
GF - Don't Bring Me Down: Are You Ready for Weaponized Botnets? - Cheryl Biswas

BSides Las Vegas · 52:59 · 47 views · Published 2018-09
About this talk
Don't Bring Me Down: Are You Ready for Weaponized Botnets? - Cheryl Biswas, Ground Floor, BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018

Transcript [en]

Hi everybody, thank you very much for putting up with the technical setup, and thanks to the crew here for getting me set up, I really appreciate it. Okay, so who here loves a really good scary story, one that's even, yeah, with sci-fi, maybe King, Lovecraft and Poe together? Yeah, exactly. And you know when something seemingly insignificant happens but it's actually a foreshadowing of doom, because that's how they always begin, right? There was a router, but unbeknownst to this hapless device, the firmware embedded within it was infected. Okay, so quick introduction: I'm Cheryl Biswas, I go by 3ncr1pt3d on Twitter, I'm from Canada and you're all welcome anytime. I work as a strategic threat intel analyst, I like saying it that way,

with a bank. I have a degree in political science, as you can see I'm interested in a few things, and I am very excited to be part of the Diana Initiative happening this Thursday and Friday, and so very proud of our team and the work that we are doing. Okay, so this of course is the obligatory disclaimer: these are my views, my views alone, not those of my employer, past or present. So let's talk about the evolution of evil. Yes, there are many good stories to be told. We'll question our choices around IoT, we'll find out who's out there, someone's knocking at the door, someone's ringing the bell, we'll take a quick look at the

monetization and then a deeper look perhaps at the money trail, and then we're going to play a little game of what if. Okay, I wrote a little ditty about this, but botnets have been steadily evolving, particularly noticeably since the beginning of 2018, there was no question. So what we need to do is to work with the blue team in order to help them understand better what needs to be defended, and with the red team to help them understand what the attackers are leveraging, to shore up those defenses. And my goal here today is to share with you what I've been seeing, what makes me scared and afraid to fall asleep at night, and maybe to help you go

back and revisit and review your systems and see what it is you might be missing, because something wicked this way comes. So let's get started, shall we? When I think of botnets, and I think when all of us think of botnets, it's more in terms of an outage, an inconvenience, a nuisance factor, am I right? It used to be, generally, it was a temporary issue, something that we could recover from. I'm gonna leave that thought with you. All right, so back to February of this year. I wish I had candy, because I would offer it to you. Who here can tell me what happened in February of this year? It was big. Who here uses GitHub? A very bad

thing happened to GitHub in February. It happened at the size of 1.35 terabytes per second. It was a freaky awesome DDoS outage, that's a distributed denial-of-service, that is a botnet attack of epic frickin' proportions, and we had never seen that. That was twice the size of the Mirai outage, and there wasn't just the one, on the heels of that first one there was a second one. Now it happened to target a particular group of servers, these were memcached servers. I'm going to guess that most people may not know what memcached is, am I right? Would you let me just give you a quick explanation? Okay, I had to learn this one at the time as well, so

basically "mem" means memory. Memcache was something, it's the setup on these servers to enable them to respond more quickly, so it's caching. The problem with this was that, well, I'm gonna move to the next slide, the problem with the memcache servers was a configuration issue. And my job in threat intel is to be following the trends and seeing all the things that happen on a daily basis. I read a lot of Twitter, I read a lot of news, so I see a lot of things and then I get to connect the dots. I'm weird and I find it fascinating, and then I make a report every day to tell people who don't find

it quite so fascinating. However, there have been some major misconfigurations, and that has been at the heart of some pretty bad attacks. I would call that a trend, and a trend that we have control over. This is something that we can, yes, mitigate, but more importantly address and prevent up front, something we need to be aware of, along the lines of default passwords being left on servers that are being exposed to the Internet, or that should not even be on the Internet. Case in point, MongoDB and CouchDB, which got massively pwned by ransomware not so long ago. Hard lessons learned. If you do a Shodan search, they're still out there. So are a freaking lot of these

memcache servers, and they are out there too, and they're not supposed to be internet-facing. How did that happen? So we are in 2018 and we have discovered the meaning of volumetric attacks: the bigger the better, this is bang for your buck. And my concern is it's not just about an outage, and it's not just "oh, it's a bunch of stupid servers that got left open." I have to take it to the next level, I have to play the what-if game, and I have to say, so what if somebody wanted to bring somebody down in a very bad way? You find a group of these servers, you go after them, and you have the eastern seaboard

go down for a good hour, half a day, possibly more. Let me remind you that we are an e-commerce driven society and we feel the pain in terms of dollars. This is a very real attack, this is hard impact. So in the terms of those memcache servers, instead of boosting performance, it enabled the attackers to hit at an impact of 51,000 times. The spike was, as I showed you, ridiculous, it was off the charts. That's not the only time that's going to happen. The people who are tracking this, watching this, the security researchers who know a hell of a lot more even than I ever will, are very concerned about this because they know this can happen again

and, worse, they know that it's not just cyber criminals who are looking to monetize it, potentially sell it on the dark web, and part of my job is going down there and taking a look at what's being bought and sold. It's nation-states, and it's the games that nation-states love to play. When something like this gets weaponized at that level, well, we all know what happens with Shadow Brokers, right? Yeah.

Pretty much everybody here should know what the CIA triangle is, right? Confidentiality, integrity, availability. It all matters equivalently. In the case of a denial of service attack you're losing your availability, and you know uptime is everything in business, that's profit and loss right there, especially when you're talking in terms of internet and e-commerce and losing transactions and losing customers, very, very big. So the destruction of your network by a massive DDoS attack, or the destruction of availability, is significant. My question though is, what if you were able to leverage those botnets to come after the other two sides? What if something's messing around with the integrity of your data, and I'm talking financial data? You do not want

there to be an issue with financial records, not ever, that's why they run those things pretty much on mainframes. But if you found a way, and I know people who know how to do this, to get in and breach those systems leveraging a botnet, we have a big problem. Or what about confidentiality? That may not necessarily seem like an issue right now, but that's your data, your information about you, and you do not want that out in the open for everybody because you got breached by a botnet. And that, well, I'm gonna just point the finger right back at Equifax, and we'll talk a little bit about the Apache thing, Apache Struts, anybody? There's a lot that can go wrong

here. There's a cable that connects Europe to the United States under the ocean. If that had to suffer a hit of 1.35 terabytes per second it would shut right down, it would be like putting gum in there, and then you'd have a big issue. We can't really weather that kind of an outage, there'd be a lot of cost. Oh yes, imagine a zombie apocalypse of crockpots. Welcome to the hell that is IoT, right? Oh my god, yes, but it's true, this is our world now, and default passwords are de rigueur, right? Embedded system vulnerabilities, the firmware, it's everywhere, and you can't fix this. You sure can't ask your neighbor next door

to go online and download the new firmware patch, ha ha, you've tried? Bad, oh my god, I'd rather pull my hair out. I'm sorry, no. And interestingly enough, for a disposable society, people don't throw these damn things out. People hold onto routers and use them for five years. That is why there are unpatched routers: D-Link and TP-Link and, I only learned how to say this yesterday, Huawei, don't you know, and a whole host of other wonderful things that people bring into their homes to get better signal strength and connect to the internet. All of these are unpatched, and they got them from their friend or they got them from their sister or they got them from somebody, and these are four and five

years old and hopelessly out of date and hopelessly insecure. But wait, there's more. We have not factored in the number of devices that are exploding in our developing nations, right? We're not just thinking of the Western world and North America and Europe, we ought to think of the whole world, everybody is in on the action here. Botnets are no longer an inconvenience and something that script kiddies played with at Christmas time when they were being the Grinch and they were knocking down Xboxes and PlayStations. We are so far past that point, but I am afraid that in many people's minds they're still seeing it as "oh, it's, you know, it's a DDoS, it's

a denial of service attack, it's really, it's a pain, but it's not that bad." No, no, no, I'm telling you today, I mean it is that bad, and I'm hoping I can show you why, because these have become one more weapon in what I consider to be a digital arsenal for the games that nation-states play, where there are no referees and there are no rule books. I thought these were a couple of very well chosen quotations about just what we're looking at. These are people who are significantly concerned about what we face, and we have experienced the impact of DDoS attacks that are a hundred million to a million strong in terms of devices. Just

think about it for a minute: how do you harness a million connected devices? That's staggering, but that's now become the new normal for us. We live in a society where it's consumer driven, everything needs to connect, the manufacturers are only too happy to comply, that is dollars in their pockets, and the race to the finish line leaves security so far behind it's not even an afterthought. What do we do? To be regulated? We can't regulate it. Who wants to be a regulator, put your hands up? I don't think so, no. These devices are essentially unmanaged. Like I said, they're old, they're unpatched and they're still in use, and how in God's name are we going to track all of

them? They're in every house, there's three or four of them or five of them. So what we're seeing is a playground, a playground for criminals and attackers to take advantage of what we are not able to secure, not willing to acknowledge, not prepared to deal with. The Mirai botnet, let loose, unleashed an avalanche of insecurity and threat that we're just now beginning to realize we have, and I'm going to present to you a group of them, botnets, one of which is Wicked, which leverages the Mirai code to a whole new level and is layer upon layer of botnets, it's not just one. And we have given the attackers the tools and the freedom to be able to create new threats that we're

not anticipating and therefore really not prepared for. We talked about ransomware evolving and then becoming modular, it's sold, it's ransomware as a service. I can tell you for a fact botnets are the same, I've gone digging and probing, yes, they are monetized to the hilt, they are available for service, and it is at the lowest common denominator for people to get in and use them. You do not want this. If you're on Twitter, somebody that I like to follow is Bob Rudis, he goes by hrbrmstr (Harbormaster), and he is a data scientist, works with Rapid7, tracks things like crazy and shows some fascinating findings. He's also, for me anyway, a canary in the coal mine, a threat, he does show some

things as they are coming up and says "listen people, get off your asses, pay attention." So I'm suggesting him, calling him out now as a good source to be following. All right, let's see who's out there, shall we? So do you remember where you were in October of 2016? Who here remembers how they were impacted by Mirai? Were you using Facebook, or trying to, maybe Twitter, or trying to, maybe Amazon, eBay, trying to send an email? "Wait, Mom, the Internet's down." I heard that one. It's injured, it's broken, it's broken, the internet is broken. And actually it really was. There were a whole lot of people all of a sudden saying "the Internet's broken," because it didn't come

back, and the whole eastern seaboard was down for a prolonged period of time. That was a watershed moment. We had three waves of attacks, I remember following this because it was unprecedented and it was all over, and when I got my internet back up, and I'm in Canada, we were briefly impacted as well. Dyn has a lot of email accounts with it, some of them under Rogers. There were a hundred thousand malicious endpoints identified in this series of attacks, and then it came in at a strength of 1.2 terabytes per second. This was noteworthy: as they tried to mitigate the attack, the attackers were able to respond and react. Are we prepared for something like this

when they come at us at a much higher level? That is something I want to hammer home. It isn't just about an ordinary attack, it's when they really know. And I'm sorry, I'm a huge fan of Die Hard, fire sales and big fat scary nation-state problems, but they happen, and I'd much rather we were prepared for it now than trying to figure out what to do with it during. I present to you botnets as weapons. Only this was Mirai, but could you imagine if this happened tomorrow and it looked like this all at once? We can't talk to each other, we can't coordinate a response, businesses, massive businesses that really aren't designed to suffer lengthy outages but believe

they are, because that's what a DDoS attack like this portends. I have sat in on sessions trying to show people disaster recovery and business continuity rationale, to explain to them why you don't just have a once-a-year "let's all get in the boardroom, let's have donuts and let's make sure that you've got the call tree and we're all gonna meet at this place, and is that barbecue on for Saturday, Bob? Yeah, okay, great." No, I want to talk about where we sit down and we actually have a playbook, and we don't just dust it off once a year but we update it on a regular basis, because we use the damn thing. We use the

damn thing because things will go wrong, and this is one of the things that will go wrong that will really mess us up. If you've got a playbook and you have a disaster recovery and a business continuity plan in place and you're actively using it, that is preparation. I'm preaching it. I present to you the wall of fame. A lot of these are from this year alone, and I'm going to show you the ones that I think have the most impact and damage, the ones that we need to be learning from, what they're carrying forward. Hide and Seek botnet: there's a red word there, persistence. This was a game changer, because up until this point you could

flush botnet malware out of your system by resetting things. Have you unplugged it, plugged it back in again? It's a great solution, or it was anyway, for things like botnet malware. Heck, even with VPNFilter, did we all not get that notice from the FBI to please power off and power on our routers? Only it doesn't work with this particular botnet. This one figured out how to achieve persistence, so when you power it back up it's there, it comes back, the cat came back the very next day. That, my friends, is a weapon. Now, Hide and Seek botnet had a few other really clever tricks up its sleeve, persistence was just one of them, but it

represented to me the evolution of botnets in terms of offering attackers more than just the chance to monetize or drop crypto miners. In the right hands these could be used in a very bad way in a very targeted attack. It was complex and it was decentralized, it had anti-tampering built into it so you couldn't easily take it back down. What was also interesting about Hide and Seek was it appeared first in January, but then it came back new and improved in May with the ability for persistence. Ah, but then it came back in June, only this time, and this is what I think is important, it could go after database servers. It's not just going after the usual

run-of-the-mill IoT stuff, right? If you are an enterprise and you have servers, and you do, you need to worry about stuff like this, and you need to be saying what are my mitigations in place, how am I watching for this, what am I monitoring for against this, do I have the right IOCs put into the SIEM? That's what I want to be able to get across. Oh, and there's Mylobot. Has anybody heard of these ones as I'm bringing them up? By the way, feel free to chime in if you have. Okay, how I said "oh holy..." when I saw Mylobot. Again, it's the sophistication that is being

built into these that makes it totally weaponizable to me. So anti-VMware, anti-sandbox, anti-debug: they already know what we're going to try and do, they're one step ahead of us. Obfuscation, huge, right? If we can't see you, we can't find you, so it's wrapping things in encrypted files. I'm thinking like, remember Stuxnet and layers of wrapping? Exactly, people were paying attention. I see them using this, it doesn't have to call back home for 14 days, it can be quiet, stealth mode, three frickin' layers of malware run one on top of the other to engage and activate. But the last one, this one is juicy: memory resident, fileless malware, is a

very bad thing. Ah, but this one is also interesting because it's a hunter-killer, it doesn't want anybody on its turf, so it obliterates other botnets. If we ever got the idea in our head to deploy a defensive botnet, it would already know how to get rid of it. And it is multifunctional, this can deliver any payload you wish, very nasty stuff. That's nuts. Brings me to one of our most recent ones, VPNFilter, but this one changed the game in terms of being a weapon leveraged, designed by a nation-state for use against another nation-state. Now I'm thinking in terms of Stuxnet, weaponization at the digital level. We know that Russia has a campaign against the Ukraine, we understand this, they've

gone after them with BlackEnergy, they've gone after the power grid and ICS. This botnet, I believe, is a foreshadowing of the kind of capabilities that they are developing that are putting us at very serious risk, and yes, our critical infrastructure, and those warnings, I cannot stress them enough. I can't predict enough about what could go wrong there, but yeah, they are absolutely targeting it. And what if, what if you had a botnet loaded with the right things that we could not bring down, that could go after our critical infrastructure, water, not just power, water? What's interesting about VPNFilter is that they knew to go after the shitty little routers in our

homes where there were tons of vulnerabilities that already existed, and they knew they were unpatched, easy to leverage, and then they loaded this up. And this is why I think the weaponization is so important: wiper and persistence, because for me wiper means you never have to say you're sorry. Smominru, and I hope I said that right, came in at the beginning of January, and that's when I was awakened to what this year was going to be, because I saw that and I thought holy crap, why is nobody else getting excited about this? It wasn't just that it was a freaking massive botnet, and that is a freaking

massive botnet by any terms. This was a miner, this was dropping crypto mining malware in places that it didn't belong. It wasn't just, you know, going after Joe and Bill and Jane's devices to load it up, it wasn't at the level of the individual, it was at enterprise level, and at this point enterprises were like "that's not going to happen to me, my servers are safe." You get this on your enterprise servers, you're definitely going to have an impact in terms of efficiency, it's a huge resource hog, but it's also got the potential to bring more than just crypto mining malware, and that's why we need to pay attention. Well, what was interesting is, in terms of defense, it avoided sinkholing,

you couldn't just bring it down. And another thing is living, we're talking a lot about living off the land, you know, using things native to Windows and to the operating systems to avoid detection. This knew how to harness the Windows management infrastructure to its benefit. And I bring to you proudly, this was such a great graphic, I just thought I'd share it with you, but it's advanced and it was scary. Here, I'll go back. This one went after a lot of devices, web servers and modems and all kinds of connected IoT devices. It leveraged multiple vulnerabilities, which comes back to the fact that we're just not on top of patching things, but we don't have control over the things that

don't get patched if it's living in somebody's house. It had, which was interesting, it had an SSH scanner, they could guess the username and the password of devices to expose their SSH port. It had a worm. Now a worm is a self-replicating piece of malware, you put it out there and it just continues on its own and carries through things. We're going to talk about worms in a little bit. And it went after content management service platforms, and there are a lot of those out there, and they are, for whatever reason, great targets because they seem to be very vulnerable. All right, I'm just gonna talk briefly about banking botnets, because this is probably one of the things that most

people have associated with botnets, and this is rooted in tradition, and I've seen a lot of them. Currently we have something new on, and it's called the Black botnet. It's leveraging Ramnit, which is a very notorious banking malware, it's powerful stuff, it goes after the credentials, it's able to get in, and it's a persistent threat for us in the banking world. We had the Dark Cloud botnet that had the Gozi banking Trojan, and from my experience anyway botnets and Trojans go together like horse and carriage. BankBot Anubis is a concern because it went after Androids, we know how vulnerable Androids are, they're also prevalent, they're so widely dispersed and hard to

maintain. TrickBot, there isn't a day that goes by that I don't see a warning notification about TrickBot, and then LokiBot, which again is persistent, perennial, very good at stealing credentials. This is typical, this is where we think in terms of monetization, but now we've moved into the realm of miners. I present to you mining malevolence, and this was out of the gate from 2018, I had a bad feeling about this. Actually the increase in miners is significantly more than this, it just continues to rise. What's very interesting is that we went from being threatened by ransomware to being threatened by crypto miners. There's been a significant drop in terms of ransomware, pretty much because it's easier for

the attackers to get the crypto miners out there. They're making money by doing it, they don't have to ask somebody for a ransom, they don't have to engage with people, it's not an uncertainty, it's a certainty: you are using somebody else's resources and making money from it, guaranteed return on investment, and they don't necessarily know you're there, most of the time they don't know you're there. A firm that I know of reported that they had blocked 2.5 billion attempts in six months, yet they're coming at it hard and heavy because they know they can make that money. One of the crypto miners that caught my attention was Zealot, and I'm

gonna talk about that a little bit later. Why? Well, you saw the word Apache Struts in there, right? If you don't know about Apache Struts, then use the word Equifax, and breach. Also it leveraged two of our, well, Shadow Brokers vulnerabilities. When you leverage old CIA digital weapons in your attempts, you know you're gonna go someplace, you know you're serious. All right, so let's talk a little bit more about Zealot, and this for me is an indication of where we can be trending now in terms of crypto miners, because if you get a nation-state, or somebody who can be hired as a proxy, a high-level cyber criminal gang who's willing to work for a nation-state as a

third party, they can do something like this. Apache Struts is a widespread web framework that's used at enterprise level, and I have had to issue advisories about it to my corporation, because when that goes down we know it's very serious. We know it's serious because in 2017 there were three warnings issued for it, and for whatever reason Equifax didn't get the memo and it didn't patch it, and then there was this freaking massive breach, and it was staggering, because Equifax doesn't just get your personal information, it's got your banking data. You do not want that stuff out there, that's damaging, very, very damaging, and you don't get it back once it's out there either. So these were the

two CVEs that were being leveraged. EternalBlue, well, it was used in WannaCry, it's designed to help you gain lateral movement through a network. Once you gain access in a network you want to be able to go through the whole thing and gather all the credentials and all the data, so that you win the deck of cards, you own it. It's interesting because it's able to utilize both PowerShell and, what we're seeing from an attack trend perspective is, hackers have been living off the land, so for about the past two years there's been a ton of talk about PowerShell. It's a really great tool for defenders but also for attackers, and if

you're using something that's on the land it's not going to be as easily detected, your systems aren't looking for that. Empire as well, it's a post-exploitation tool. Now this affected servers, but the fact is you can collect compromised servers into a botnet and wreak very powerful damage. We have to be thinking forward. MikroTik routers, let's talk about the routers of choice here. MikroTik is a Latvian company, it's used so much over in Europe. That's not inconsequential to us, we might not use MikroTik over here, but we'll be impacted by the botnets and the damage they create globally, and these were collected in massive numbers on several occasions, and there's currently a campaign, as you

can see from the date on there, to be worried about. In this attack, you can see this, they're concerned about sophistication. I worry when I see the word sophistication, because we've usually associated denial of service attacks with something that is at a more simplified level. Once you get sophistication in there, you know somebody is targeting you, somebody is going to come at you and do some very serious damage, you may not be able to detect it, you may not be able to mitigate it. All right, are we warmed up? Shall we play a game of what if? All right, so my query was where are the attackers going to go with this, what may come of it? There's a bunch of

devices out there that can be recruited into their army. We need to be looking at the questions in terms of how much damage could they do, and how are we prepared to step in at the time of attack if we can't catch it beforehand? Do we know how to prepare our systems to really monitor and look for things ahead of schedule? Are we prepared to deal with it after the fact? So botnets are designed with a purpose at hand. They need to call home, so they are usually grouped with a command and control server, but not all the time; some botnets have been designed to do a peer-to-peer organization. Why is that important? It's easier to find the ones

that are in a command and control setup. Peer-to-peer, they're just talking to each other, and it's much harder to track. That's a problem. They're designed with one role, they have, "you had one job," they do their job very well, go forth. And in fact one of the things that they are leveraging in some cases is wormable botnets, so again we talked about worms and being able to propagate without our interference. We don't have to worry about it, we set it out there and it goes and it does what it's told, more effectively than any human employee ever could. So while botnets for now seem to have been used for the purposes of creating denial of service attacks, for

creating monetization through dropping crypto miners on things, we've already seen with VPNFilter that they can be used as a weapon, and we are expecting more of the same. In the case of Mirai, for example, the people who wrote Mirai went after Brian Krebs, the security researcher. Now, it was a weaponized attack, now, with 2016. So I present to you great worms in history. This was interesting to research, some of us may know one or two of these. The Morris worm was interesting because it was supposed to be a prank, but it was a prank based out of pride, so this is human fallibility, and it went terribly, horribly wrong in a

hell of a fast time, and the brilliant student who produced it had to deal with the fallout, and he was scared to death. He did get arrested eventually. He did try to bring it under control, but kind of like in The Sorcerer's Apprentice, only he was the sorcerer, he couldn't bring it under control, not directly, not right away, and trying to warn the people who were in the direct line of fire, the worm beat him to it and they were unable to receive the SOS messages. We have very damaging worms: Michelangelo, these wiped disks, these were highly destructive, and that was the 1990s, so 20 years ago. Code Red and Code Red II were among the most damaging in terms of

I think a billion dollars at the end, all told. Then we have Conficker, which is notorious within ICS. So ICS is industrial control systems, critical infrastructure, that's very specialized equipment that is often very old and run to failure and hard to maintain. You get something in there, it's an unpatched system, that's just ripe for the picking. Now Conficker isn't known necessarily for doing damage, but it spreads like crazy and it has the potential to do damage and be loaded, you can mess with that code. And then of course the big one is Stuxnet. I'm just gonna say there's a lot of great reading on Stuxnet, I told it to my kids as a bedtime story.

So I present to you a very interesting perfect storm, and this is real. We've got something called the ADB.Miner that's been active and it works on Android devices. We know Android is inherently insecure and that it's everywhere. It's everywhere because it is cheap, people buy Androids. It's been going after port 5555, and Bob Rudis, who I mentioned earlier, put out an alert on August 2nd to everybody coming out here to please make sure, before you leave, to set your systems up and monitor it, because he had seen a spike in activity of this thing. Maybe the bad guys knew that we were gonna be away. Again, misconfiguration is at the heart

of the matter. This is something that we have to understand better as a community, to work on, because it is an Achilles heel for us. And the thing with this miner is that it can be quietly, silently uploaded to remote access. How do you tell that you're being hit until it's too late?

Now if I wanted to bring something to play, I would definitely bring in Zealot. If I wanted to build something at a nation-state level to weaponize, I would take the ADB.Miner and I would take what I could borrow from Zealot. I would be looking at enterprise-level vulnerabilities like Apache Struts, because I know that they're unpatched, they're global, and that my payoff is gonna be much bigger. And the beauty of it is I don't have to load crypto miner malware, I can load my malware of choice, because I can get into that code. Are we playing these games? Are we thinking, really thinking, like an attacker? In this case, if I want to pick

my botnet, I definitely look at Hide 'N Seek because of the persistence, the ability to utilize peer-to-peer over C&C for obfuscation. I want the ability to set it forth and not have to worry about managing it. I need that worm replication built in. I don't want somebody to be able to mess around with it once it's out there, so I'm going to have anti-tampering, anti-evasion, and yes, I want this to be multi-purpose, so that it is going to drop whatever I need and have the ability to bring down the Eastern Seaboard if I so choose. I'm not going to do that though, really. I present you Frankenbot. So I'm really not

technical, and I've just played a lot of what-if. I'm not encouraging you to go forth and make your own botnets. If you wanted your botnet, this was my project to do this talk. Right down, I joined some darkened, seedy places that nice moms like me don't really belong on. That's okay, I have several proxies, it's nuts. I went and looked at stuff that, you know, I had to wash my eyes out from after, but it was really interesting and I'll share some of it with you. And I looked to the people who do this for a living to say how would I go about building a botnet, me, because we're going to reduce this to

the lowest common denominator, because that's where we should be scared. Nation states might know what they're doing, but script kiddies who want to do it for the money don't, and as we know, if you put somebody who has no license behind the wheel of a car, an accident is going to happen, and an accident at this level is going to be very costly, possibly even more damaging. Alright, so we talked about: you need to look at things like peer-to-peer networking, we want to find a loader to be able to infect systems, you need to have a good hosting source. You can't just go to your, you know, Cogeco, or in my case Rogers; you have to

go to a place where nobody knows your name, and preferably overseas. They offer something called bulletproof hosting for that reason. Bulletproof means nobody knows who you are, because you pay them enough money and they are silent. They pretty much are in Russia. Then you go to set yourself up on Google Translate and Google Russia. That's why you're gonna build something interesting called a stub, but that's your infecting file. You need to have a net builder to do this, but I've got great news for you: there's lots of interesting places that you can access online to find these things. I found them; I didn't even get in trouble doing so. You will use a crypter for your stub, because you're going

to evade detection from antivirus; this is just a given. You do not want to be caught fresh out of the gate. It's like when you play hide and seek with your friends, right? You don't want to be the first one tagged; you're in it for the long run. This makes sense. You're gonna go hunting for vulnerabilities; you're gonna use Shodan to go hunting for vulnerabilities. That seems to work like a charm, and there's a lot of vulnerabilities listed on a daily basis that you can look for. You're looking for the ones that are like CVE-2016, -2017, because those are guaranteed wins. And then you need a remote administration tool, a RAT, that's going to help you deliver

the payload. These are pretty much the typical components; it's kind of like a recipe for a cake, just different. So this was one of the forums I was on that has a lot of really good stuff in it. Yes, thank you. These are, not just can you find the things you need, you can find people to teach you. Now, I've also gone on the dark web, and they are big on teaching each other stuff, better at it even than we are. You can get the Botnet Bible; it costs money, I didn't want it. You can find out more about who should host you and why. I did go looking and I found good stuff on hey spin, building that

stuff, and then how do you build something? UFONet. This is an entire guide to building a botnet and walks you step by step through the process, and it works, and if you build this botnet you can load it with these very bad things, but it works. This I've included is a very interesting description on how you compromise a router, because the bottom line is you're going to be compromising a router to get in, and understanding how that compromise works was nicely laid out here. More fun stuff: did you know you can find Mirai source code on Pastebin? It was released; it's been used in a number of variants since the release, and that's why when somebody releases the

code we should be scared. There's the Satori source code; Satori is a very nasty botnet too. I didn't get to talk about it 'cause there's only so much time, but you can get the code and do very interesting things. This was another interesting forum: Sora, a very nasty, very efficient source code for enhancing your botnet features. Do you want to put Coinhive on? Coinhive is the biggest distributor, it is the biggest source of mining malware out there, and it mines Monero, and it gets dropped on everything. That's how you find it, that's how it works, and that's how you can load it. So I must bid you all adieu. I hope that this was

entertaining as well as educational. I

will leave you with these suggestions based on what we talked about, and when I upload my slides, these are some of the resources that I used that I hope will be helpful to you. Thank you very, very much for sharing this talk. Are there any questions? Questions? Okay. On one of the slides you mentioned something called BlackEnergy; could you elaborate what that is? Yes, BlackEnergy is malware designed by Russia, APT28 I believe, when they went after the Ukrainian power grid; that was used to help bring it down, so it is a nation-state-level malware.

When we're mostly talking about botnets, again, we're talking about DDoS, and where most ISPs are, the edge could drop the traffic if they saw DNS requests coming from IPs that are not specifically in a range. This has been going on for like two or three years now, and again the increments of, you know, have you seen any of the ISPs or any of the edge providers actually saying, hey, we're going to stop this? Because it really takes one entry to basically stop, or at least significantly decrease, the effectiveness of DDoS. I can say that when they went after GitHub, people who had Akamai in place were protected. It took a hit, but it was a brief hit, how

come I was on it, quick to respond. However, not everybody was able to afford Akamai, and not all ISPs are able to respond at that level either. Big ones, yes; the smaller ones, and there are a number of them, they would fall victim. Any other questions? Cool. Thanks, Cheryl. Okay. [Applause]