Conference review: Botconf 2015

Posted by Virus Bulletin on Dec 15, 2015

Third botnet fighting conference another big success.

Though only in its third year, Botconf has already become a regular fixture in my schedule. And thus, after having attended the conference in Nantes in 2013 and in Nancy in 2014, this year I joined more than 250 others for the three-day conference on botnets at Google France's headquarters in Paris.

The conference programme was rather full, featuring 29 presentations (including three keynotes) and a session of lightning talks all in a single stream. However, the tasty food during breaks, as well as the mix of shorter and longer talks, helped attendees stay focused.

Perhaps the most newsworthy talk of the conference was that on Ponmocup by Fox-IT researchers Maarten van Dantzig and Yonathan Klijnsma. I know of this malware mainly through previous Botconf presentations by Tom Ueltschi, as well as for its infamous decoy behaviour, which James Wyke discussed in his VB2014 presentation, but Maarten and Yonathan provided many more details on this intriguing threat.

The malware, which is after user data, takes decoy behaviour to such extremes that it serves adware when it suspects it is running in a virtual environment, leading many to write it off as a not very serious threat. It also installs unique copies on each infected machine, which has confused researchers who believed it was a very small-scale threat. In fact, it may have infected as many as 15 million machines, of which 500,000 are still active today, and is probably making a lot of money for its authors. The researchers released a report, which has already led to some changes being made by the malware authors.

Yonathan took to the stage again on the final morning of the conference, to discuss the evolution of Cryptowall, the infamous ransomware that may deserve to be called the true successor of Cryptolocker (whose name it even used in earlier versions). Intriguingly, but also frustratingly, Yonathan showed that malware authors actually read the security industry's blogs and often use them as free pen-testing.

The same was true for the authors of the Moose botnet, which consists of compromised Linux-based routers. Olivier Bilodeau talked about this at VB2015, yet it was interesting to hear the story again: how the malware works, how it is used to gain fake accolades on social media, and also how its authors responded to ESET's report in May this year.

Another Linux botnet was highlighted by Paul Jung (security consultant at Excellium Services), who discussed a network of compromised web servers, allegedly run from Indonesia. The frustrating part here for a change wasn't that it was advanced, but rather how simple the botnet was and how easy it seems to be to take over so many servers.

A look at these and other botnets from a different angle was given by Frank Denis, representing hosting provider OVH. The company has seen its fair share of abuse happening on its big network, which has led to blocks and blacklisting by the security community. To work with this community, Frank presented ERIS, a tool that allows a hosting provider to share information on its network, such as reassigned IP addresses or investigated abuse reports, which the security community can then use to make better-informed decisions.

A number of talks dealt with ordinary Windows botnets, which have long lost their 'coolness' for security researchers, but which remain a plague for many Internet users, especially those in less-developed countries. A case in point was the Sality spam-sending botnet, which, as Peter Kleissner (LookingGlass) showed, was once huge but, thanks to people updating their PCs, has significantly shrunk in size. Jose Miguel Esparza (another researcher from Fox-IT) talked about another large botnet, Andromeda, and focused in particular on the business model behind it.

Perhaps fittingly, Botconf coincided with the takedown of the Dorkbot botnet. While there was no talk on this botnet, John Bambenek (Fidelis) gave an interesting presentation on takedowns in general, how they work, and their advantages and disadvantages.

There were some shorter (20-minute) presentations too, among which was one by Łukasz Siewierski (CERT.PL) on a Polish company that was hacked through social engineering, had its customer list stolen (which was used to target customers as well), and then claimed nothing was wrong and even sued a journalist for reporting on the case. In another short presentation, Cisco's Veronica Valeros explained what happened when she let a malware sample run for several weeks inside a sandbox. Indeed, it started to behave differently after a few days, when it downloaded new payloads and began to perform brute-force attacks against WordPress sites.

Talks also covered, among other things, sandbox detection, DarkComet, Regin and (a running gag during the conference) DGAs. As with many European conferences, Xavier Mertens blogged about all presentations (day 1, day 2, day 3), thus doing justice to all speakers, whose presentations made the third Botconf such a great success.

Of course, the success of the event is also in large part thanks to the hard work of Eric Freyssinet and his fellow organisers, as well as the generous hosts from Google and the many old and new friends I met in Paris. I'm certainly looking forward to Botconf 2016, which will take place in Lyon.

Posted on 15 December 2015 by Martijn Grooten

