior of the bot. Additionally, we will present details on a barely known new botnet capable of performing horizontal brute-forcing of WordPress-based websites.

1. Insights of a brute-forcing botnet
Veronica Valeros
Cognitive Threat Analytics
Cisco Systems, Czech Republic

2. About me
Malware Researcher
Cognitive Threat Analytics (cognitive.cisco.com)
What I do?
• Analysis of network traffic
• Behavioral analysis of malware
• Threat categorization
• Malware sandboxing
Also:
• Quadcopters, lockpicking, gaming, traveling
Twi$er: @verovaleros
LinkedIn: /in/veronicavalerossaracho
Github: /verovaleros
Cisco: blogs.cisco.com/author/valeros

3. Hunting threats:
what do we know about malware?

4. Intelligence
gathering
Threat
identification
Blogs
reports
trackers
Real traffic
sandboxing
twi$er
forums

5. Most of what we know about malware
is from 1-5 minutes sandbox executions
Most sandbox solutions
(1-5 minutes)

6. How does the malware behave after 5
minutes? After 1 hour?

7. There is just one way to know:
to try it.

8. Experiment Setup
Gamarue sample
Sanboxing environment:
• VirtualBox
• WindowsXP
• No guest additions
• No user interaction
• No hardening measures for
VM-aware malware

9. Infection Overview

10. Gamarue C&C
CharacterisEcs:
• HTTP Based C&C
• HTTP POST requests
• Encrypted data sent/received
• Custom User-Agent “Mozilla/4.0”
• Contacted C&C servers:
• okiijlijlili.eu
• w4gvnlw4kjbvrbvshkvbsd.ru
• f34234f234f2sdcsv.info

11. The main C&C is the one in charge of
shaping the infection scenario

12. The main C&C is the one in charge of
shaping the infection scenario
X
X
X
X
X
X
X
X
X
X
X
X
X = no change on the behavior of the botnet
New malware
9583ad7f17aa0d63a48aac802d08a7e

13. Brute-forcing botnet behavior
1. Obtain a list of target WordPress sites to
attempt to login from the C&C server.
2. Attempt to login to the next site on the list
with chosen credentials in order to gain
access.
3. If the login attempt was successful, report it
to the C&C server.
4. If the login attempt was unsuccessful,
iterate from step 2) until exhausting the
targets.

14. Brute-forcing C&C requests
(1) REPORT STATUS
http://g.commandocenter.ru/default.aspx ?guid=dca94d1f-
f7eb-487f-ad24- 923cd1b4f946&gate=1&good=-
1&bad=0&unlucky=1&ip=&fn=
(2) RETRIEVE TARGETS
http://g.commandocenter.ru/files/2/9d753bd0-33a5-
46ac-841d-f99d9ace3446.txt
(3) SEND SUCCESS DATA
http://g.commandocenter.ru/col.aspx ?t=wp b&g=1&gid=1

15. Brute-forcing C&C: report status

16. Brute-forcing C&C: retrieve targets

17. Brute-forcing C&C: send successful data

18. Brute-forcing C&C overview
REPORT STATUS RETRIEVE TARGETS SEND SUCCESS DATA

19. +86k custom passwords used
techno
sciento
biblioteka
wroclaw
media
momb
biblioteca
teens
cafe
benessere
playground
helena
guide
mullion-shop
albers-wende
svenska-spelautomater
survivalb
raumklimadecke
dana
capavle
bondage
bibliotheque
modeistanbul
virgulina
svenskaspelautomater
stephanierhea
ravenna
playgroundmusic
pierrederoche
pierre
svet
guidedtherapy
galaktika
enflick
dajuroka
teentalk
charlesmyrick
businesscoaching
business
advertising
advertise
zorgverzekering
xmarkstheearth
xlgirls
williampopp
williammillsagency
teens-generation
tausend-moeglichkeiten
sverigemastareiseo2011
surveyquest
socialanna
sochy-14
shawnewbank
shawkeller
scienceofsexy
rgb
rautenstrauch
playguitar
ohiohypnosiscenter
modedesign-studium
mode-estah
mode-b
modculture
merkur
mediacube
mediaclipsaustralia
mediabiz-group
marihuana

20. Highly aggressive botnet: thousands of
targets attempted per day

21. +160k attempted logins
23 success cases

22. 1 bot
Every 7000 sites, 1 success
1 access every ~3.5 hours
6 accessed sites per day

23. Not a targeted attack: well distributed

24. Conclusions
• Running malware for long term periods is
worth trying.
• Realistic sandbox environment is vital:
without internet access we wouldn’t
discovered this behavior.
• The weakest link in security are still
humans.
• Education is the only long term solution.

25. Questions?
Veronica Valeros
vvaleros@cisco.com
Cognitive Threat Analytics
Cisco Systems, Czech Republic

26. Thank you.

27. Cisco Cognitive Threat Analytics (CTA) is a cloud-based breach detection and analytics
technology focused on discovering novel and emerging threats by identifying C&C
activity of malware. CTA processes web access logs from the Cisco Cloud Web Security
(CWS), Cisco Web Security Appliance (WSA), or 3rd party web proxies such as Blue
Coat ProxySG. CTA reduces time to discovery (TTD) of threats operating inside the
network. It addresses gaps in perimeter-based defenses by identifying the symptoms of
a malware infection or data breach using behavioral analysis and anomaly detection. The
technology relies on advanced statistical modeling and machine learning to
independently identify new threats, while constantly learning from what it sees and
adapting over time. Through additional careful correlation, CTA presents 100%
confirmed breaches to keep security teams focused on the particular devices that
require a remediation. Focusing on C&C activity detection, CTA addresses a security
visibility gap by discovering threats that may have entirely bypassed web as an infection
vector (infections delivered through email, infected USB stick, BYOD).
About Cisco Cognitive Threat Analytics