Home 
Watch live 
Watch on demand 
Chat 
Contact us 
CTA TIPS Lightweight emulation based IoC extraction for Gafgyt botnets
ANY.RUN - Interactive malware analysis sandbox
http://any.run/Get fast results in real-time! Intuitive interface. Convenient for any level analysts.
Join for free and start your malware hunting!
Avira Cloud Sandbox API. Completely private, unlimited-scale, automated malware analysis service
https://oem.avira.com/en/solutions/cloud-sandbox-apiAvira’s Cloud Sandbox API is built to ensure data privacy.
Receive detailed, file-specific threat intelligence reports containing actionable intelligence.
Supports MITRE ATT&CK™ framework.
Do APT Mercenary Groups Pose Real Threat to Companies?
https://businessresources.bitdefender.com/apt-as-a-service-webinarLearn about the recent Bitdefender investigation of a new attack attributed to a sophisticated actor offering advanced-persistent-threats-as-a-service.
Access the investigation
Be a part of the cyber resilience story - explore careers at
https://careers.opentext.com/Join the cybersecurity and data protection team at Carbonite + Webroot, OpenText companies.
We don’t just talk about sharing. We do it every day
https://www.cyberthreatalliance.org/our-sharing-model/Find out more about how threat intelligence sharing and collaboration through the Cyber Threat Alliance can function as a force multiplier to improve defenses across the ecosystem.
Map Malicious Infrastructures with Pure Signal™ Intelligence
https://partners.team-cymru.com/pure-signal-trialElite analyst teams use Team Cymru’s Pure Signal platform to access 50+ data types, including global network flow, PDNS, malware and more.
Start your 2-week trial now!
What is cyber threat intelligence (CTI) and how is it used?
Join the VB2020 Threat Intelligence Practitioners’ Summit (TIPS)Join the VB2020 Threat Intelligence Practitioners’ Summit, sponsored by the Cyber Threat Alliance,
to hear from leading industry voices on how CTI sharing can function as a force multiplier to strengthen defenses across the ecosystem.
Kaspersky Threat Intelligence Portal - find cyberthreats in files, URLs, IPs and domains
https://opentip.kaspersky.com/Know which alerts or incidents pose real threats, and prioritize them fast and effectively based on impact and risk levels.
No-Cost Threat Detection for ISPs and Hosting Providers
https://partners.team-cymru.com/nimbus-threat-monitorPartner with Team Cymru and get near-real-time threat detection, powered by our world-class IP Reputation data.
Join us now!
Outsource your Unwanted Software/PUA Work for Free
https://appesteem.com/avsAppEsteem’s feeds sort out the good apps from the Deceptors.
Our criteria are widely accepted. We’ll help with your disputes.
All for Free. Giving you more time to fight real malware.
Do you want to know how IT security products score in independent tests?
https://www.av-comparatives.org/enterprise/latest-tests/AV-Comparatives is an ISO certified independent organization offering systematic testing that checks whether security software lives up to its promises.
Results are available for free!
Defeating Application Fraud - Learn How
https://www.shapesecurity.com/solutionsWe protect more accounts from fraud than everyone else in the world combined.
Shape Security is now part of F5 (www.f5.com)
30+ years of experience in the anti-malware industry
www.virusbulletin.comVirus Bulletin is so much more than just a great conference.
Check out our website to see what more we have to offer.
DNSDB®: The DNS Super Power for Security Teams
https://www.farsightsecurity.com/get-started-guide/Farsight Security DNSDB®: the world's largest real-time and historical database of DNS resolutions.
Get your free DNSDB API key and use it in our newly updated web GUI, DNSDB Scout and your own environments.
Contextualize everything DNS related with one API key - DNSDB.
Tired of home office and in urgent need of some networking?
https://www.amtso.org/newsletter/Join the AMTSO community and meet security vendors, testers, journalists, and researchers to discuss cybersecurity trends, tests and standards!
Downloads
On the other side, Gafgyt botnets tend to be short lived, with most of our tracked botnets observed to be active for only a few days. To fight this type of fast-emerging while short-lived botnets, quick IoC extraction would play a very important role for later mitigation and tracking. Early Gafgyt variants usually store their IoCs (including C2 and register message) in plain text strings, thus IoCs could easily be extracted. However, things changed in later variants with C2s binary encoded and register messages updated in terms of format and content. While a sandbox could be used to handle those new variants, it faces the issues of evasion, longer runtime, and security risks caused by the scanning of capable Gafgyt variants. To overcome those issues, we came up with the idea of extracting IoCs with lightweight emulation, which has been used in malicious code detection for a long time. The final solution was verified to be effective with our data. While benefitting from the advantages of dynamic analysis, it has a shorter execution time with most samples able to be handled in a few seconds. Furthermore, since only the relevant code was emulated, the security risks caused by scanning capable variants could be totally removed.
In this paper I will introduce our solution and discuss the following aspects:
- How to effectively distinguish Gafgyt from Mirai. What is the most frequently used Mirai code in Gafgyt variants?
- What sets of fixed patterns, both static and dynamic, of IoC operations could be concluded from tens of hundreds of Gafgyt variants?
- How does LWE-based IoC extraction work? What are the general solutions for some common issues, e.g. foreign function dependence?
- Could the techniques learned in Gafgyt be generalized to other botnet families?
Back
