Last-minute paper: Nymaim: the Untold Story

Presented at VB2016, Oct. 6, 2016, 10 a.m. (30 minutes)

Over the course of the last few months, we have observed a new Nymaim campaign, on a larger scale than usual. According to other researchers, Nymaim has caused over 2.8 million infections recently. More than 270 Polish banks have been targeted (many of which are our customers). They haven't been particularly happy about their customers being robbed, so we have had to do something. In this talk, we will describe our findings. We will discuss Nymaim's technical details; in particular, we will cover:

  • Methods of operation and behaviour after landing.
  • Obfuscation and anti-debugging used, and how to defeat them.
  • The web injects, how the money is stolen and what happens next.
  • How the static configuration is stored in the binary, and how to extract it automatically.
  • Network protocol and botnet architecture.

During our analysis, we focused mainly on the network protocol. We have observed typical P2P botnet behaviour; as far as we know, this is something that hasn't been described publicly before. We will describe the obfuscation and encryption methods used in communication and the various internal resource formats, and we will highlight a few peculiar similarities to Gozi ISFB. We will also share snippets and tools we created: a packet dissector and a DGA implementation. We will conclude by presenting the main result of this research: our Nymaim tracker, written in Python. We are currently crawling through the Nymaim botnet, scraping IPs and downloading everything we can. We are able to automatically download new configs, binaries and web injects from C&Cs and peers as soon as they are released.

Presenters:

  • Maciej Kotowicz - CERT Poland
    Maciej Kotowicz is Principal Botnet Pwner at CERT.pl with a special interest in reverse engineering and exploit development, as well as automation of both. Occasional speaker. In his free time he likes to drink beer and play CTFs, in no particular order. @maciekkotowicz
  • Jarosław Jedynak - CERT Poland
    Jarosław Jedynak is a security engineer working at CERT Polska. His research interests focus on malware and botnets, especially P2P ones. In his free time, he is a passionate CTF player.
