Attacking Linux/Moose Unraveled an Ego Market

Presented at NorthSec 2017, Unknown date/time (Unknown duration)

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose that conducts social media fraud. Linux/Moose has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. We performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months decrypting the bots' proxy traffic. This gave us an impressive amount of information on the botnet's activities on social networks: the name of the fake accounts it uses, its modus operandi to conduct social media fraud and the identification of its consumers, companies and individuals. This presentation will be of interest to a wide audience. First, it will present the elaborate methodology we used to infect custom honeypots with Linux/Moose and led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. The talk will further increase its draw by placing the botnet's activities within a larger-scope: the illicit market for social media fraud. With the data gathered from the decrypted traffic and open-source research, market dynamics behind the sale of social media fraud will be presented, allowing an overview of the botnet's potential profitability. Overall, this research elevates the standards of botnet studies as it not only investigates how a botnet is built, but also what drives it.

Presenters:

• Olivier Bilodeau
  Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, Olivier managed large networks and server farms, wrote open source network access control software and worked as a Malware Researcher. Passionate communicator, Olivier has spoken at several conferences like BlackHat Europe, Defcon, Botconf, SecTor, Derbycon and many more. Invested in his community, he co-organizes MontréHack - a monthly workshop focused on applied information security -, he is in charge of NorthSec's training sessions and is hosting NorthSec's Hacker Jeopardy. His primary research interests include reverse-engineering tools, embedded Linux malware and honeypots. To relax, he likes to work on the AsciiDoc open source ecosystem and brew his own beer.
• Masarah Paquet-Clouston
  Masarah is a security researcher at GoSecure, a consultancy firm specializing in cybersecurity services for the public and private sector. She is also a member of the council for the NorthSec conference. Using her economic and criminological backgrounds, she specializes on the study of market dynamics behind illegal online activities. Her goal is to conduct scientific research to understand these online phenomena, without falling into the corporate alarmist side. She presented at various international conferences such as Black Hat Europe, Botconf and the American Society of Criminology. Besides doing research, she's passionate about programming, defending online privacy and discussing politics.

Links:

• https://www.nsec.io/2017/02/attacking-linuxmoose-unraveled-an-ego-market/
• https://www.youtube.com/watch?v=8c8C5cHbRU0

Similar Presentations:

• VB2015 / Last-minute paper: Anonymizing VPN services as a botnet monetization strategy - analysing the Bunitu botnet
• VB2015 / Last-minute paper: Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet
• Black Hat Europe 2016 / EGO MARKET: When People's Greed for Fame Benefits Large-Scale Botnets