Attacking Linux/Moose Unraveled an Ego Market

Retour à la liste des conférenciers et sessions

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose that conducts social media fraud. Linux/Moose has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. We performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months decrypting the bots’ proxy traffic. This gave us an impressive amount of information on the botnet’s activities on social networks: the name of the fake accounts it uses, its modus operandi to conduct social media fraud and the identification of its consumers, companies and individuals.

This presentation will be of interest to a wide audience. First, it will present the elaborate methodology we used to infect custom honeypots with Linux/Moose and led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. The talk will further increase its draw by placing the botnet’s activities within a larger-scope: the illicit market for social media fraud. With the data gathered from the decrypted traffic and open-source research, market dynamics behind the sale of social media fraud will be presented, allowing an overview of the botnet’s potential profitability. Overall, this research elevates the standards of botnet studies as it not only investigates how a botnet is built, but also what drives it.

Olivier Bilodeau Cybersecurity Research Lead, GoSecure

Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 13 years of infosec experience, he enjoys luring malware operators into his traps, writing tools for malware research and vulnerability research. Olivier is a passionate communicator having spoken at several conferences including BlackHat, Defcon, Botconf, NorthSec, Derbycon, and HackFest. Invested in his community, he co-founded MontréHack, a monthly workshop focused on hands-on CTF problem solving, and NorthSec, a large non-profit conference and CTF based in Montreal which you may have heard of.

Masarah Paquet-Clouston , Université de Montréal

Masarah Paquet-Clouston is a professor at Université of Montréal and a collaborator at the Stratosphere Laboratory. She holds a Ph.D. in criminology from Simon Fraser University and is specialized in the study of profit-driven crime enabled by technologies. In the past, she worked five years as a researcher at the private cybersecurity firm GoSecure. She presented the results of her research at various international conferences including NorthSec, Black Hat USA, DEF CON, CERT-EU, RSA, HackFest, and Virus Bulletin.