Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.

1. Going Kine)c on Electronic
Crime Networks
THOTCON0x06
John Bambenek, Fidelis Cybersecurity

2. Introduc)on
• Sr. Threat Researcher with Fidelis Cybersecurity
• Faculty at the University of Illinois at Urbana-
Champaign
• Producer of open-source intelligence feeds
• Run several takedown-oriented groups for various
malware families

3. Problem Statement
• Right now we are on the losing
end of an arms race
• The adversaries produce more malware than we can
possibly analyze.
• We have to operate in the open while they operate in
secret.
• Their core business is exploitation, security for us is a
cost center.
• We operate in a global economy without an effective
means of global law enforcement.

4. TL;DR
Bad News: We’re Doomed
Good News: Unlimited Job Security

5. What to do…
• You could keep playing defense:
• Firewall Rules
• IDS/IPS Rules
• AV Signatures
• IoCs
• Etc etc etc

6. The problem of “sufficiency”
• Once we “detect” a threat work occurs until some
“defense” is developed.
• Once a threat is “blocked”, the work tends to stop.
• The threat actor can operate with impunity and just
has to tweak tactics occasionally.
• Those in most need of security are least likely to
have it / afford it.

7. What to do…
• Or you can take the fight to the
adversary and go kinetic?
• Why kinetic?
• No, I’m not talking about predator
drones…
• Or hacking back…

8. What to do…

9. What is a takedown?
• An attempt to disrupt an ongoing electronic
crime operation with the intent of ending it
entirely.
• Successful takedowns: Operation Tovar,
Conficker
• Unsuccessful takedowns: Kelihos (all 4)
• Complete disasters: No-Ip

10. Aren’t takedowns just media ploys?

11. Aren’t takedowns just media ploys?
• Right now there is far too much media
pimping in our industry by <insert company
name here>.
• There have been plenty of takedowns for PR
purposes. And white papers. And blog
posts… etc.
• Doesn’t mean to stop trying to have an
impact.

12. How to tell difference?
• Takedowns, like all security related activity
requires OPSEC.
• What’s the first rule of OPSEC?

13. Do takedowns do any good?
• Some argue because crime doesn’t stop
takedowns don’t do any good.
• Sure, stupid takedowns don’t do much
good.
• But arrests haven’t stopped rape,
murder and theft in a few thousand
years either.

14. Do takedowns do any good?
• Writing detection rules don’t stop
criminals from adapting either.
• Key is to do things in a thoughtful way
to maximize impact and minimize risk.
• Hopefully along the way an indictment
can be had.

15. How to do takedowns…
• Largely depends on the threat and the
complexity.
• Can be as simple as asking a provider
to shut someone down.
• Can be as complicated as involving
dozens of organizations, law
enforcement across multiple countries.

16. The Easy Way
• Getting things taken down for criminal
activity can be time-consuming.
• Getting things taken down for “brand
damage” / DMCA is generally easy.
• Seriously, ICANN has minimal
security rules for domains, but they
are all over brand damage /
impersonation.

17. The Easy Way
• That only works for “small” threats…
the kind of threats that are easy to come
back anyway.
• Most threats are too big for one
organization to handle.
• There are shared threats and unique
threats. Most are shared threats.

18. Building the Intel for Takedowns
• Have to build the “what” before you can
answer the “how”.
• Almost all malware wants to talk
“somewhere”.
• Enumerate *ALL* avenues an adversary
can contact an infected machine.

19. Example #1
• Example #1: Domain Generation
Algorithms
• Based on some math, a pseudo-random
but predictable list of domains are
generated.

20. Example #1
• If you can RE a DGA, you can use it to
build intel.
• See Johannes Bader’s blog:
johannesbader.ch
• Create a domain list, use adns-tools to
resolve large numbers of them on a
routine basis, instant SIGINT tool

21. Example #1
tmabjkeyftudpk.com , Domain used by Cryptolocker - Flashback DGA for
11 May 2015
eiavquoeipblqq.net , Domain used by Cryptolocker - Flashback DGA for
11 May 2015
rvyqndcrbqsxqu.biz , Domain used by Cryptolocker - Flashback DGA for
11 May 2015
fjccjegtytxxsh.ru , Domain used by Cryptolocker - Flashback DGA for 11
May 2015
swbwgmthrupkju.org , Domain used by Cryptolocker - Flashback DGA
for 11 May 2015
gqfoopfpkaxjjf.co.uk , Domain used by Cryptolocker - Flashback DGA for
11 May 2015

22. Example #1
• You could use this list to find what
resolves and where the adversary is
sitting…
50.63.202.25 , IP used by matsnu C&C
54.228.194.98 , IP used by matsnu C&C

23. Example #1
• Or you could take all the domains current and
future in a legal action.
• If there is no other path to access, you have
severed the adversary’s ability to control.
(Operation Tovar did this).
• You could also buy all the domains…
• Expensive, unless you are a registrar which is
cheaper than you think to do.
• Or you could ask registrar to suspend. Many will
take action (some won’t).
• AlienSpy example

24. Example #2
• Example 2
• Mine malware for C2 information
• https://github.com/kevthehermit/RATDecoders
• Python scripts that will statically rip configurations
out of 32 different flavors of RATs.
• Disclaimer: I had nothing to do with the
development of these tools; they just fit my need
and Kevin Breen deserves mad props.

25. Sample DarkComet config
Key: CampaignID Value: Guest16
Key: Domains Value: ######.ddns.net:1234
Key: FTPHost Value:
Key: FTPKeyLogs Value:
Key: FTPPassword Value:
Key: FTPPort Value:
Key: FTPRoot Value:
Key: FTPSize Value:
Key: FTPUserName Value:
Key: FireWallBypass Value: 0
Key: Gencode Value: 3yHVnheK6eDm
Key: Mutex Value: DC_MUTEX-W45NCJ6
Key: OfflineKeylogger Value: 1
Key: Password Value:
Key: Version Value: #KCMDDC51#

26. Sample njRat config
Key: Campaign ID Value: 1111111111111111111
Key: Domain Value: #####.ddns.net
Key: Install Dir Value: UserProfile
Key: Install Flag Value: False
Key: Install Name Value: svchost.exe
Key: Network Separator Value: |'|'|
Key: Port Value: 1177
Key: Registry Value Value:
5d5e3c1b562e3a75dc95740a35744ad0
Key: version Value: 0.6.4

27. Processing DNS/IP Info
• Config takes FQDN or IP in free-form field.
• The only configuration item any processing is done
on is here.
• If RFC 1918 IP, then drop config.
• If FQDN resolves to RFC1918 IP, keep it.
• If it doesn’t resolve, keep it.

28. Sample Output
0739b6a1bc018a842b87dcb95a73248d3842c5de,150213,Dark Comet Config,Guest16,######.ddns
.net,,1604,,,,o1o5GgYr8yBB,DC_MUTEX-4E844NR
0745a4278793542d15bbdbe3e1f9eb8691e8b4fb,150213,Dark Comet Config,Guest16,######.noip.me,,1604
,,,,aWUZabkXJRte,DC_MUTEX-TX61KQS
07540d2b4d8bd83e9ba43b2e5d9a2578677cba20,150213,Dark Comet Config,FUDDDDD,######.no-ip.biz,
204.95.99.66,1604,,,,qZYsyVu0kMpS,DC_MUTEX-8VK1Q5N
07560860bc1d58822db871492ea1aa56f120191a,150213,Dark Comet Config,Victim,######.no-ip.biz,,1604
,,,,sfAEjh4m1lQ7,DC_MUTEX-F2T2XKC
07998ff3d00d232b6f35db69ee5a549da11e96d1,150213,Dark Comet Config,test1,,192.116.50.238,90,,,,4A
2xbJmSqvuc,DC_MUTEX-F54S21D
07ac914bdb5b4cda59715df8421ec1adfaa79cc7,150213,Dark Comet Config,Guest16,######.ddns.net,31.13
2.106.94,1604,1.#######.z8.ru,######60,######2012,zwd8tEC0F0tA,DC_MUTEX-W3VUKQN
NOTE – Redacted entries are username and password for FTP drop for
keylogs.

29. So you have data. Now what?
• You have four options for takedown
related actions:
• Use the criminal justice system
• Use civil litigation
• Work with providers directly (AUP/
ToS/Contract enforcement)
• Other “less legal” means which we
will not discuss here.

30. Criminal Jus)ce System
• The ideal result… someone gets arrested.
• Generally, work for big online crime cases
starts with private sector research.
• Very time consuming but low cost.
• LE in almost every country willing to work
with anyone who can help build cases.
• Yet cooperation between countries can be
problematic.

31. Criminal Jus)ce System
• Important tool to motivate law enforcement
is to enumerate harm.
• Sinkhole domains (if possible) to build victim
information.
• Before LE will act they want to know how
their citizens are impacted.
• Possible to get cooperation even in “hostile”
jurisdictions.

32. Civil li)ga)on
• Involves an aggrieved party (or
regulatory body) going to court for some
remedy.
• Generally not available to most people
for lack of “standing”.
• Can also lead to some collateral damage.

33. Work with providers directly
• Some are more cooperative than others.
• Many go from uncooperative to cooperative.
• Takes time to build a relationship and trust.
• Bypasses “foreign policy” issues and gets
results.
• As example, I’ve gotten cooperation inside
Russia and China on security issues.

34. Risk assessment
• Before any takedown is taken, a “risk
assessment” should be done.
• What collateral damage could be done?
• Is action being taken against a third-party
and not the target?
• Will less aggressive means accomplish the
mission without resorting to heavy-handed
tactics?

35. Post-­‐Takedown ac)vity
• Just because you takedown the C2 network,
it doesn’t necessarily mean you have cleaned
up infected machines.
• Operative Tovar created a mechanism for
people to recover files and to see if they were
infected to make private individuals “whole”.
• This is the most neglected part of takedowns.

36. The Key to All of This…
• Most threats are too big for one
organization to tackle.
• Many organizations have unique data or
skillsets.
• Key is to have a group of people across
organizations all contributing to a
reasonable amount to the goal.

37. The Key to All of This…
• Private working groups aren’t exclusive
to big companies or security companies.
• Takes willingness to contribute
something to get something in return.
• Added benefit is access to information
to protect your organization you
wouldn’t have otherwise.

38. Venues to par)cipate in takedown ac)vity
• Microsoft CME Program
• Private working groups (some are more
open than others)
• I run 4.

39. The Upshot
• There is more work than could possibly be done.
• If you want to contribute effort, find a venue to do
so.
• Reverse-engineering
• Tooling
• OSINT research
• Etc.
• Much of the work is not as high-skill as you would
think, just takes time, motivation and a willingness
to learn.

40. Call to Ac)on
• There is more work than could possibly be done.
• If you want to contribute effort, find a venue to do
so.
• Reverse-engineering
• Tooling
• OSINT research
• Etc.
• Much of the work is not as high-skill as you would
think, just takes time, motivation and a willingness
to learn.

41. Bocom Line
“The infosec industry doesn’t need
another white paper.
What we need is bodies in the streets.”

42. This is here just because it amuses me

43. QUESTIONS?
THANK YOU
John.bambenek@fidelissecurity.com / 217 493 0760
@bambenek