Wednesday 30 September 14:00 - 14:30, Red room
Ya Liu (Qihoo 360)
In recent years we have seen a proliferation of IoT botnets. Our data shows that Gafgyt (also known as BASHLITE and Qbot) has always been in the top three most active families in the game, with hundreds of thousands of Gafgyt samples collected and tens of hundreds of variants concluded. While that proliferation could mainly be explained by the abundance of vulnerable IoT devices and by the fact that Gafgyt code was leaked as early as 2014, it has also been driven a lot by the leaked Mirai code, as Mirai code can be detected in more and more Gafgyt variants. That code combination deepens the problem of family identification and following up botnet tracking.
On the other side, Gafgyt botnets tend to be short lived, with most of our tracked botnets observed to be active for only a few days. To fight this type of fast-emerging while short-lived botnets, quick IoC extraction would play a very important role for later mitigation and tracking. Early Gafgyt variants usually store their IoCs (including C2 and register message) in plain text strings, thus IoCs could easily be extracted. However, things changed in later variants with C2s binary encoded and register messages updated in terms of format and content. While a sandbox could be used to handle those new variants, it faces the issues of evasion, longer runtime, and security risks caused by the scanning of capable Gafgyt variants. To overcome those issues, we came up with the idea of extracting IoCs with lightweight emulation, which has been used in malicious code detection for a long time. The final solution was verified to be effective with our data. While benefitting from the advantages of dynamic analysis, it has a shorter execution time with most samples able to be handled in a few seconds. Furthermore, since only the relevant code was emulated, the security risks caused by scanning capable variants could be totally removed.
In this paper I will introduce our solution and discuss the following aspects:
Ya Liu has been working on botnet detection and tracking for over 10 years. Now he is a botnet researcher at netlab.360.com. Ya's work is mainly on malware reverse engineering and botnet tracking, with a focus on IoT botnets. In the past years, he has researched a lot on popular Linux botnets, including XOR.DDOS, Elknot, Mayday, Gafgyt, Dofloo and Mirai. Before that, he developed high-interaction honeypot software and reverse engineered Windows malware.