Conference review: Botconf 2015

Posted by   Virus Bulletin on   Dec 15, 2015

Third botnet fighting conference another big success.

Though only in its third year, Botconf has already become a regular fixture in my schedule. And thus, after having attended the conference in Nantes in 2013 and in Nancy in 2014, this year I joined more than 250 others for the three-day conference on botnets at Google France's headquarters in Paris.

The conference programme was rather full, featuring 29 presentations (including three keynotes) and a session of lightning talks all in a single stream. However, the tasty food during breaks, as well as the mix of shorter and longer talks, helped attendees stay focused.

Perhaps the most newsworthy talk of the conference was that on Ponmocup by Fox-IT researchers Maarten van Dantzig and Yonathan Klijnsma. I know of this malware mainly through previous Botconf presentations by Tom Ueltschi, as well as for its infamous decoy behaviour, which James Wyke discussed in his VB2014 presentation, but Maarten and Yonathan provided many more details on this intriguing threat.

The malware, which is after user data, takes decoy behaviour to such extremes that it serves adware when it suspects it is running in a virtual environment, leading many to write it off as a not very serious threat. It also installs unique copies on each infected machine, which has confused researchers who believed it was a very small-scale threat. In fact, it may have infected as many as 15 million machines, of which 500,000 are still active today, and is probably making a lot of money for its authors. The researchers released a report, which has already led to some changes being made by the malware authors.

Yonathan took to the stage again on the final morning of the conference, to discuss the evolution of Cryptowall, the infamous ransomware that may deserve to be called the true successor of Cryptolocker (whose name it even used in earlier versions). Intriguingly, but also frustratingly, Yonathan showed that malware authors actually read the security industry's blogs and often use them as free pen-testing.

The same was true for the authors of the Moose botnet, which consists of compromised Linux-based routers. Olivier Bilodeau talked about this at VB2015, yet it was interesting to hear the story again: how the malware works, how it is used to gain fake accolades on social media, and also how its authors responded to ESET's report in May this year.

Another Linux botnet was highlighted by Paul Jung (security consultant at Excellium Services), who discussed a network of compromised web servers, allegedly run from Indonesia. The frustrating part here for a change wasn't that it was advanced, but rather how simple the botnet was and how easy it seems to be to take over so many servers.

A look at these and other botnets from a different angle was given by Frank Denis, representing hosting provider OVH. The company has seen its fair share of abuse happening on its big network, which has led to blocks and blacklisting by the security community. To work with this community, Frank presented ERIS, a tool that allows a hosting provider to share information on their network, such as reassigned IP-addresses or investigated reports, which can then be used by the security community to make better informed decisions.

A number of talks dealt with ordinary Windows botnets, which have long lost their 'coolness' for security researchers, but which remain a plague for many Internet users, especially those in less-developed countries. Case in point was the Sality spam-sending botnet, which, as Peter Kleissner (LookingGlass) showed, was once huge but, thanks to people updating their PCs, has significantly shrunk in size. Jose Migueal Esparza (another researcher from Fox-IT) talked about another large botnet, Andromeda, and focused in particular on the business model behind it.

Perhaps fittingly, Botconf coincided with the takedown of the Dorkbot botnet. While there was no talk on this botnet, John Bambenek (Fidelis) gave an interesting presentation on takedowns in general, how they work, and their advantages and disadvantages.

There were some shorter (20-minute) presentations too, among which was one by ŀukasz Siewierski (CERT.PL) on a Polish company that was hacked through social engineering, had its customer list stolen (which was used to target customers as well), and then claimed nothing was wrong and even sued a journalist for reporting on the case. In another short presentation, Cisco's Veronica Valeros explained what happened when she let a malware sample run for several weeks inside a sandbox. Indeed, it started to behave differently after a few days, when it downloaded new payloads and began to perform brute-force attacks against WordPress sites.

Talks also covered, among other things, sandbox detection, DarkComet, Regin and (a running gag during the conference) DGAs. As with many European conferences, Xavier Mertens blogged about all presentations (day 1, day 2, day 3), thus doing justice to all speakers, whose presentations made the third Botconf such a great success.

Of course, the success of the event is also in large part thanks to the hard work of Eric Freyssinet and his fellow organisers, as well the generous hosts from Google and the many old and new friends I met in Paris. I'm certainly looking forward to Botconf 2016, which will take place in Lyon.

Posted on 15 December 2015 by Martijn Grooten



Latest posts:

WannaCry shows we need to understand why organizations don't patch

Perhaps the question we should be asking about WannaCry is not "why do so many organizations allow unpatched machines to exist on their networks?" but "why doesn't patching work reasonably well most of the time?"

Modern security software is not necessarily powerless against threats like WannaCry

The WannaCry ransomware has affected many organisations around the world, making it probably the worst and most damaging of its kind. But modern security is not necessarily powerless against such threats.

Throwback Thursday: CARO: A personal view

This week sees the 11th International CARO Workshop taking place in Krakow, Poland – a prestigious annual meeting of anti-malware and security experts. As a founding member of CARO, Fridrik Skulason was well placed, in August 1994, to shed some light…

VB2016 paper: Uncovering the secrets of malvertising

Malicious advertising, a.k.a. malvertising, has evolved tremendously over the past few years to take a central place in some of today’s largest web-based attacks. It is by far the tool of choice for attackers to reach the masses but also to target…

Throwback Thursday: Tools of the DDoS Trade

As DDoS attacks become costlier to fix and continue to increase in both number and diversity, we turn back the clock to 2000, when Aleksander Czarnowski took a look at the DDoS tools of the day.