Botconf - the 'first botnet fighting conference'

Posted by Virus Bulletin on Dec 10, 2013

Tools, ideas and research presented in Nantes.

There are far too many security conferences each year for my agenda, budget and brain to handle, and thus I need to choose carefully which ones to attend. But when I first heard of Botconf, I knew immediately that it would be on my must-attend list.

France seemed like an appropriate country to host the 'first botnet fighting conference', with a lot of cybercrime research going on between the Picardic Coast and the Pyrenees. Some of this research activity is concentrated in the 'study community', in which the conference finds its roots.

So on a cold Thursday in December, some 160 botnet researchers from two dozen countries around the globe descended on the city of Nantes, in Western France.

The schedule for the two-day event looked tightly packed - and the conference organiser in me was a little worried about whether the talks would all be kept on schedule. I needn't have worried: speakers kept to their allotted times and there was plenty of time for discussion between the talks.

At every conference there are things that one thinks could be improved upon (for instance, I would have liked the badges to have included the delegates' affiliations - and not just because it would have prevented me from congratulating the wrong person on his talk), but these are minor details. Overall, Eric Freyssinet and his fellow organisers did an excellent job in running the conference and leaving us all wanting to come back for the second edition next year.

The various speakers on the interesting and varied program did a great job too. There were speakers representing big and small security companies, but also many who, while working in the security business in one way or another, presented research they had conducted in their own time. There were also a few speakers representing government or inter-governmental organisations.

Blogger Xavier Mertens sat on the front row for all of the presentations and wrote about them on his blog here and here. Anyone wanting to find details of all the talks should refer to his posts; I will restrict my review to a few of the talks that I found of particular interest - while adding that this was at least as much influenced by personal preferences and the amount of caffeine and sleep I had prior to the talks as it was by the quality of the presentations themselves.

ESET's Sébastien Duquette gave an interesting presentation on the malicious web server binaries that are used to make compromised servers spread malware. Having written about the subject in the past, it continues to fascinate me - and I believe it still doesn't get the attention it deserves. As this technique is used to infect unprotected website visitors with malware, it plays an essential role in the propagation of many a botnet.

Further on in the lifecycle of a botnet, its owner needs to be able to control the bots. To protect both the botnet owners' own identities and those of the command-and-control servers, various proxy networks are available in the cybercrime underground. Brad Porter (Internet Identity) and Nick Summerlin (iSight) gave an interesting overview of how various such networks work.

On the second day, I was fascinated by a presentation from Paul Rascagnères. Paul presented many details on a group of advanced cybercriminals that he initially believed to be APT1, but later realised was a different group working from the same time zone. That mattered to him, as the group's servers were only active when they were being used, roughly between 1am and 10am Luxembourg time, so Paul had to develop an alarm that would wake him up as soon as the group became active. Once they were, he used 'offensive security methods' to find out many details about the group, which made heavy use of the 'Poison Ivy' remote access trojan.

It wasn't only the content of Paul's presentation that was well received by the audience. In honour of the 'cyber-vigilantes' from Malware Must Die!, who have taken action against many botnets while using the language of crusades and knights, Paul wore a medieval tunic in Malware Must Die! colours for his presentation.

Paul Rascagnères paying tribute to 'Malware Must Die!' - photo by Xavier Mertens.

In fact, two members of Malware Must Die! gave my favourite presentation of the conference. Hendrik Adrian and Dhia Mahjoub (the latter also of Umbrella Labs) presented a technical overview of the Kelihos fast-flux botnet, giving many details, including many on the person behind it. Not only did this provide a great insight into how the botnet works, it was presented with the same passion as the group puts into its blog and Twitter account, and one could almost see the hashtags and exclamation marks jump off the stage.

I left Nantes on Saturday morning with my head full of new ideas and my heart full of inspiration to help the fight against botnets. But I also felt humbled by the blood, sweat and tears many of the speakers had shed - often in their own time - in carrying out research and developing tools for the community, all to make the world a more secure place.

Malware must die, for sure, but since it is unlikely to do so within the next 12 months, I am already looking forward to the next Botconf, to be held at a yet-to-be-determined location, in France.

Posted on 10 December 2013 by Martijn Grooten
