Botconf - the 'first botnet fighting conference'

Posted by Virus Bulletin on Dec 10, 2013

Tools, ideas and research presented in Nantes.

There are far too many security conferences each year for my agenda, budget and brain to handle, and thus I need to choose carefully which ones to attend. But when I first heard of Botconf, I knew immediately that it would be on my must-attend list.

France seemed like an appropriate country to host the 'first botnet fighting conference', with a lot of cybercrime research going on between the Picardic Coast and the Pyrenees. Some of this research activity is concentrated in the 'study community', in which the conference finds its roots.

So on a cold Thursday in December, some 160 botnet researchers from two dozen countries around the globe descended on the city of Nantes, in Western France.

The schedule for the two-day event looked tightly packed - and the conference organiser in me was a little worried about whether the talks would all be kept on schedule. I needn't have worried: speakers kept to their allotted times and there was plenty of time for discussion between the talks.

At every conference there are things that one thinks could be improved upon (for instance, I would have liked the badges to have included the delegates' affiliations - and not just because it would have prevented me from congratulating the wrong person on his talk), but these are minor details. Overall, Eric Freyssinet and his fellow organisers did an excellent job in running the conference and leaving us all wanting to come back for the second edition next year.

The various speakers on the interesting and varied programme did a great job too. There were speakers representing big and small security companies, but also many who, while working in the security business in one way or another, presented research they had conducted in their own time. There were also a few speakers representing government or inter-governmental organisations.

Blogger Xavier Mertens sat on the front row for all of the presentations and wrote about them on his blog here and here. Anyone wanting to find details of all the talks should refer to his posts; I will restrict my review to a few of the talks that I found of particular interest - while adding that this was at least as much influenced by personal preferences and the amount of caffeine and sleep I had prior to the talks as it was by the quality of the presentations themselves.

ESET's Sébastien Duquette gave an interesting presentation on the malicious web server binaries that are used to make compromised servers spread malware. Having written about the subject in the past, it continues to fascinate me - and I believe it still doesn't get the attention it deserves. As this technique is used to infect unprotected website visitors with malware, it plays an essential role in the propagation of many a botnet.

Further on in the lifecycle of a botnet, its owner needs to be able to control the bots. To protect both the botnet owners' own identities and those of the command-and-control servers, various proxy networks are available in the cybercrime underground. Brad Porter (Internet Identity) and Nick Summerlin (iSight) gave an interesting overview of how various such networks work.

On the second day, I was fascinated by a presentation from Paul Rascagnères. Paul presented many details on a group of advanced cybercriminals that he initially believed to be APT1, but later realised was a different group working from the same time zone. That mattered to him, as the group's servers were only active when they were being used, roughly between 1am and 10am Luxembourg time, so Paul had to develop an alarm that would wake him up as soon as the group became active. Once they were, he used 'offensive security methods' to find out many details about the group, which made heavy use of the 'Poison Ivy' remote access trojan.

It wasn't only the content of Paul's presentation that was well received by the audience. In honour of the 'cyber-vigilantes' from Malware Must Die!, who have taken action against many botnets while using the language of crusades and knights, Paul wore a medieval tunic in Malware Must Die! colours for his presentation.

Paul Rascagnères paying tribute to 'Malware Must Die!' - photo by Xavier Mertens.

In fact, two members of Malware Must Die! gave my favourite presentation of the conference. Hendrik Adrian and Dhia Mahjoub (the latter also of Umbrella Labs) presented a technical overview of the Kelihos fast-flux botnet, giving many details, including many about the person behind it. Not only did this provide a great insight into how the botnet works, it was presented with the same passion as the group puts into its blog and Twitter account, and one could almost see the hashtags and exclamation marks jump off the stage.

I left Nantes on Saturday morning with my head full of new ideas and my heart full of inspiration to help the fight against botnets. But I also felt humbled by the blood, sweat and tears many of the speakers had shed - often in their own time - in carrying out research and developing tools for the community, all to make the world a more secure place.

Malware must die, for sure, but since it is unlikely to do so within the next 12 months, I am already looking forward to the next Botconf, to be held at a yet-to-be-determined location, in France.

Posted on 10 December 2013 by Martijn Grooten
