Botconf 2018 has ended
Wednesday, December 5 • 16:40 - 17:20
Collecting Malicious Particles from Neutrino Botnets

Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013 and has been actively developed ever since, reaching version 5.4 at the very beginning of 2018. From its early days, when the bot's commands were focused on various DDoS attacks, it has evolved into something quite different. In its current form it can remotely execute commands and files, scan the infected system, and both modify and monitor network traffic, while keeping some of the old tricks as well.
In the talk, we would like to look at different versions of the bot and their specifics and describe the changes that have been made. We will also explain its current functionality and its transition into a fully functional banking trojan.
The malware is affordable and relatively cheap, which leads to many independent actors operating their botnets in very different ways. As a result, it is much more interesting to learn what each group leverages the bot for rather than tracking it as a whole.
Identifying similar configurations is not always easy, but there are several ways to do so. We want to demonstrate methods for detecting which samples belong together in order to identify distinct botnets. We will show the botnets that have been discovered during the last year, what is typical for them, how they use the bot and what they have delivered through it. We will also lighten the mood with several examples of situations in which operators failed to execute their malicious activities properly because of a wrong configuration or harmless webinjects.
No centralized distribution method is offered, which means every botnet operator has to distribute the bot on their own. The discovered methods include malvertising, trojanized installers and the Ammyy supply chain attack.



Speakers
Jakub Souček

Malware Analyst, ESET
Jakub Souček has worked at ESET as a malware analyst since 2015. He specializes in deep analysis of malware and botnet activity tracking. In his free time, he likes to play games, watch movies or listen to some good old music.
Jakub Tomanek

Malware analyst, ESET
Jakub Tomanek is a malware analyst at ESET. He has no conference experience so far. His work consists of analyzing recent malicious samples and monitoring their activity. In his free time, he enjoys playing the violin and riding a bike.


Wednesday December 5, 2018 16:40 - 17:20 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France