Travelling to the far side of Andromeda at Botconf 2015

It has been a while since I wrote the last time here and since I presented at Botconf, but I wanted to share my slides here too. A couple of weks after the sad terrorist attacks in Paris, Botconf was held in the city of love. Way more secure than before and with lots of security controls which almost made me lose my return train, but it was worth it. Attending a security conference focused on cybercrime, malware, reverse engineering and intelligence is always a good plan :) I really recommend you attending Botconf this year in Lyon, you will not regret it ;)

My presentation was about Andromeda. This is the abstract:

Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc.
This talk will not give just details about the latest changes in the Andromeda binary and control panel, but it will also respond some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.


Since the first time I analyzed Andromeda back in 2013 I have been taking a look at the new versions. Last year I published another blog post to give some details about the new JSON version and since then I have been tracking some Andromeda botnets at work, together with my Fox-IT InTELL colleagues. Thanks to this work we were able to spot some interesting botnets like the botnet used by the Anunak group or the botnet used by Smilex (Dridex operator arrested last year in Cyprus) to distribute his spam bot. Besides that, I was showing some statistics about the botnets we saw, interesting spread plugins like the spammer (Jahoo/Otlard) mentioned by Kafeine some days before my presentation, some funny comments about the anti-analysis techniques used by Andromeda and some details about the actors behind Andromeda. Unfortunately, some of this information was just shared at Botconf and it is not for public distribution.

This is the public version of my slides (you can download them here and also from the Botconf site):

Taking a look at the slides is not so exciting as attending the presentation, hehe, but I think it is enough to have a good idea about the subject and the things I discussed there. If you have any question or comment, be free, shoot! Also via email is ok if you are shy ;) And remember: Botconf, Lyon, 29th of November ;) See you there!