Lightweight emulation based IoC extraction for Gafgyt botnets

Wednesday 30 September 14:00 - 14:30, Red room

Ya Liu (Qihoo 360)

In recent years we have seen a proliferation of IoT botnets. Our data shows that Gafgyt (also known as BASHLITE and Qbot) has consistently been among the three most active families, with hundreds of thousands of Gafgyt samples collected and thousands of variants identified. While that proliferation can mainly be explained by the abundance of vulnerable IoT devices and by the fact that the Gafgyt source code was leaked as early as 2014, it has also been driven substantially by the leaked Mirai code, as Mirai code can be found in more and more Gafgyt variants. That mixing of code bases complicates family identification and the botnet tracking that depends on it.

On the other hand, Gafgyt botnets tend to be short-lived, with most of our tracked botnets observed to be active for only a few days. To fight fast-emerging but short-lived botnets of this kind, quick IoC extraction plays a very important role in later mitigation and tracking. Early Gafgyt variants usually store their IoCs (including the C2 address and the registration message sent to it) in plaintext strings, so the IoCs can easily be extracted statically. That changed in later variants, which store the C2 in binary-encoded form and have altered the format and content of the registration message. A sandbox could be used to handle those new variants, but it faces evasion, longer runtimes, and the security risk posed by scanning-capable Gafgyt variants, which attack other hosts as soon as they run. To overcome those issues, we extract IoCs with lightweight emulation (LWE), a technique that has long been used in malicious code detection. The resulting solution was verified to be effective on our data. While retaining the advantages of dynamic analysis, it has a much shorter execution time, with most samples handled in a few seconds. Furthermore, since only the relevant code is emulated, the security risk posed by scanning-capable variants is removed entirely.

In this paper I will introduce our solution and discuss the following aspects:

  • How can Gafgyt be effectively distinguished from Mirai, and which Mirai code is most frequently reused in Gafgyt variants?
  • What fixed patterns, both static and dynamic, of IoC operations can be derived from thousands of Gafgyt variants?
  • How does LWE-based IoC extraction work, and what are the general solutions for common issues such as foreign function dependence?
  • Can the techniques learned on Gafgyt be generalized to other botnet families?



Ya Liu

Ya Liu has been working on botnet detection and tracking for over 10 years. He is now a botnet researcher at Qihoo 360. His work is mainly on malware reverse engineering and botnet tracking, with a focus on IoT botnets. In past years he has researched many popular Linux botnets, including XOR.DDOS, Elknot, Mayday, Gafgyt, Dofloo and Mirai. Before that, he developed high-interaction honeypot software and reverse engineered Windows malware.

