Thursday 6 October 10:00 - 10:30, Red room
Jarosław Jedynak (CERT Poland)
Maciej Kotowicz (CERT Poland)
Over the course of the last few months, we have observed a new Nymaim campaign, on a larger scale than usual. According to other researchers, Nymaim has caused over 2.8 million infections recently. More than 270 Polish banks have been targeted (many of which are our customers). They haven’t been particularly happy about their customers being robbed, so we have had to do something.
In this talk, we will describe our findings. We will discuss Nymaim's technical details – in particular, we will cover:
During our analysis, we focused mainly on the network protocol. We have observed typical P2P botnet behaviour – as far as we know, this is something that hasn't been described publicly before. We will describe the obfuscation and encryption methods used in communication and the various internal resource formats, and we will highlight a few peculiar similarities to Gozi ISFB. We will also share snippets and tools we created – a packet dissector and a DGA implementation.
We will conclude by presenting the main result of this research – our Nymaim tracker, written in Python. We are currently crawling through the Nymaim botnet, scraping IPs and downloading everything we can. We are able to automatically download new configs, binaries and web injects from C&Cs and peers as soon as they are released.
Jarosław Jedynak is a security engineer working at CERT Polska. His research interests focus on malware and botnets, especially P2P ones. In his free time, he is a passionate CTF player.
Maciej Kotowicz is Principal Botnet Pwner at CERT.pl with a special interest in reverse engineering and exploit development, as well as automation of both. Occasional speaker. In his free time he likes to drink beer and play CTFs, in no particular order.