SlideShare ist ein Scribd-Unternehmen logo

Travelling to the far side of Andromeda

J
Jose Miguel Esparza

Talk about Andromeda at Botconf 2015. Abstract: Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc. This talk will not give just details about the latest changes in the Andromeda binary and control panel, but it will also respond some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.

Internet
1 von 61
Downloaden Sie, um offline zu lesen
Travelling to the far side of Andromeda Jose Miguel Esparza
$ whoami  Jose Miguel Esparza  Lead Threat Analyst at Fox-IT InTELL (NL) • Malware, Botnets, C&Cs, Exploit Kits, …  Security Researcher at home ;) • peepdf, NFC, malware (again)  http://eternal-todo.com  @EternalTodo on Twitter
Agenda  Introduction  Evolution of Andromeda  The Dark Side of Andromeda  Statistics  Interesting use cases  Conclusions
Introduction  Developed during 2011 (probably 2010 too)  First advertised in July 2011  Modular and versatile bot  Pings C&C periodically asking for “tasks” • Executes additional malware (and updates) • Executes plugins • Capability to send tasks to specific countries/bots/build_ids  Spread via spam campaigns, loaders and Exploit Kits  Current version: 2.10
Evolution of Andromeda  Binary  Plugins  Panel
Evolution of Andromeda  Binary • Request parameters • Response encryption • Plugins decryption • Anti-analysis (and bypass!)
Evolution of Andromeda  Binary • References - http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis - http://eternal-todo.com/blog/andromeda-gamarue-loves-json - http://blog.fortinet.com/post/andromeda-2-7-features - http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08 - http://stopmalvertising.com/spam-scams/cve-2013-2729-and-andromeda- 2.9-a-massive-hsbc-themed-email-campaign/andromeda-botnet.html
Evolution of Andromeda  Binary • Request parameters - <= 2.06  id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu - 2.07/2.08  id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu - 2.09  id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu - 2.10  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu}  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu, "bb":%lu}
Evolution of Andromeda
Evolution of Andromeda  Binary • Anti-analysis - Previous versions  BP detection  Custom exception handler  Comodo / Sandboxie  Process blacklist (custom hash)  VM detections  Time check (RDTSC)
Evolution of Andromeda  Binary • Anti-analysis - Newer versions  Just blacklisted processes (CRC32)
Evolution of Andromeda
Evolution of Andromeda avpui.exe (Kaspersky)
Evolution of Andromeda  Binary • Bypassing anti-analysis - Hardcoded system drive volume hash (previous versions)  0x20C7DD84 (CKF81X) - Special registry key (current version)  HKEY_LOCAL_MACHINESOFTWAREPolicies • is_not_vm =botid
Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions) - Fake URL - Overwritten code - RC4 algorithm modified - Fake RC4 key
Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions)  Cmd.exe in port 8000
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - Fake URLs  thisshitismoresafethanpentagonfuckyoufedsbecausethisisaf.com/im age.php (2.06)  http://www.chudakov.net/goto.php?num=146897 (2.07)  http://s28.postimg.org/wmsgw5s23/image.jpg (2.08)  http://img4.joyreactor.cc/pics/post/... (2.08)
Evolution of Andromeda  Binary • They want to fool you - Code to decrypt URLs removed (since 2.07)
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - RC4 algorithm modified (2.07/2.08)  Replacing 1 byte (add/sub)  Craziness trying to decrypt
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda  Binary • They want to fool you - Fake RC4 key  MD5("go fuck yourself")  754037e7be8f61cbb1b85ab46c7da77d
Evolution of Andromeda  Base plugins (older versions) • Socks4 • Formgrabber • Keylogger • Ring3 Rootkit
Evolution of Andromeda  Base plugins • Socks5 • Formgrabber • Keylogger • TeamViewer
Evolution of Andromeda  Additional plugins • Tutorial/Help on how to write your own plugins
Evolution of Andromeda  Additional plugins • Pony • Powershell + Embedded dlls • Spam • Proxy • …
Evolution of Andromeda  Panel • Show bot information / stats • Create tasks • Check received logs (Formgrabber / Keylogger)
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda  Panel • No too many changes in last version • Just added support for: - TeamViewer - JSON
The Dark Side of Andromeda  Who is behind Andromeda?
The Dark Side of Andromeda d40e75961383124949436f37f45a8cb6
The Dark Side of Andromeda  Business model • Selling bot licenses • Charging per rebuild (bot) • Payment - BTC, Perfect Money
The Dark Side of Andromeda  Builder • Used to create the binaries - URLs - RC4 key - Builder id
The Dark Side of Andromeda  Jabber bot • Fully active since Feb 2012 • Connected to customer DB • Refill credit • Build binaries - Command sent to bot - Bot responds with links to the binaries
The Dark Side of Andromeda  Jabber bot • resident: If the bot will remain installed in the system or not • plugins: Can be disabled if you do not plan on using plug-ins • integrity: Add privilege elevation • services: Add functionality to stop and disable security services • vm: Add functionality to detect the virtual machines and "bad" software • dns: Specifies if the bot will use Google DNS servers to resolve domains • relocs: Relocation of sections in the executable
The Dark Side of Andromeda  Jabber bot • ! set | resident | off • ! build | 123ABC | http://first.com/gate.php | http://second.com/gate.php
The Dark Side of Andromeda  Prices Product Old price Bot v1.* $300 Bot v2.* $500 Socks4 Included Formgrabber $500 Keylogger $200 Ring3 Rootkit $300 Product Current price Bot v2.* $500 Rebuild (bot) $10 Socks5 Free Formgrabber $500 Keylogger $200 TeamViewer $500
Statistics
Statistics
Statistics
Statistics
Statistics
Statistics
Interesting use cases  The Anunak group  Smilex  GamaPOS  Andromeda + TOR  Andromeda + PDF  Andromeda loving AV industry
Interesting use cases  The Anunak group • Report published in December 2014 (Fox-IT+GroupIB) • Russian banks and POS breaches • Andromeda botnet - Gozi/ISFB variant dropping Andromeda - Andromeda dropping Anunak
Interesting use cases  Smilex • Dridex operator • Arrested some months ago in Cyprus • Using Andromeda to distribute spambot (FortDisco) • Spambot distributing Dridex via doc+macro
Interesting use cases  GamaPOS • TrendMicro (July 2015) • Andromeda spread via DOC+Macro and Rig EK • PsExec & Mimikatz • GamaPOS in certain bots
Interesting use cases  Andromeda + TOR • Weird case • Spotted by Jaime Blasco (AlienVault) • Dropper on Malwr • Setting up proxy in the registry…
Interesting use cases  Andromeda + PDF • Curious case • Binary executing Andromeda • Opening decoy PDF file
Interesting use cases
Interesting use cases  Andromeda loving AV industry
Interesting use cases  Veronica´s botnet ;) • Distributed same plugin, different hashes • Spam bot (Jahoo/Otlarda) - S:_src_bor_softJSS_kitJahooReleaseJahoo32.pdb • Documented by Kafeine 5 days ago
malware.dontneedcoffee.com
malware.dontneedcoffee.com
Conclusions  Andromeda is far from dying  Alive “project” and business  Used by serious criminal gangs  Interesting custom plugins
Acknowledgements  Fox-IT InTELL • Ronaldo Vasconcellos • Alberto Ortega • Frank Ruiz  The Honeynet Project  Malware research community • Alexandru Maximciuc (Bitdefender)  Botconf
Thanks!! Jose Miguel Esparza http://eternal-todo.com @EternalTodo

Empfohlen

Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Jose Miguel Esparza
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
EKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit KitsEKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit KitsJerome Segura
 
Thrombus Training Dec. 2013
Thrombus Training Dec. 2013Thrombus Training Dec. 2013
Thrombus Training Dec. 2013CREATIS
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEric Vanderburg
 

Empfohlen

Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Sopelka VS Eurograbber - Really 36 million EUR?
Sopelka VS Eurograbber - Really 36 million EUR?Jose Miguel Esparza
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
EKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit KitsEKFiddle: a framework to study Exploit Kits
EKFiddle: a framework to study Exploit KitsJerome Segura
 
Thrombus Training Dec. 2013
Thrombus Training Dec. 2013Thrombus Training Dec. 2013
Thrombus Training Dec. 2013CREATIS
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEric Vanderburg
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Dwika Sudrajat
 
amrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapalibuildersreviews
 
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinDigicomp Academy AG
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)André Fucs de Miranda
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)ClubHack
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3Setia Juli Irzal Ismail
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottleVirus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottlePeter Kálnai
 
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailKalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailMartin Jirkal
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSMITRE ATT&CK
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012DefCamp
 
Defcon
DefconDefcon
DefconOpenDNS
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetTakashi Yamanoue
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchYury Chemerkin
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"StHack
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 

Weitere ähnliche Inhalte

Ähnlich wie Travelling to the far side of Andromeda

Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Dwika Sudrajat
 
amrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapalibuildersreviews
 
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinDigicomp Academy AG
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)André Fucs de Miranda
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)ClubHack
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottleVirus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottlePeter Kálnai
 
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailKalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailMartin Jirkal
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSMITRE ATT&CK
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012DefCamp
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetTakashi Yamanoue
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchYury Chemerkin
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"StHack
 

Ähnlich wie Travelling to the far side of Andromeda (20)

Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
 
amrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdfamrapali builders @@ hacking challenges.pdf
amrapali builders @@ hacking challenges.pdf
 
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
Puppet at DemonWare - Ruaidhri Power - Puppetcamp Dublin '12
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
 
Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)Hacking your Droid (Aditya Gupta)
Hacking your Droid (Aditya Gupta)
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted BottleVirus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
Virus Bulletin 2016: A Malicious OS X Cocktail Served from a Tainted Bottle
 
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktailKalnai_Jirkal-vb-2016-malicious-osx-cocktail
Kalnai_Jirkal-vb-2016-malicious-osx-cocktail
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012
 
Defcon
DefconDefcon
Defcon
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
 
Luiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitchLuiz eduardo. introduction to mobile snitch
Luiz eduardo. introduction to mobile snitch
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
 

Kürzlich hochgeladen

Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 

Kürzlich hochgeladen (20)

Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 

Travelling to the far side of Andromeda

  • 1. Travelling to the far side of Andromeda Jose Miguel Esparza
  • 2. $ whoami  Jose Miguel Esparza  Lead Threat Analyst at Fox-IT InTELL (NL) • Malware, Botnets, C&Cs, Exploit Kits, …  Security Researcher at home ;) • peepdf, NFC, malware (again)  http://eternal-todo.com  @EternalTodo on Twitter
  • 3. Agenda  Introduction  Evolution of Andromeda  The Dark Side of Andromeda  Statistics  Interesting use cases  Conclusions
  • 4. Introduction  Developed during 2011 (probably 2010 too)  First advertised in July 2011  Modular and versatile bot  Pings C&C periodically asking for “tasks” • Executes additional malware (and updates) • Executes plugins • Capability to send tasks to specific countries/bots/build_ids  Spread via spam campaigns, loaders and Exploit Kits  Current version: 2.10
  • 5. Evolution of Andromeda  Binary  Plugins  Panel
  • 6. Evolution of Andromeda  Binary • Request parameters • Response encryption • Plugins decryption • Anti-analysis (and bypass!)
  • 7. Evolution of Andromeda  Binary • References - http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis - http://eternal-todo.com/blog/andromeda-gamarue-loves-json - http://blog.fortinet.com/post/andromeda-2-7-features - http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08 - http://stopmalvertising.com/spam-scams/cve-2013-2729-and-andromeda- 2.9-a-massive-hsbc-themed-email-campaign/andromeda-botnet.html
  • 8. Evolution of Andromeda  Binary • Request parameters - <= 2.06  id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu - 2.07/2.08  id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu - 2.09  id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu - 2.10  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu}  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu, "bb":%lu}
  • 10. Evolution of Andromeda  Binary • Anti-analysis - Previous versions  BP detection  Custom exception handler  Comodo / Sandboxie  Process blacklist (custom hash)  VM detections  Time check (RDTSC)
  • 11. Evolution of Andromeda  Binary • Anti-analysis - Newer versions  Just blacklisted processes (CRC32)
  • 14. Evolution of Andromeda  Binary • Bypassing anti-analysis - Hardcoded system drive volume hash (previous versions)  0x20C7DD84 (CKF81X) - Special registry key (current version)  HKEY_LOCAL_MACHINESOFTWAREPolicies • is_not_vm =botid
  • 15. Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions) - Fake URL - Overwritten code - RC4 algorithm modified - Fake RC4 key
  • 16. Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions)  Cmd.exe in port 8000
  • 18. Evolution of Andromeda  Binary • They want to fool you - Fake URLs  thisshitismoresafethanpentagonfuckyoufedsbecausethisisaf.com/im age.php (2.06)  http://www.chudakov.net/goto.php?num=146897 (2.07)  http://s28.postimg.org/wmsgw5s23/image.jpg (2.08)  http://img4.joyreactor.cc/pics/post/... (2.08)
  • 19. Evolution of Andromeda  Binary • They want to fool you - Code to decrypt URLs removed (since 2.07)
  • 21. Evolution of Andromeda  Binary • They want to fool you - RC4 algorithm modified (2.07/2.08)  Replacing 1 byte (add/sub)  Craziness trying to decrypt
  • 25. Evolution of Andromeda  Binary • They want to fool you - Fake RC4 key  MD5("go fuck yourself")  754037e7be8f61cbb1b85ab46c7da77d
  • 26. Evolution of Andromeda  Base plugins (older versions) • Socks4 • Formgrabber • Keylogger • Ring3 Rootkit
  • 27. Evolution of Andromeda  Base plugins • Socks5 • Formgrabber • Keylogger • TeamViewer
  • 28. Evolution of Andromeda  Additional plugins • Tutorial/Help on how to write your own plugins
  • 29. Evolution of Andromeda  Additional plugins • Pony • Powershell + Embedded dlls • Spam • Proxy • …
  • 30. Evolution of Andromeda  Panel • Show bot information / stats • Create tasks • Check received logs (Formgrabber / Keylogger)
  • 33. Evolution of Andromeda  Panel • No too many changes in last version • Just added support for: - TeamViewer - JSON
  • 34. The Dark Side of Andromeda  Who is behind Andromeda?
  • 35. The Dark Side of Andromeda d40e75961383124949436f37f45a8cb6
  • 36. The Dark Side of Andromeda  Business model • Selling bot licenses • Charging per rebuild (bot) • Payment - BTC, Perfect Money
  • 37. The Dark Side of Andromeda  Builder • Used to create the binaries - URLs - RC4 key - Builder id
  • 38. The Dark Side of Andromeda  Jabber bot • Fully active since Feb 2012 • Connected to customer DB • Refill credit • Build binaries - Command sent to bot - Bot responds with links to the binaries
  • 39. The Dark Side of Andromeda  Jabber bot • resident: If the bot will remain installed in the system or not • plugins: Can be disabled if you do not plan on using plug-ins • integrity: Add privilege elevation • services: Add functionality to stop and disable security services • vm: Add functionality to detect the virtual machines and "bad" software • dns: Specifies if the bot will use Google DNS servers to resolve domains • relocs: Relocation of sections in the executable
  • 40. The Dark Side of Andromeda  Jabber bot • ! set | resident | off • ! build | 123ABC | http://first.com/gate.php | http://second.com/gate.php
  • 41. The Dark Side of Andromeda  Prices Product Old price Bot v1.* $300 Bot v2.* $500 Socks4 Included Formgrabber $500 Keylogger $200 Ring3 Rootkit $300 Product Current price Bot v2.* $500 Rebuild (bot) $10 Socks5 Free Formgrabber $500 Keylogger $200 TeamViewer $500
  • 48. Interesting use cases  The Anunak group  Smilex  GamaPOS  Andromeda + TOR  Andromeda + PDF  Andromeda loving AV industry
  • 49. Interesting use cases  The Anunak group • Report published in December 2014 (Fox-IT+GroupIB) • Russian banks and POS breaches • Andromeda botnet - Gozi/ISFB variant dropping Andromeda - Andromeda dropping Anunak
  • 50. Interesting use cases  Smilex • Dridex operator • Arrested some months ago in Cyprus • Using Andromeda to distribute spambot (FortDisco) • Spambot distributing Dridex via doc+macro
  • 51. Interesting use cases  GamaPOS • TrendMicro (July 2015) • Andromeda spread via DOC+Macro and Rig EK • PsExec & Mimikatz • GamaPOS in certain bots
  • 52. Interesting use cases  Andromeda + TOR • Weird case • Spotted by Jaime Blasco (AlienVault) • Dropper on Malwr • Setting up proxy in the registry…
  • 53. Interesting use cases  Andromeda + PDF • Curious case • Binary executing Andromeda • Opening decoy PDF file
  • 55. Interesting use cases  Andromeda loving AV industry
  • 56. Interesting use cases  Veronica´s botnet ;) • Distributed same plugin, different hashes • Spam bot (Jahoo/Otlarda) - S:_src_bor_softJSS_kitJahooReleaseJahoo32.pdb • Documented by Kafeine 5 days ago
  • 59. Conclusions  Andromeda is far from dying  Alive “project” and business  Used by serious criminal gangs  Interesting custom plugins
  • 60. Acknowledgements  Fox-IT InTELL • Ronaldo Vasconcellos • Alberto Ortega • Frank Ruiz  The Honeynet Project  Malware research community • Alexandru Maximciuc (Bitdefender)  Botconf