Conference review: Botconf 2016

Posted by Martijn Grooten on Dec 20, 2016

This review was written by Martijn Grooten, Adrian Luca and Ionuț Răileanu.

Though still only in its fourth year, Botconf has become one of the Virus Bulletin team's favourite conferences. Late in November, three of the VB team flew to Lyon to attend this year's three-day event.

As its name suggests, Botconf is aimed at those who deal with various aspects of botnet research, though with a strong focus on technical analyses. And while many of the event's attendees came from France, the speaker line-up was international, even to the point that the organisers urged French researchers to submit papers for the next edition.


One of the most interesting presentations of the conference, and certainly one of the hottest, was "Visiting the Bear's Den", in which ESET researcher Jessy Campos presented research into the group variously known as Sednit, Cozy Bear, APT28 and Sofacy – outside the security community it is, of course, best known as the group that hacked the DNC and WADA. Jessy described the long chain of events that led to the hack, starting with the moment the fictional target 'Serge' clicked on the link in an email. His presentation both demonstrated that there is a well-funded group behind these attacks, and highlighted one of the best bodies of security research in recent years (the full paper can be found as a PDF here).

While most people are unlikely to be a target of the aforementioned group, the same cannot be said for exploit kits, which are always ready to infect those who are a little slow in updating their browser. At VB2016, Fidelis Security researcher John Bambenek presented a well-received Small Talk on the subject, and in Lyon he delivered a 50-minute presentation on exploit kits, in which he described the complex ecosystem in full detail. John suggested that takedown efforts against exploit kits may not be very effective, as new ones will appear quickly, but that with an understanding of the full ecosystem, we may find ways to hit exploit kits a lot harder; the arrests surrounding the Lurk malware and the subsequent demise of the Angler exploit kit, which was run by the same group, are an important example of this.

Another VB2016 presenter on the Botconf programme was CERT Poland's Maciej Kotowicz, who discussed ISFB. Based on Gozi, this is one of the most popular banking trojans in the black market; Maciej's thorough technical analysis gave some insights as to why that is the case.

Yandex researchers Andrey Kovalev and Evgeny Sidorov have spoken at a number of VB conferences, often on web-based malware. At Botconf, they gave a presentation on malware that lives inside the browser. This is not a new topic (indeed, they referred to a presentation on the same subject from the first edition of Botconf), but just like defensive technologies, browser-based malware has gone 'next-generation'. Using two examples of malware that uses rogue browser extensions, they showed why such malware is hard to detect, but also offered suggestions as to how it can be detected, both on the client side and the server side.

Another talk that looked at detecting malware infections was delivered by Sebastián García from the Czech Technical University in Prague, who spoke at VB2015 on the Stratosphere Project. In Lyon, he discussed how the team behind this project has developed an interesting approach that uses machine learning techniques to detect new malware by analysing the data flows generated by the malware, trying to distinguish them from traffic generated by legitimate processes.

But while detection is important, it is just as important to make sure that malware has as little chance as possible of infecting users and performing its intended tasks in the first place. Kurtis Armour, a researcher at eSentire, gave a very interesting presentation on this subject, which was all about adding layers to make executing bad code harder. With many easy-to-deploy tricks and tools, the presentation did make one wonder why more organisations don't practise this.

Another interesting technical talk was delivered by Jens Frieß and Laura Guevara from the Fraunhofer Institute. They discussed the issue of dealing with encrypted C&C traffic, in particular that using RSA. Accepting that this cannot be cracked merely by looking at the network traffic, they discussed how they modified the malicious binaries and injected the public key of their man-in-the-middle server, which could then read what information was being exchanged.

There were also a number of non-technical talks on the programme, one of which was given by Wayne Crowder on the subject of cyber insurance. Not necessarily the most appealing topic for a technical audience, Wayne mocked the supposed dullness of cyber insurance throughout his talk while at the same time delivering a very interesting presentation, with many interesting statistics and details from real-life cases. Many of the audience members who had initially been sceptical about such a non-technical way to tackle the problem of cybersecurity were convinced by Wayne's arguments that insurance can play an important role, and that the requirements set by insurers can actually help to make individuals and organisations more secure.

In total, there were 25 talks on the programme. Others included one from Christiaan Beek on ransomware, an update on the Moose botnet (which we blogged about earlier this month), Botconf regular Tom Ueltschi talking about using Sysmon and Splunk to detect botnets, as well as several talks on Dridex. There were also a number of talks that were very interesting, but which were classified as TLP:Red and thus cannot be written about.

Of course, Botconf 2016 was also about meeting old and new friends, about eating good food (Lyon is often called the gastronomic capital of France, and with good reason), and about visiting another French city. Like many attendees, as soon as the location for Botconf 2017 was announced – Montpellier – we started looking at flights.

We referred to a three-part review of Botconf by Xavier Mertens (part 1, part 2, part 3) to help refresh our memories and write this blog post.
