Conference review: Botconf 2016

Posted by Martijn Grooten on Dec 20, 2016

This review was written by Martijn Grooten, Adrian Luca and Ionuț Răileanu.

Though still only in its fourth year, Botconf has become one of the Virus Bulletin team's favourite conferences. Late in November, three of the VB team flew to Lyon to attend this year's three-day event.

As its name suggests, Botconf is aimed at those who deal with various aspects of botnet research, though with a strong focus on technical analyses. And while many of the event's attendees came from France, the speaker line-up was international, even to the point that the organisers urged French researchers to submit papers for the next edition.


One of the most interesting presentations of the conference, and certainly one of the hottest, was "Visiting the Bear's Den", in which ESET researcher Jessy Campos presented research into the group variously known as Sednit, Cozy Bear, APT28 and Sofacy – outside the security community it is, of course, best known as the group that hacked the DNC and WADA. Jessy described the long chain of events that led to the hack, starting with the moment the fictional target 'Serge' clicked on the link in an email. His presentation both demonstrated that there is a well-funded group behind these attacks, and highlighted one of the best bodies of security research in recent years (the full paper can be found as a PDF here).

While most people are unlikely to be a target of the aforementioned group, the same cannot be said for exploit kits, which are always ready to infect those who are a little slow in updating their browser. At VB2016, Fidelis Security researcher John Bambenek presented a well-received Small Talk on the subject, and in Lyon he delivered a 50-minute presentation on exploit kits, in which he described the complex ecosystem in full detail. John suggested that takedown efforts against individual exploit kits may not be very effective, as new ones appear quickly, but that with an understanding of the full ecosystem we may find ways to hit exploit kits a lot harder. The arrests surrounding the Lurk malware and the subsequent demise of the Angler exploit kit, which was run by the same group, are an important example of this.

Another VB2016 presenter on the Botconf programme was CERT Poland's Maciej Kotowicz, who discussed ISFB. Based on Gozi, this is one of the most popular banking trojans on the black market; Maciej's thorough technical analysis gave some insights as to why that is the case.

Yandex researchers Andrey Kovalev and Evgeny Sidorov have spoken at a number of VB conferences, often on web-based malware. At Botconf, they gave a presentation on malware that lives inside the browser. This is not a new topic (indeed, they referred to a presentation on the same subject from the first edition of Botconf), but just like defensive technologies, browser-based malware has gone 'next-generation'. Using two examples of malware that uses rogue browser extensions, they showed why such malware is hard to detect, but also offered suggestions as to how it can be detected, both on the client side and the server side.

Another talk that looked at detecting malware infections was delivered by Sebastián García from the Czech Technical University in Prague, who spoke at VB2015 on the Stratosphere Project. In Lyon, he discussed how the team behind this project has developed an interesting approach that uses machine learning techniques to detect new malware by analysing the network flows generated by the malware and distinguishing them from the traffic generated by legitimate processes.

But while detection is important, it is just as important to make sure that malware has as little chance as possible of infecting users and performing its intended tasks in the first place. Kurtis Armour, a researcher at eSentire, gave a very interesting presentation on this subject, which was all about adding layers of controls to make executing bad code harder. With many easy-to-deploy tricks and tools, the presentation did make one wonder why more organisations don't practise this.

Another interesting technical talk was delivered by Jens Frieß and Laura Guevara from the Fraunhofer Institute. They discussed the issue of dealing with encrypted C&C traffic, in particular that using RSA. Accepting that this cannot be cracked merely by looking at the network traffic, they discussed how they modified the malicious binaries and injected the public key of their man-in-the-middle server, which could then read what information was being exchanged.
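To make the key-substitution idea concrete, here is an added toy model in Python; it is not code from the Fraunhofer talk or from any analysis tooling the speakers described. It uses textbook RSA on fixed Mersenne primes (no padding, far too small for real use) so that it runs offline with the standard library only. The "bot" holds an embedded public key in a configuration dictionary and encrypts its beacon with it; an analyst who only sees the ciphertext on the wire cannot read it, but after the embedded key is swapped for the analyst's own public key (the patch applied to the binary in the talk), the same beacon becomes readable by the analyst's interception server. All names (`make_key`, `bot_beacon`, `patch_embedded_key`, the beacon contents and the `c2.example.invalid` host) are hypothetical and constructed for this example.

```python
# Added example, not from the original post: toy model of reading RSA-protected
# C&C traffic by replacing the public key embedded in a malware sample.
# Textbook RSA with no padding; for illustration only.
from dataclasses import dataclass
from typing import Optional

# Mersenne primes 2^61-1, 2^89-1, 2^107-1 and 2^127-1 (all known primes).
MERSENNE = {61: 2**61 - 1, 89: 2**89 - 1, 107: 2**107 - 1, 127: 2**127 - 1}


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: Optional[int] = None  # private exponent; None for a public-only key


def make_key(p: int, q: int, e: int = 65537) -> RsaKey:
    """Build a textbook RSA key pair from two primes (constructed toy key)."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if e is not invertible mod phi
    return RsaKey(n=p * q, e=e, d=d)


def public(key: RsaKey) -> RsaKey:
    """Strip the private exponent: this is what a sample would embed."""
    return RsaKey(n=key.n, e=key.e)


def encrypt(pub: RsaKey, msg: bytes) -> int:
    m = int.from_bytes(msg, "big")
    if m >= pub.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, pub.e, pub.n)


def decrypt(priv: RsaKey, ciphertext: int) -> bytes:
    assert priv.d is not None, "need a private key to decrypt"
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def bot_beacon(config: dict, beacon: bytes) -> int:
    """What the (hypothetical) bot sends: the beacon under its embedded key."""
    return encrypt(config["pubkey"], beacon)


def patch_embedded_key(config: dict, new_pub: RsaKey) -> dict:
    """Analyst step: same sample, but with the public key swapped out."""
    return {**config, "pubkey": new_pub}


def demo() -> dict:
    operator = make_key(MERSENNE[61], MERSENNE[89])    # the operator's key pair
    analyst = make_key(MERSENNE[107], MERSENNE[127])   # the analyst's MITM key pair
    # Constructed sample configuration: C&C host plus embedded operator public key.
    sample = {"c2": "c2.example.invalid", "pubkey": public(operator)}
    beacon = b"id=0042;os=win10"  # constructed beacon payload

    on_wire = bot_beacon(sample, beacon)            # unmodified sample
    patched = patch_embedded_key(sample, public(analyst))
    on_wire_patched = bot_beacon(patched, beacon)    # sample with swapped key

    return {
        "operator_reads_original": decrypt(operator, on_wire),
        "analyst_reads_original": decrypt(analyst, on_wire),
        "analyst_reads_patched": decrypt(analyst, on_wire_patched),
        "beacon": beacon,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the model is the comparison between the two analyst decryptions: the passive capture yields nothing useful, while the patched sample's traffic decrypts cleanly, which is exactly why the speakers modified the binary rather than the network. In a real engagement the patch has to land on the key bytes as stored in the sample (often obfuscated or checked), and the interception server must forward the re-encrypted traffic to the real C&C if the goal is to observe the full exchange; those details are outside this toy.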

There were also a number of non-technical talks on the programme, one of which was given by Wayne Crowder on the subject of cyber insurance. This is not necessarily the most appealing topic for a technical audience, and Wayne mocked the supposed dullness of cyber insurance throughout his talk, while at the same time delivering a very interesting presentation, with many interesting statistics and details from real-life cases. Many of the audience members who had initially been sceptical about such a non-technical way to tackle the problem of cybersecurity were convinced by Wayne's arguments that insurance can play an important role, and that the requirements set by insurers can actually help to make individuals and organisations more secure.

In total, there were 25 talks on the programme. Others included one from Christiaan Beek on ransomware, an update on the Moose botnet (which we blogged about earlier this month), Botconf regular Tom Ueltschi talking about using Sysmon and Splunk to detect botnets, as well as several talks on Dridex. There were also a number of talks that were very interesting, but which were classified as TLP:RED and thus cannot be written about.

Of course, Botconf 2016 was also about meeting old and new friends, about eating good food (Lyon is often called the gastronomic capital of France, and with good reason), and about visiting another French city. Like many attendees, as soon as the location for Botconf 2017 was announced – Montpellier – we started looking at flights.

We referred to a three-part review of Botconf by Xavier Mertens (part 1, part 2, part 3) to help refresh our memories and write this blog post.
