CrimeOps of the KashmirBlack Botnet

Speakers

Sarit Yerushalmi and Ofir Shaty

Abstract

Want to take an in-depth look at the anatomy of a world-wide botnet? Ever wondered how botnets are raised?

In this session we will expose the KashmirBlack botnet, which infected hundreds of thousands of CMS platform victims. It uses a Plug&Play infrastructure, which makes it easy to expand and add new exploits or payloads without much effort, and it uses sophisticated methods to camouflage itself, stay undetected, and protect its operation.

We will take you down the rabbit hole on our journey, in which we went undercover, deployed a honeypot and participated in the botnet, resulting in the exposure of the Indonesian hacker crew PhantomGhost. By infiltrating the botnet’s operation, we got a rare opportunity to witness its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay.

Explore the DevOps behind the botnet, discuss its purpose and go deep into the bits-and-bytes of the entities, the operation and the infection technique.

The KashmirBlack botnet utilizes dozens of known vulnerabilities on its victims’ servers, performing millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 servers, mostly innocent surrogates, as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.

Speaker information

Sarit Yerushalmi

@sarity85

Security researcher at Imperva for the last 5 years in web application and cloud data security and for 5 years as a security analyst. Analyses CVEs and threats in web applications and cloud environments. Develops algorithms to detect and protect against attacks.

Ofir Shaty

@mamamia431

Security researcher at Imperva for the last 5 years in web application and cloud data security and for 5 years as a security analyst. Analyses CVEs and threats in web applications and cloud environments. Develops algorithms to detect and protect against attacks.