Welcome to the VB2021 conference!

The keksec’s botnets we observed in the past year

Ye Jin (Qihoo 360) & Lingming Tu (Qihoo 360)
partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity

https://ti.qianxin.com/marketing/vb2021/

QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

VirusTotal: Actionable crowdsourced threat intelligence

https://www.virustotal.com/

Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

Ransomware prevention starts with zero

https://www.zscaler.com/solutions/security-transformation/ransomware-protection

Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

Amazon Information Security - come build the future with us!

https://www.amazon.jobs/en-gb/team/infosec

Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

Looking for performance validation for your product?

https://www.virusbulletin.com/testing/

Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

partner message

We don’t just talk about sharing. We do it every day.

https://www.cyberthreatalliance.org/about-cta

Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

Stay ahead of threats with VirusTotal

https://www.virustotal.com/

Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Threat Intelligence and Cyber Resilience

https://vblocalhost.com/programme/#TIPS

Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

Calling all Hackers!

https://www.ise.io/careers/#op-470256-hacker-midseniorprincipal

We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions

https://www.farsightsecurity.com/get-started-guide/

DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?

https://talosintelligence.com/careers

At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

IoT security begins with your Smart TV

https://chomar.link/smarttv

CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

F5 helps find malware hiding in plain sight

https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encrypted

Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

We have seen a rapid proliferation of Linux malware/botnets in recent years. While it's not uncommon at all to find that many of them were actually created by script kiddies with easily obtained malware kits (e.g. Mirai and Gafgyt source code), over 50% of them, according to our data, were from a relatively small number of professional actors who have persistence in operating Linux botnets. Compared with script kiddies, they usually have more resources and are more skilful, thus worthy of more attention.

The keksec group is one such threat actor. It became known for building the Necro/Freakout botnet early this year. Further digging shows that it has a long history of running DDoS botnets, with the first one traced back to 2016. It’s interesting that the keksec group was very open in showing off their attacking activities. For example, they used to publicize their invasion of a public billboard on social media. They also created an open directory in pastebin.com to hold their source and attack tools. As a result, the open information has helped us summarize the high-profile group as follows:
  1. keksec group was created in 2016 by a few experienced botnet actors.

  2. They preferred DDoS and miner types of botnets.

  3. They had a rich set of popular botnet kits targeting both Windows and Linux machines.

For unknown reasons, the group kept silent for a period of time in 2020. Our data shows that their hacking activities were not resumed until August 2020. Nearly 20 botnet campaigns have been detected by us after that time. Detailed studies have been carried on the collected data in terms of samples, exploits and C2 servers. With the help of passive DNS some interesting results were obtained, which make us believe that it is possible to depict the big picture of keksec botnets since August 2020. We think the analysis will help to better detect and mitigate against future botnet threats from keksec.

Some preliminary findings (more details to be added later):

  • Whether keksec attacked both Linux and Windows machines. What vulnerabilities were exploited.

  • How 1-day exploits were used by keksec.

  • What botnet families have been built by keksec.

  • Whether keksec reused code instead of writing from scratch.

  • How IRC protocol was reused across different botnet families and variants.

  • What patterns exist in keksec sample delivering and updating.

  • How DGA and Tor mechanisms were used to hide the real C2s.

  • What set of C2 infrastructure was owned by this group.


Got a question about this presentation? To get in touch with the speakers, contact Ye Jin on Twitter at @SethKingHi.
Ye Jin
Qihoo 360

Ye Jin is a senior botnet researcher from 360netlab. His main job is to analyse and track botnet malware and develop lightweight simulation technology to extract IoC information. He has eight years of experience in malware reverse analysis. Before that, he was a virus analysis engineer in Kaspersky's Anti-Virus Lab. He participated in the XCon 2020 conference .

Lingming Tu
Qihoo 360

Lingming Tu used to work at KingSoft and Kaspersky as a malware analyst and kernel developer. Now he is a botnet researcher at 360netlab. His work is mainly focused on malware reverse engineering and botnet tracking, with a focus on IoT botnets. In the past years, he has done a lot of research on classic Linux botnets, including Elknot, Gafgyt, Dofloo, and Mirai. During this period, he also discovered some new botnets, including Ngioweb (Linux version), Godlua, Mozi, Moobot, Fbot, Zhtrap, Matryosh and Bigviktor.