Conference review: Botconf 2016

Posted by   Martijn Grooten on   Dec 20, 2016

This review was written by Martijn Grooten, Adrian Luca and Ionuț Răileanu.

Though still only in its fourth year, Botconf has become one of the Virus Bulletin team's favourite conferences. Late in November, three of the VB team flew to Lyon to attend this year's three-day event.

As its name suggests, Botconf is aimed at those who deal with various aspects of botnet research, though with a strong focus on technical analyses. And while many of the event's attendees came from France, the speaker line-up was international, even to the point that the organisers urged French researchers to submit papers for the next edition.


One of the most interesting presentations of the conference, and certainly one of the hottest, was "Visiting the Bear's Den", in which ESET researcher Jessy Campos presented research into the group variously known as Sednit, Cozy Bear, APT28 and Sofacy – outside the security community it is, of course, best known as the group that hacked the DNC and WADA. Jessy described the long chain of events that led to the hack, starting with the moment the fictional target 'Serge' clicked on the link in an email. His presentation both demonstrated that there is a well-funded group behind these attacks, and highlighted one of the best bodies of security research in recent years (the full paper can be found as a PDF here).

While most people are unlikely to be a target of the aforementioned group, the same cannot be said for exploit kits, which are always ready to infect those who are a little slow in updating their browser. At VB2016, Fidelis Security researcher John Bambenek presented a well-received Small Talk on the subject, and in Lyon he delivered a 50-minute presentation on exploit kits, in which he described the complex ecosystem in full detail. John suggested that takedown efforts against exploit kits may not be very effective, as new ones will appear quickly, but that with an understanding of the full ecosystem, we may find ways to hit exploit kits a lot harder; the arrests surrounding the Lurk malware and the subsequent demise of the Angler exploit kit, which was run by the same group, is an important example of this.

Another VB2016 presenter on the Botconf programme was CERT Poland's Maciej Kotowicz, who discussed ISFB. Based on Gozi, this is one of the most popular banking trojans in the black market; Maciej's thorough technical analysis gave some insights as to why that is the case.

Yandex researchers Andrey Kovalev and Evgeny Sidorov have spoken at a number of VB conferences, often on web-based malware. At Botconf, they gave a presentation on malware that lives inside the browser. This is not a new topic (indeed, they referred to a presentation on the same subject from the first edition of Botconf), but just like defensive technologies, browser-based malware has gone 'next-generation'. Using two examples of malware that uses rogue browser extensions, they showed why such malware is hard to detect, but also offered suggestions as to how it can be detected, both on the client side and the server side.

Another talk that looked at detecting malware infections was delivered by Sebastián García from the Czech Technical University in Prague, who spoke at VB2015 on the Stratosphere Project. In Lyon, he discussed how the team behind this project has developed an interesting approach that uses machine learning techniques to detect new malware by analysing the data flow made by the malware, trying to distinguish it from traffic generated by legitimate processes.

But while detection is important, it is just as important to make sure that malware has as little chance as possible of infecting users and performing its intended tasks in the first place. Kurtis Armour, a researcher at eSentire, gave a very interesting presentation on this subject, which was all about adding layers to make executing bad code harder. With many easy-to-deploy tricks and tools, the presentation did make one wonder why more organisations don't practice this.

Another interesting technical talk was delivered by Jens Frieß and Laura Guevara from the Fraunhofer Institute. They discussed the issue of dealing with encrypted C&C traffic, in particular that using RSA. Accepting that this cannot be cracked merely by looking at the network traffic, they discussed how they modified the malicious binaries and injected the public key of their man-in-the-middle server, which could then read what information was being exchanged.

There were also a number of non-technical talks on the programme, one of which was given by Wayne Crowder on the subject of cyber insurance. Not necessarily the most appealing topic for a technical audience, Wayne mocked the supposed dullness of cyber insurance throughout his talk while at the same time delivering a very interesting presentation, with many interesting statistics and details from real-life cases. Many of the audience members who had initially been sceptical about such a non-technical way to tackle the problem of cybersecurity were convinced by Wayne's arguments that insurance can play an important role, and that the requirements set by insurers can actually help to make individuals and organisations more secure.

In total, there were 25 talks on the programme. Others included one from Cristiaan Beek on ransomware, an update on the Moose botnet (which we blogged about earlier this month), Botconf regular Tom Ueltschi talking about using Sysmon and Splunk to detect botnets, as well as several talks on Dridex. There were also a number of talks that were very interesting, but which were classified as TLP:Red and thus cannot be written about.

Of course, Botconf 2016 was also about meeting old and new friends, about eating good food (Lyon is often called the gastronomic capital of France, and with good reason), and about visiting another French city. Like many attendants, as soon as the location for Botconf 2017 was announced – Montpelier – we started looking at flights.

We referred to a three-part review of Botconf by Xavier Mertens (part 1, part 2, part 3) to help refresh our memories and write this blog post.



Latest posts:

VB2016 video: Last-minute paper: A malicious OS X cocktail served from a tainted bottle

In a VB2016 last-minute presentation, ESET researchers Peter Kalnai and Martin Jirkal looked at the OS X malware threats KeRanger and Keydnap, that both spread through a compromised BitTorrent client. A recording of their presentation is now…

Consumer spyware: a serious threat with a different threat model

Consumer spyware is a growing issue and one that can have serious consequences: its use is increasingly common in domestic violence. But do our threat models consider the attacker with physical access to, and inside knowledge of the victim?

VB2016 paper: Debugging and monitoring malware network activities with Haka

In their VB2016 paper, Stormshield researchers Benoît Ancel and Mehdi Talbi introduced Haka, an open-source language to monitor, debug and control malicious network traffic. Both their paper and the video recording of their presentation are now…

VB2017: a wide ranging and international conference programme

We are proud to announce a very broad and very international programme for VB2017, which will take place in Madrid, 4-6 October 2017.

John Graham-Cumming and Brian Honan to deliver keynote addresses at VB2017

Virus Bulletin is excited to announce John-Graham Cumming and Brian Honan as the two keynote speakers for VB2017 in Madrid.