Notes from AfricaHackOn: Bank IT Security in Kenya.


Review of an IT Security conference in Kenya. Find out how bank IT security is developing in Kenya.
AfricaHackOn 2014 was the first conference about IT Security in Kenya and Africa. What does it look like in practice...

Botnets: The Advanced Malware Threat in Kenya's Cyberspace

Paula Musuva-Kigen
Research Associate Director, Centre for Informatics Research and Innovation (CIRI). Lecturer in Cyber-security and Digital Forensics, USIU, MSc, CCSP, CISA

Christian Kisutsa
Information Security Consultant – Serianu Limited, Computer Forensics & Cyber Crime Graduate (USIU)

Introduction: What is a bot(net)

Bot – type of malicious software

  • Places the infected machine (zombie) under the control of an attacker (bot herder or bot master)

  • Zombie connects to a Command and Control (C&C) server

  • Initially Internet Relay Chat (IRC) used to connect to C&C

  • These days bots use HTTP to connect to the C&C because it is NOT blocked on firewalls

Botnet - Network of machines infected with a particular bot

  • Common Command and Control (C&C) server

  • Often infected machines are designed to use automated infection vectors to infect other machines on the network

Introduction: Worldwide Statistics

Top Banking Botnets of 2013 – Released Feb 2014

Dell SecureWorks Counter Threat Unit (CTU)

  • Over 900 financial institutions around the globe are being targeted

  • Banks and Corporate Finance providers

  • Also providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, entertainment and dating portals

Top Banking Botnets of 2013



Top Botnets in Kenya - 2013 [exclusive statistics]

Check out Kenya Cyber Security Report 2014 by Serianu




What do Botnets Do?

  • Theft of Information (keyloggers)

  • Login credentials leading to Identity Theft

  • Financial data especially Credit Card data

  • IP/Trade secrets on espionage basis and Identity theft

  • Financial fraud: E-banking and Mobile banking

  • Consumer Accounts – Online shopping (Jambopay/Jumia/Pesapal)

  • Business Accounts – Online Banking (Corporate/Retail)

  • Spam/Phishing: Infected machines relay spam

  • Click Fraud: Automated clicks of Web advertising links for revenue

  • DDoS: Zombies can be co-ordinated to launch massive attacks

  • Pay per Install: malware distribution. Bot masters get paid for every 1,000 infected machines

  • Botnets for hire: Crime as a Service(CaaS)


Tactics for Botnet malware delivery

  • Cracked software or freeware

  • Clicking links to infected sites, e.g. a link in email/social media

  • Drive-by downloads: visiting a site with malicious scripts, automatic download through the browser without the user’s interaction/knowledge

  • Malicious PDFs

  • Malicious images/photos e.g. on social media

  • Creating FUD (Fully Undetectable) files by use of cryptors that evade anti-virus detection

  • Executable flash disks

  • Malicious mobile applications

Botnets on the Network



Background of Zeus, Citadel and Spyeye

  • Zeus creator called Slavik aka Monstr

  • Released 2007. Zeus code publicly leaked in May 2011 (many variants thereafter)

  • SpyEye creator called Gribodemon, aka Harderman

  • Released 2009. Initially a competitor to Zeus (removed Zeus)

  • Author Aleksander Panin arrested in Jan 2014

  • Citadel and Ice IX considered by-products of Zeus

  • Released in 2011

  • Citadel’s creator called Aquabox

  • Improved ZeuS’s code by making its control panel more user-friendly

  • Very good customer support network for buyers in underground

  • Ice IX creator called nvidiag

  • Gameover – P2P Zeus variant released in 2011. Highest infection rate of the variants

  • ZitMo – Zeus in The Mobile since 2010. Intercepts SMS messages carrying two-factor authentication codes

  • KINS – latest Zeus variant since 2013


Timeline of Zeus and its variants



Building the botnet

  • Builder – Bot preparation and compilation

  • Configuration file – Contains settings for the Bot

  • Web injects – Man-in-the-Browser customizations. These show extra fields in the log-in screens

  • Control Panel – Bot Master’s screen where they control all the Bots under their control.

  • Remote Scripts – The Bot Master’s tools to send commands to the infected machines



Online Services

Measures Taken to Secure Online Banking in East Africa

  • Virtual Keyboards

  • Randomized Keys

  • Hover-mode

  • Encryption

  • SSL over HTTP - HTTPS

  • Client Side Encryption

  • 2 page authentication

Measures Taken to Secure Online Payment and Shopping

  • Encryption

  • SSL over HTTP - HTTPS


Statistics: Online Banking - Kenya



Banks using virtual keyboards – 6/33 banks
Banks using 2PG (2-page authentication) – 4/33 banks



Banks with client side encryption – 2/33 banks
Banks with NO client side encryption – 31/33 banks

Online Banking - East Africa



Banks using virtual keyboards – 9/46 banks
Banks using 2PG (2-page authentication) – 6/46 banks



Banks with NO client side encryption – 40/46 banks
Banks with client side encryption – 6/46 banks

Banks Online Payment and Shopping



Top Online Payment Sites in Kenya with NO client side encryption – 4/4
Top Online Shopping Sites in Kenya with NO client side encryption – 6/6


Mobile Malware

ZitMo for Mobile banking

  • Version of Zeus that infects Mobile Phones

  • Mobile Banking is the new “thing” in Kenya, hence users are exposed to this Mobile Trojan and other mobile malware.

  • M-pesa users at risk as Android malware is on the rise.

  • Only a matter of time before a custom malware is made that targets M-pesa.


Botnet Evolution

  • Domain Generation Algorithms (DGA)

  • Tor Botnets - Anonymized

  • P2P botnets – Zeus P2P/Gameover etc




  • Patch systems: bots exploit known vulnerabilities for infection, especially in browsers and the Windows OS

  • Anti-malware tools: antivirus makers have signatures for the well known bot types

  • Use Browser protection

  • Use latest anti-malware updates and signatures

  • User Information Security Education, Training and Awareness Program (SETA)

  • Use reports like those by Serianu and Tespok Cyberusalama to know latest trends and how to avoid common vectors of infection


How do I know I’m Infected

  • Process Monitoring: e.g. use of CrowdInspect and Sysinternals TCPView

  • Registry Entries with sdra64.exe


  • Strange UDP and TCP ports


  • CrowdInspect – highly recommended for Microsoft users

  • Multiple sources of information, including VirusTotal, Web of Trust (WOT), and Team Cymru's Malware Hash Registry


  • Host-based process inspection for Forensic analysis

  • Tells you which network connections are open to which IP addresses, processes
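The host-side checks above (a known dropper filename such as sdra64.exe, strange UDP/TCP ports, and which process holds which connection) can be turned into a small triage script. The following is an added example, not code from the talk or from CrowdInspect/TCPView: it parses a constructed TCPView-style listing and flags connections that match the indicators named in the slides. The process allow/deny sets, the expected-port set and the C&C blocklist addresses are assumptions for the example (documentation IP ranges, not real C&C hosts).

```python
import re
from collections import namedtuple

# Constructed sample in the style of a TCPView/netstat listing (not real data).
SAMPLE_CONNECTIONS = """\
Process        PID   Proto  Local          Remote                State
svchost.exe    912   TCP    10.0.0.5:49152 10.0.0.1:53           ESTABLISHED
chrome.exe     2210  TCP    10.0.0.5:49170 203.0.113.10:443      ESTABLISHED
sdra64.exe     3340  TCP    10.0.0.5:49181 198.51.100.23:8080    ESTABLISHED
winlogon.exe   520   TCP    10.0.0.5:49190 198.51.100.77:6667    ESTABLISHED
explorer.exe   1604  UDP    10.0.0.5:49200 192.0.2.200:31337     *
"""

Connection = namedtuple("Connection", "process pid proto local remote state")

# One listing row: process, PID, protocol, local endpoint, remote endpoint, state.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Remote ports a workstation normally talks to; anything else is "strange".
# (Assumed baseline for this example; tune to the environment.)
EXPECTED_REMOTE_PORTS = {53, 80, 123, 443, 445, 587, 993, 995}
# Processes that should not hold outbound connections (assumption for the example).
NO_NETWORK_PROCESSES = {"winlogon.exe", "explorer.exe"}
# Zeus dropper filename mentioned in the talk.
KNOWN_BOT_FILES = {"sdra64.exe"}
# Constructed C&C blocklist (documentation address, not a real C&C host).
CNC_BLOCKLIST = {"198.51.100.23"}


def parse_connections(text):
    """Parse listing rows into Connection tuples; header/malformed rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        process, pid, proto, local, remote, state = m.groups()
        conns.append(Connection(process, int(pid), proto, local, remote, state))
    return conns


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); rpartition keeps IPv6-style hosts intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def triage(conns):
    """Return (process, pid, remote, reasons) for every connection that trips an indicator."""
    findings = []
    for c in conns:
        host, port = split_endpoint(c.remote)
        reasons = []
        if c.process.lower() in KNOWN_BOT_FILES:
            reasons.append("known bot filename")
        if host in CNC_BLOCKLIST:
            reasons.append("remote host on C&C blocklist")
        if port not in EXPECTED_REMOTE_PORTS:
            reasons.append("unusual remote port %d/%s" % (port, c.proto))
        if c.process.lower() in NO_NETWORK_PROCESSES:
            reasons.append("process not expected to make network connections")
        if reasons:
            findings.append((c.process, c.pid, c.remote, reasons))
    return findings


if __name__ == "__main__":
    for process, pid, remote, reasons in triage(parse_connections(SAMPLE_CONNECTIONS)):
        print("%s (pid %d) -> %s: %s" % (process, pid, remote, "; ".join(reasons)))
```

The port and process baselines are the weak point of any such script: a legitimate application on an unusual port is a false positive, while a bot that tunnels over 443 from a whitelisted browser process is a miss. The filename and blocklist matches are therefore the stronger signals, and a hit on either should be treated as a confirmed infection rather than a hint.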


Remediation: Network Side

  • Detecting C&C traffic

  • Examine network traffic for certain known patterns

  • Use logging information from IDS/IPS and firewalls, e.g. BotHunter and BotSniffer

  • Honeypots/Honeybots: Dionaea, Spam traps, Open Proxies, URL analysis

  • Correlate using SIEM tools



  • Hijacking Botnet traffic, redirecting it to analysis servers

  • Done by CERTs and Security Researchers in collaboration with ISPs and Domain Registrars

  • E.g. by Microsoft (Mar 2012), Polish CERT, Team Cymru

  • Study the Botnet then take down Domain Names and C&C Servers


Remediation: Network Side

  • Zeus Tracker and SpyEye Tracker (

  • Provide domain- and IP-blocklists of known ZeuS Command&Control servers (hosts) around the world, including Kenya
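Two of the network-side points above, matching DNS queries against a tracker-style C&C blocklist and spotting the Domain Generation Algorithm (DGA) names that newer bots use to find their C&C, can be checked together over DNS logs. The following is an added example and not code from the talk or from the Zeus/SpyEye trackers: the blocklist text and the DNS log lines are constructed samples in a one-host-per-line, `#`-commented format, the domains are documentation placeholders, and the DGA test is a crude length-plus-entropy heuristic chosen for this example rather than any tracker's method.

```python
import math
from collections import Counter

# Constructed blocklist in a one-domain-per-line, '#'-commented style
# (the entries are placeholders, not real C&C hosts).
BLOCKLIST_TEXT = """\
# Tracker-style domain blocklist (constructed sample)
# one domain per line
cnc-example.invalid
update-host.example
"""

# Constructed DNS query log: timestamp, client, queried name.
DNS_LOG = """\
2014-03-01T09:00:01 10.0.0.5 www.example.com
2014-03-01T09:00:02 10.0.0.5 cnc-example.invalid
2014-03-01T09:00:03 10.0.0.7 qzxvkwprtmnbfh.example
2014-03-01T09:00:04 10.0.0.7 mail.example.org
2014-03-01T09:00:05 10.0.0.9 x7k2p9d4w1q8z3.example
"""


def load_blocklist(text):
    """Read a '#'-commented, one-domain-per-line blocklist into a lower-cased set."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(fqdn):
    """Second-level label, e.g. 'qzxvkwprtmnbfh' from 'qzxvkwprtmnbfh.example'.
    Naive split on '.'; production code should consult the public-suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_dga(fqdn, min_len=12, entropy_threshold=3.5):
    """Crude DGA heuristic: a long second-level label with near-random character mix.
    Thresholds are assumptions for this example; long legitimate names (CDNs,
    tracking hosts) will produce false positives and dictionary-word DGAs are missed."""
    label = registered_label(fqdn)
    if len(label) < min_len:
        return False
    return shannon_entropy(label) >= entropy_threshold


def triage_dns(log_text, blocklist):
    """Return (client, name, reason) for blocklisted or DGA-like queries.
    A blocklist hit is reported first and is the stronger indicator."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, name = parts
        name = name.lower().rstrip(".")
        if name in blocklist:
            findings.append((client, name, "blocklisted C&C domain"))
        elif looks_like_dga(name):
            findings.append((client, name, "DGA-like name"))
    return findings


if __name__ == "__main__":
    for client, name, reason in triage_dns(DNS_LOG, load_blocklist(BLOCKLIST_TEXT)):
        print("%s queried %s: %s" % (client, name, reason))
```

The blocklist match is exact and cheap, so it is the part worth running against the full resolver log; the entropy heuristic is only a lead generator, and a client that produces many DGA-like lookups with NXDOMAIN answers in a short window is a far better signal than any single name.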



Paula Musuva-Kigen: [email protected]

Christian Kisutsa: [email protected]


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023