Conference review: Botconf 2015

Posted by   Virus Bulletin on   Dec 15, 2015

Third botnet fighting conference another big success.

Though only in its third year, Botconf has already become a regular fixture in my schedule. And thus, after having attended the conference in Nantes in 2013 and in Nancy in 2014, this year I joined more than 250 others for the three-day conference on botnets at Google France's headquarters in Paris.

The conference programme was rather full, featuring 29 presentations (including three keynotes) and a session of lightning talks all in a single stream. However, the tasty food during breaks, as well as the mix of shorter and longer talks, helped attendees stay focused.

Perhaps the most newsworthy talk of the conference was that on Ponmocup by Fox-IT researchers Maarten van Dantzig and Yonathan Klijnsma. I know of this malware mainly through previous Botconf presentations by Tom Ueltschi, as well as for its infamous decoy behaviour, which James Wyke discussed in his VB2014 presentation, but Maarten and Yonathan provided many more details on this intriguing threat.

The malware, which is after user data, takes decoy behaviour to such extremes that it serves adware when it suspects it is running in a virtual environment, leading many to write it off as a not very serious threat. It also installs unique copies on each infected machine, which has confused researchers who believed it was a very small-scale threat. In fact, it may have infected as many as 15 million machines, of which 500,000 are still active today, and is probably making a lot of money for its authors. The researchers released a report, which has already led to some changes being made by the malware authors.

Yonathan took to the stage again on the final morning of the conference, to discuss the evolution of Cryptowall, the infamous ransomware that may deserve to be called the true successor of Cryptolocker (whose name it even used in earlier versions). Intriguingly, but also frustratingly, Yonathan showed that malware authors actually read the security industry's blogs and often use them as free pen-testing.

The same was true for the authors of the Moose botnet, which consists of compromised Linux-based routers. Olivier Bilodeau talked about this at VB2015, yet it was interesting to hear the story again: how the malware works, how it is used to gain fake accolades on social media, and also how its authors responded to ESET's report in May this year.

Another Linux botnet was highlighted by Paul Jung (security consultant at Excellium Services), who discussed a network of compromised web servers, allegedly run from Indonesia. The frustrating part here for a change wasn't that it was advanced, but rather how simple the botnet was and how easy it seems to be to take over so many servers.

A look at these and other botnets from a different angle was given by Frank Denis, representing hosting provider OVH. The company has seen its fair share of abuse happening on its big network, which has led to blocks and blacklisting by the security community. To work with this community, Frank presented ERIS, a tool that allows a hosting provider to share information on their network, such as reassigned IP-addresses or investigated reports, which can then be used by the security community to make better informed decisions.

A number of talks dealt with ordinary Windows botnets, which have long lost their 'coolness' for security researchers, but which remain a plague for many Internet users, especially those in less-developed countries. Case in point was the Sality spam-sending botnet, which, as Peter Kleissner (LookingGlass) showed, was once huge but, thanks to people updating their PCs, has significantly shrunk in size. Jose Migueal Esparza (another researcher from Fox-IT) talked about another large botnet, Andromeda, and focused in particular on the business model behind it.

Perhaps fittingly, Botconf coincided with the takedown of the Dorkbot botnet. While there was no talk on this botnet, John Bambenek (Fidelis) gave an interesting presentation on takedowns in general, how they work, and their advantages and disadvantages.

There were some shorter (20-minute) presentations too, among which was one by ŀukasz Siewierski (CERT.PL) on a Polish company that was hacked through social engineering, had its customer list stolen (which was used to target customers as well), and then claimed nothing was wrong and even sued a journalist for reporting on the case. In another short presentation, Cisco's Veronica Valeros explained what happened when she let a malware sample run for several weeks inside a sandbox. Indeed, it started to behave differently after a few days, when it downloaded new payloads and began to perform brute-force attacks against WordPress sites.

Talks also covered, among other things, sandbox detection, DarkComet, Regin and (a running gag during the conference) DGAs. As with many European conferences, Xavier Mertens blogged about all presentations (day 1, day 2, day 3), thus doing justice to all speakers, whose presentations made the third Botconf such a great success.

Of course, the success of the event is also in large part thanks to the hard work of Eric Freyssinet and his fellow organisers, as well the generous hosts from Google and the many old and new friends I met in Paris. I'm certainly looking forward to Botconf 2016, which will take place in Lyon.

Posted on 15 December 2015 by Martijn Grooten



Latest posts:

Test your technical and mental limits in the VB2017 foosball tournament

As has become tradition, VB2017 will once again see a security industry table football tournament. Register your team now for some great fun and adrenaline-filled matches in between sessions in Madrid!

The case against running Windows XP is more subtle than we think it is

Greater Manchester Police is one of many organizations still running Windows XP on some of its systems. This is bad practice, but the case against running XP is far more subtle than we often pretend it is.

Hot FinSpy research completes VB2017 programme

Researchers from ESET have found a new way in which the FinSpy/FinFisher 'government spyware' can infect users, details of which they will present at VB2017 in Madrid.

Transparency is essential when monitoring your users' activities

Activity monitoring by security products in general, and HTTPS traffic inspection in particular, are sensitive issues in the security community. There is a time and a place for them, VB's Martijn Grooten argues, but only when they are done right.

VB2017 preview: Android reverse engineering tools: not the usual suspects

We preview the VB2017 paper by Fortinet researcher Axelle Apvrille, in which she looks at some less obvious tools for reverse engineering Android malware.