EGO MARKET: When People's Greed for Fame Benefits Large-Scale Botnets

Presented at Black Hat Europe 2016, Nov. 4, 2016, 9:30 a.m. (60 minutes)

Want to give your blog a push or your "gun show" more views? Then why not buy 50,000 fake followers for $1,000! Click farms from down South or botnets such as GameOver Zeus will be more than happy to supply them for you. For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose 2.0 that conducts social media fraud. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. To do so, we performed an HTTPS man-in-the-middle attack to decrypt its traffic. This gave us an impressive amount of information on the botnet's activities: the names of the fake accounts it uses, its modus operandi to create fake followings and the identification of its consumers, companies and individuals.

This talk will be of interest to a wide audience. First, it will present the elaborate methodology that was used to infect custom honeypots with Linux/Moose 2.0 and that led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. Analyses from the decrypted traffic will be presented: the botnet's sneaky modus operandi for creating fake endorsements and the sly techniques it uses to avoid detection. The presentation will further increase its draw by placing the botnet's activities within a larger scope: the criminal market for social media fraud. With the data gathered from the decrypted traffic and open-source research, market dynamics behind social media fraud will be presented. Finally, we will cover how botnet operators, wholesalers and online merchants leverage each other to create a criminal market that easily supports money laundering.


  • Olivier Bilodeau - Cybersecurity Research Lead at GoSecure Inc., GoSecure
    Olivier Bilodeau is the head of Cybersecurity Research at GoSecure, a consultancy firm specializing in cybersecurity services for the public and private sector. With more than 10 years of infosec experience, Olivier worked on Unix servers, managed enterprise networks, wrote open source network access control software and recently worked as a Malware Researcher at ESET. He likes to reverse engineer everything that crosses his path, participate in information security capture-the-flag competitions, hack open source code and brew beer. He has spoken at various conferences (Defcon, Botconf, VirusBulletin, Derbycon, …), used to lecture on information security at ETS University in Montreal, drives the NorthSec Hacker Jeopardy and co-organizes the MontreHack capture-the-flag training initiative. His primary research interests include reverse-engineering tools, Linux and/or embedded malware and honeypots.
  • Masarah Paquet-Clouston - Researcher at GoSecure Inc. / Graduate Student in Criminology at Université de Montréal, GoSecure
    Masarah Paquet-Clouston is a graduate student in criminology at Université de Montréal and a researcher at GoSecure, a consultancy firm specializing in cybersecurity services for the public and private sector. Additionally, she is an investigator at the Canadian Radio-television and Telecommunications Commission (CRTC) and an active member of the SERENE-RISC Smart Cybersecurity Network. With a background in economics, she specializes in the study of market dynamics behind illegal online activities. She has presented at various international academic conferences such as the International Society for the Study of Drug Policy and the American Society of Criminology. Besides doing research, she's passionate about programming, defending online privacy and playing Age of Empires II.

