Conference review: Botconf 2015

Posted by Virus Bulletin on Dec 15, 2015

Third botnet fighting conference another big success.

Though only in its third year, Botconf has already become a regular fixture in my schedule. And thus, after having attended the conference in Nantes in 2013 and in Nancy in 2014, this year I joined more than 250 others for the three-day conference on botnets at Google France's headquarters in Paris.

The conference programme was rather full, featuring 29 presentations (including three keynotes) and a session of lightning talks all in a single stream. However, the tasty food during breaks, as well as the mix of shorter and longer talks, helped attendees stay focused.

Perhaps the most newsworthy talk of the conference was that on Ponmocup by Fox-IT researchers Maarten van Dantzig and Yonathan Klijnsma. I know of this malware mainly through previous Botconf presentations by Tom Ueltschi, as well as for its infamous decoy behaviour, which James Wyke discussed in his VB2014 presentation, but Maarten and Yonathan provided many more details on this intriguing threat.

The malware, which is after user data, takes decoy behaviour to such extremes that it serves adware when it suspects it is running in a virtual environment, leading many to dismiss it as a minor threat. It also installs a unique copy on each infected machine, which has misled researchers into believing it was a very small-scale threat. In fact, it may have infected as many as 15 million machines, of which 500,000 are still active today, and is probably making a lot of money for its authors. The researchers released a report, which has already led to some changes being made by the malware authors.

Yonathan took to the stage again on the final morning of the conference, to discuss the evolution of Cryptowall, the infamous ransomware that may deserve to be called the true successor of Cryptolocker (whose name it even used in earlier versions). Intriguingly, but also frustratingly, Yonathan showed that malware authors actually read the security industry's blogs and often use them as free pen-testing.

The same was true for the authors of the Moose botnet, which consists of compromised Linux-based routers. Olivier Bilodeau talked about this at VB2015, yet it was interesting to hear the story again: how the malware works, how it is used to gain fake accolades on social media, and also how its authors responded to ESET's report in May this year.

Another Linux botnet was highlighted by Paul Jung (security consultant at Excellium Services), who discussed a network of compromised web servers, allegedly run from Indonesia. The frustrating part here, for a change, wasn't that the botnet was advanced, but rather how simple it was and how easy it seems to be to take over so many servers.

A look at these and other botnets from a different angle was given by Frank Denis, representing hosting provider OVH. The company has seen its fair share of abuse happening on its big network, which has led to blocks and blacklisting by the security community. To work with this community, Frank presented ERIS, a tool that allows a hosting provider to share information on its network, such as reassigned IP addresses or abuse reports it has investigated, which the security community can then use to make better-informed decisions.

A number of talks dealt with ordinary Windows botnets, which have long lost their 'coolness' for security researchers, but which remain a plague for many Internet users, especially those in less-developed countries. A case in point was the Sality spam-sending botnet, which, as Peter Kleissner (LookingGlass) showed, was once huge but, thanks to people updating their PCs, has significantly shrunk in size. Jose Miguel Esparza (another researcher from Fox-IT) talked about another large botnet, Andromeda, and focused in particular on the business model behind it.

Perhaps fittingly, Botconf coincided with the takedown of the Dorkbot botnet. While there was no talk on this botnet, John Bambenek (Fidelis) gave an interesting presentation on takedowns in general, how they work, and their advantages and disadvantages.

There were some shorter (20-minute) presentations too, among which was one by Łukasz Siewierski (CERT.PL) on a Polish company that was hacked through social engineering, had its customer list stolen (which was then used to target the customers as well), and then claimed nothing was wrong and even sued a journalist for reporting on the case. In another short presentation, Cisco's Veronica Valeros explained what happened when she let a malware sample run for several weeks inside a sandbox. Indeed, it started to behave differently after a few days, when it downloaded new payloads and began to perform brute-force attacks against WordPress sites.

Talks also covered, among other things, sandbox detection, DarkComet, Regin and (a running gag during the conference) DGAs. As with many European conferences, Xavier Mertens blogged about all presentations (day 1, day 2, day 3), thus doing justice to all speakers, whose presentations made the third Botconf such a great success.

Of course, the success of the event is also in large part thanks to the hard work of Eric Freyssinet and his fellow organisers, as well as the generous hosts from Google and the many old and new friends I met in Paris. I'm certainly looking forward to Botconf 2016, which will take place in Lyon.

Posted on 15 December 2015 by Martijn Grooten
