Botconf - the 'first botnet fighting conference'

Posted by   Virus Bulletin on   Dec 10, 2013

Tools, ideas and research presented in Nantes.

There are far too many security conferences each year for my agenda, budget and brain to handle, and thus I need to choose carefully which ones to attend. But when I first heard of Botconf, I knew immediately that it would be on my must-attend list.

France seemed like an appropriate country to host the 'first botnet fighting conference', with a lot of cybercrime research going on between the Picardy coast and the Pyrenees. Some of this research activity is concentrated in the 'study community', in which the conference finds its roots.

So on a cold Thursday in December, some 160 botnet researchers from two dozen countries around the globe descended on the city of Nantes, in Western France.

The schedule for the two-day event looked tightly packed - and the conference organiser in me was a little worried about whether the talks would all be kept on schedule. I needn't have worried: speakers kept to their allotted times and there was plenty of time for discussion between the talks.

At every conference there are things that one thinks could be improved upon (for instance, I would have liked the badges to have included the delegates' affiliations - and not just because it would have prevented me from congratulating the wrong person on his talk), but these are minor details. Overall, Eric Freyssinet and his fellow organisers did an excellent job in running the conference and leaving us all wanting to come back for the second edition next year.

The various speakers on the interesting and varied programme did a great job too. There were speakers representing big and small security companies, but also many who, while working in the security business in one way or another, presented research they had conducted in their own time. There were also a few speakers representing governments or inter-governmental organisations.

Blogger Xavier Mertens sat in the front row for all of the presentations and wrote about them on his blog here and here. Anyone wanting details of all the talks should refer to his posts; I will restrict my review to a few of the talks that I found of particular interest - while adding that this was at least as much influenced by personal preferences and the amount of caffeine and sleep I had prior to the talks as it was by the quality of the presentations themselves.

ESET's Sébastien Duquette gave an interesting presentation on the malicious web server binaries that are used to make compromised servers spread malware. Having written about the subject in the past, it continues to fascinate me - and I believe it still doesn't get the attention it deserves. As this technique is used to infect unprotected website visitors with malware, it plays an essential role in the propagation of many a botnet.

Further on in the lifecycle of a botnet, its owner needs to be able to control the bots. To protect both the botnet owners' own identities and those of the command-and-control servers, various proxy networks are available in the cybercrime underground. Brad Porter (Internet Identity) and Nick Summerlin (iSight) gave an interesting overview of how various such networks work.

On the second day, I was fascinated by a presentation from Paul Rascagnères. Paul presented many details on a group of advanced cybercriminals that he initially believed to be APT1, but later realised was a different group working from the same time zone. That mattered to him, as the group's servers were only active when they were being used, roughly between 1am and 10am Luxembourg time, so Paul had to develop an alarm that would wake him up as soon as the group became active. Once it was, he used 'offensive security methods' to find out many details about the group, which made heavy use of the 'Poison Ivy' remote access trojan.
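The 'alarm' Paul describes is a small but useful operational pattern: keep probing a server that is only up while its operators are using it, and page on the down-to-up transition rather than on every poll. The example below is added here and is not Paul's tooling; the talk did not describe how his alarm detected activity, so the TCP-connect probe, the fixed UTC+1 offset for Luxembourg in December and the poll samples are all assumptions made for illustration.

```python
"""Down-to-up alarm for a server that is only reachable while in use.

Added example, not the speaker's own code. The probe method (a plain TCP
connect), the fixed winter-time offset and the sample poll results below are
assumptions / constructed data, not facts from the talk.
"""
import socket
from datetime import datetime, time, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Tuple

# Assumption: Luxembourg is UTC+1 in December (no DST), modelled as a fixed offset.
LUXEMBOURG = timezone(timedelta(hours=1))
# The talk gave the group's working hours as roughly 01:00-10:00 Luxembourg time.
WINDOW_START = time(1, 0)
WINDOW_END = time(10, 0)


def in_expected_window(ts: datetime) -> bool:
    """True if ts (any tz-aware datetime) falls in the group's usual 01:00-10:00 local window."""
    local = ts.astimezone(LUXEMBOURG).time()
    return WINDOW_START <= local < WINDOW_END


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Assumed probe: does the port accept a TCP connection right now?

    Nothing is sent after the handshake, so a silent service still counts as 'up'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def detect_transitions(samples: Iterable[Tuple[datetime, bool]]) -> List[Dict]:
    """Turn a sequence of (timestamp, reachable) polls into alerts.

    An alert is raised only when a poll sees the host up after it was down (or
    never seen), so a server that stays up for hours pages once, not every minute.
    Each alert records whether it fell inside the expected activity window, which
    lets the analyst notice activity at an unusual hour.
    """
    alerts: List[Dict] = []
    previously_up = False
    for ts, up in samples:
        if up and not previously_up:
            alerts.append({"time": ts.isoformat(), "in_window": in_expected_window(ts)})
        previously_up = up
    return alerts


def watch(host: str, port: int, polls: int, interval_s: float = 60.0,
          probe: Callable[[str, int], bool] = tcp_probe,
          now: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
          sleep: Callable[[float], None] = __import__("time").sleep) -> List[Dict]:
    """Poll `polls` times, `interval_s` apart, and return the alerts produced.

    The probe, clock and sleep are injectable so the loop can be exercised offline.
    """
    samples: List[Tuple[datetime, bool]] = []
    for i in range(polls):
        samples.append((now(), probe(host, port)))
        if i < polls - 1:
            sleep(interval_s)
    return detect_transitions(samples)


# Constructed sample polls (UTC): down, then up for two polls, down, then up again later.
SAMPLE_POLLS = [
    (datetime(2013, 12, 5, 23, 30, tzinfo=timezone.utc), False),
    (datetime(2013, 12, 6, 0, 0, tzinfo=timezone.utc), True),   # 01:00 Luxembourg: in window
    (datetime(2013, 12, 6, 0, 30, tzinfo=timezone.utc), True),  # still up, no new alert
    (datetime(2013, 12, 6, 9, 0, tzinfo=timezone.utc), False),  # 10:00 Luxembourg: gone again
    (datetime(2013, 12, 6, 12, 0, tzinfo=timezone.utc), True),  # 13:00 Luxembourg: unusual hour
]

if __name__ == "__main__":
    for alert in detect_transitions(SAMPLE_POLLS):
        flag = "" if alert["in_window"] else " (outside the usual window)"
        print(f"server came up at {alert['time']}{flag}")
```

With the constructed polls above the loop pages twice: once at the start of the expected window and once for the afternoon appearance, which is flagged as outside the usual hours. In real use `watch()` would be pointed at the observed command-and-control host and port, with a notification hook in place of the print.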

It wasn't only the content of Paul's presentation that was well received by the audience. In honour of the 'cyber-vigilantes' from Malware Must Die!, who have taken action against many botnets while using the language of crusades and knights, Paul wore a medieval tunic in Malware Must Die! colours for his presentation.

  Paul Rascagnères paying tribute to 'Malware Must Die!' - photo by Xavier Mertens.

In fact, two members of Malware Must Die! gave my favourite presentation of the conference. Hendrik Adrian and Dhia Mahjoub (the latter also of Umbrella Labs) presented a technical overview of the Kelihos fast-flux botnet, giving many details, including many on the person behind it. Not only did this provide great insight into how the botnet works, it was presented with the same passion as the group puts into its blog and Twitter account, and one could almost see the hashtags and exclamation marks jump off the stage.

I left Nantes on Saturday morning with my head full of new ideas and my heart full of inspiration to help the fight against botnets. But I also felt humbled by the blood, sweat and tears many of the speakers had shed - often in their own time - in carrying out research and developing tools for the community, all to make the world a more secure place.

Malware must die, for sure, but since it is unlikely to do so within the next 12 months, I am already looking forward to the next Botconf, to be held at a yet-to-be-determined location, in France.

Posted on 10 December 2013 by Martijn Grooten
