But before I start, I would like to introduce myself and my country. I am Chema Alonso, (@chemaalonso) I work in a small company called I64 (Informatica 64) in Spain, I’m also a Microsoft MVP in Enterprise Security, and I live in Spain.
Do you know Spain? Have you ever been to Spain? If not, you have to go and visit our country. This is Madrid (see left-hand image below), the city in which I live. As you can see, this is a city that is never asleep, but it is smaller than New York. And there are a lot of big places in Spain that you have to visit. This is the Sacred Family in Barcelona (image in the middle), one of the most beautiful churches in the world, as you can see.
Of course, there are other places that you might like to visit. This is Ibiza (right-hand image above), a small island to which I’m going tomorrow, so if you want to rest and discover a different Spain – it’s very close to you, it’s in Europe, just across the ocean. And of course, if you’re a brave man you can visit all the cities with all the parties. This is Pamplona (see left-hand pic). How many of you have run from bulls at any time in your life? There is only one rule: if you drink, don’t run. That’s the only rule. The rest is easy, you only need to run faster than the bull, it’s very easy to do.
And of course, if you’d like another party, we’ve got something special. This is the Tomatina (on right-hand image above); it’s a battlefield with tomatoes, one day long. I am not sure about the history of this party, but you only need to throw tomatoes – that’s all, it’s quite interesting. Well, we are Spaniards, you know.
Well, let’s start with today’s topic. Today’s topic is quite simple: let’s create a botnet – that’s all. But we’ve got a lot of problems with this from the start. I guess many of you have been thinking about creating a botnet at some time in your life. How many of you have been thinking about creating a botnet? How many of you did it? I did it. Well, the idea of creating a botnet is quite interesting, but of course, I assure you, I’m lazy. I’m from Spain, so it’s normal. So, we are lazy, and this is a nice picture (see image). I would like to show you this picture, because when Spanish people need a power supply, they use flip-flops to connect it across the swimming pool. It’s incredible! This is more or less the kind of thing we’re used to doing in Spain.
So, that’s the idea of creating a botnet. We wanted to create a botnet, but we were lazy; we have no money – you know it; we have no 0-days; we aren’t the FBI or the NSA, so we cannot intercept communication for free, and of course we are not Google, Apple or Microsoft, who are running all their devices around the world. And, you know, we are Spaniards, so we need to do something different from the beginning. The idea of creating a botnet was quite simple. We thought: okay, let them be infected; let’s do something that allows bots to infect themselves. So, the only thing that we wanted was for them to want to be infected, quite simple.
In the end, if you think about this topic, it’s very useful and the malware industry has been using it for around the last 5 or 10 years; we’ve got rogue antivirus and social engineering tricks. So, why not make our own botnet doing the same trick? So, the idea of creating a botnet is just to create a man-in-the-middle attack. There are so many man-in-the-middle attacks that can be used in different scenarios. Of course, if we are in a network we can use something like ARP spoofing, or we can use rogue DHCP in IPv4 or IPv6 networks, man-in-the-middle attacks in IPv6 networks. We are going to publish a new tool, a new FOCA, which is the Evil FOCA, to perform man-in-the-middle attacks in IPv6 networks: just point it and click, quite simple.
And of course, if you are able to manage the DNS, you can do the man-in-the-middle attack. But it is quite complicated in terms of the Internet because you have to deal with a lot of Internet service providers and networks, so it’s difficult to use on the Internet. One of the most used practices on the Internet several years ago was the man-in-the-browser, in which things like Browser Helper Objects are installed in Internet Explorer, and lots of malware samples have been using this trick. We got a lot of malware this way, especially from Russians. You’ve seen this trick; it is very effective and it works so well that they need special files to configure the Trojan to attack different banks. This is how a banking Trojan uses an XML file to configure the man-in-the-browser to control all the different web pages from different banks. Quite simple, and yet it works very well.