Botconf - the 'first botnet fighting conference'

Posted by   Virus Bulletin on   Dec 10, 2013

Tools, ideas and research presented in Nantes.

There are far too many security conferences each year for my agenda, budget and brain to handle, and thus I need to choose carefully which ones to attend. But when I first heard of Botconf, I knew immediately that it would be on my must-attend list.

France seemed like an appropriate country to host the 'first botnet fighting conference', with a lot of cybercrime research going on between the Picardic Coast and the Pyrenees. Some of this research activity is concentrated in the 'study community' botnets.fr, in which the conference finds it roots.

So on a cold Thursday in December, some 160 botnet researchers from two dozen countries around the globe descended on the city of Nantes, in Western France.

The schedule for the two-day event looked tightly packed - and the conference organiser in me was a little worried about whether the talks would all be kept on schedule. I needn't have worried: speakers kept to their allotted times and there was plenty of time for discussion between the talks.

At every conference there are things that one thinks could be improved upon (for instance, I would have liked the badges to have included the delegates' affiliations - and not just because it would have prevented me from congratulating the wrong person on his talk), but these are minor details. Overall, Eric Freyssinet and his fellow organisers did an excellent job in running the conference and leaving us all wanting to come back for the second edition next year.

The various speakers on the interesting and varied program did a great job too. There were speakers respresenting big and small security companies, but also many who, while working in the security business in one way or another, presented research they had conducted in their own time. There were also a few speakers representing government, or inter-governmental organisations.

Blogger Xavier Mertens sat on the front row for all of the presentations and wrote about them on his blog here and here. Anyone wanting to find details of all the talks should refer to his posts; I will restrict my review to a few of the talks that I found of particular interest - while adding that this was at least as much influenced by personal preferences and the amount of caffeine and sleep I had prior to the talks as it was by the quality of the presentations itself.

ESET's Sébastien Duquette gave an interesting presentation on the malicious web server binaries that are used to make compromised servers spread malware. Having written about the subject in the past, it continues to fascinate me - and I believe it still doesn't get the attention it deserves. As this technique is used to infect unprotected website visitors with malware, it plays an essential role in the propagation of many a botnet.

Further on in the lifecycle of a botnet, its owner needs to be able to able to control the bots. To protect both the botnet owners' own identities and those of the command-and-control servers, various proxy networks are available in the cybercrime underground. Brad Porter (Internet Identity) and Nick Summerlin (iSight) gave an interesting overview of how various such networks work.

On the second day, I was fascinated by a presentation from Paul Rascagnères, of malware.lu. Paul presented many details on a group of advanced cybercriminals that he initially believed to be APT1, but later realised was a different group working from the same time zone. That mattered to him, as the group's servers were only active when they were being used, roughly between 1am and 10am Luxembourg time, so Paul have to develop an alarm that would wake him up as soon as the group became active. Once they were, he used 'offensive security methods' to find out many details about the group that made heavy use of the 'Poison Ivy' remote access trojan.

It wasn't only the content of Paul's presentation that was well received by the audience. In honour of the 'cyber-vigilantes' from Malware Must Die!, who have taken action against many botnets while using the language of crusades and knights, Paul wore a medieval tunic in Malware Must Die! colours for his presentation.

  Paul Rascagnères paying tribute to 'Malware Must Die!' - photo by Xavier Mertens.

In fact, two members of Malware Must Die! gave my favourite presentation of the conference. Hendrik Adrian and Dhia Mahjoub (the latter also of Umbrella Labs) presented a technincal overview of the Kelihos fast-flux botnet, giving many details including many on the person behind it. Not only did this provide a great insight into how the botnet works, it was presented with the same passion as the group puts into its blog and Twitter account, and one could almost see the hashtags and exclamation marks jump off the stage.

I left Nantes on Saturday morning with my head full of new ideas and my heart full of inspiration to help the fight against botnets. But I also felt humbled by the blood, sweat and tears many of the speakers had shed - often in their own time - in carrying out research and developing tools for the community, all to make the world a more secure place.

Malware must die, for sure, but since it is unlikely to do so within the next 12 months, I am already looking forward to the next Botconf, to be held at a yet-to-be-determined location, in France.

Posted on 10 December 2013 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

We are more ready for IPv6 email than we may think

Though IPv6 is gradually replacing IPv4 on the Internet's network layer, email is lagging behind, the difficulty in blocking spam sent over IPv6 cited as a reason not to move. But would we really have such a hard time blocking spam sent over IPv6?

Subtle change could see a reduction in installation of malicious Chrome extensions

Google has made a subtle change to its Chrome browser, banning the inline installation of new extensions, thus making it harder for malware authors to trick users into unwittingly installing malicious extensions.

Paper: EternalBlue: a prominent threat actor of 2017–2018

We publish a paper by researchers from Quick Heal Security Labs in India, who study the EternalBlue and DoublePulsar exploits in full detail.

'North Korea' a hot subject among VB2018 talks

Several VB2018 papers deal explicitly or implicitly with threats that have been attributed to North Korean actors.

Expired domain led to SpamCannibal's blacklist eating the whole world

The domain of the little-used SpamCannibal DNS blacklist had expired, resulting in it effectively listing every single IP address.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.