Botconf 2019 – “The Cereals Botnet” presentation slides and review

Tuesday, Dec 17, 2019

I have just travelled back from presenting at Botconf 2019.  This was the seventh Botconf conference, this time taking place in the lovely city of Bordeaux in France.

I have to admit that I have only attended this conference in recent years, but it can be easily stated that this is one of those events where you always have the room full with barely any empty seats left. That is due to the high quality of presentations that everyone delivers there.

This year was also special to me as a personal friend of mine - Gergely Eberhardt - and I were also presenting on a rather unique piece: a botnet we discovered many years ago and kept tracking almost until its extinction.

As most of the talks this year were focusing on Windows- and Android-based botnets (with a few exceptions of incident response, online ad fraud or Latin American banking trojans), our NAS-based, Linux-focused botnet talk enjoyed a good reception. The title of our talk was “The Cereals Botnet” and we presented on Friday morning.

The Cereals botnet targeted Network Attached Storage (NAS) and Network Video Recorder (NVR) devices. The botnet originates from 2013 but is still active today. We found compromised devices in the consumer, small business and government space. This botnet is unique in three ways: it was built from stock components with only very few custom-built binaries; its subnets are kept separate; and its host nodes communicate with the command & control in an unusual way. Years later the vendor fixed the targeted vulnerability; however, on a large chunk of infected nodes the firmware has either never been updated or the botnet was never properly cleaned from the storage drives.

You are probably wondering why we called it the Cereals botnet.  You can find out in our presentation slides on the conference website: https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Neumann-Eberhardt-the_cereals_botnet_botconf_2019_final.pdf

The full conference schedule along with slides of other talks is available here: https://www.botconf.eu/botconf-2019/schedule/

 

Three days went by quickly and I for one am already looking forward to going back to the eighth incarnation taking place next year in Nantes!

About the Author

Robert Neumann

Senior Security Researcher

Robert Neumann is a Senior Security Researcher in Forcepoint X-Labs. He focuses on various short- and long-term research projects, ranging from small scale malicious campaigns through niche malware and file formats to in-depth investigations and threat actor attribution. 
 
Robert is...