Conference review: Botconf 2016

Posted by Martijn Grooten on Dec 20, 2016

This review was written by Martijn Grooten, Adrian Luca and Ionuț Răileanu.

Though still only in its fourth year, Botconf has become one of the Virus Bulletin team's favourite conferences. Late in November, three of the VB team flew to Lyon to attend this year's three-day event.

As its name suggests, Botconf is aimed at those who deal with various aspects of botnet research, though with a strong focus on technical analyses. And while many of the event's attendees came from France, the speaker line-up was international, even to the point that the organisers urged French researchers to submit papers for the next edition.


One of the most interesting presentations of the conference, and certainly one of the hottest, was "Visiting the Bear's Den", in which ESET researcher Jessy Campos presented research into the group variously known as Sednit, Cozy Bear, APT28 and Sofacy – outside the security community it is, of course, best known as the group that hacked the DNC and WADA. Jessy described the long chain of events that led to the hack, starting with the moment the fictional target 'Serge' clicked on the link in an email. His presentation both demonstrated that there is a well-funded group behind these attacks, and highlighted one of the best bodies of security research in recent years (the full paper can be found as a PDF here).

While most people are unlikely to be a target of the aforementioned group, the same cannot be said for exploit kits, which are always ready to infect those who are a little slow in updating their browser. At VB2016, Fidelis Security researcher John Bambenek presented a well-received Small Talk on the subject, and in Lyon he delivered a 50-minute presentation on exploit kits, in which he described the complex ecosystem in full detail. John suggested that takedown efforts against exploit kits may not be very effective, as new ones will appear quickly, but that with an understanding of the full ecosystem, we may find ways to hit exploit kits a lot harder; the arrests surrounding the Lurk malware and the subsequent demise of the Angler exploit kit, which was run by the same group, are an important example of this.

Another VB2016 presenter on the Botconf programme was CERT Poland's Maciej Kotowicz, who discussed ISFB. Based on Gozi, this is one of the most popular banking trojans in the black market; Maciej's thorough technical analysis gave some insights as to why that is the case.

Yandex researchers Andrey Kovalev and Evgeny Sidorov have spoken at a number of VB conferences, often on web-based malware. At Botconf, they gave a presentation on malware that lives inside the browser. This is not a new topic (indeed, they referred to a presentation on the same subject from the first edition of Botconf), but just like defensive technologies, browser-based malware has gone 'next-generation'. Using two examples of malware that uses rogue browser extensions, they showed why such malware is hard to detect, but also offered suggestions as to how it can be detected, both on the client side and the server side.

Another talk that looked at detecting malware infections was delivered by Sebastián García from the Czech Technical University in Prague, who spoke at VB2015 on the Stratosphere Project. In Lyon, he discussed how the team behind this project has developed an interesting approach that uses machine learning techniques to detect new malware by analysing the data flow made by the malware, trying to distinguish it from traffic generated by legitimate processes.

But while detection is important, it is just as important to make sure that malware has as little chance as possible of infecting users and performing its intended tasks in the first place. Kurtis Armour, a researcher at eSentire, gave a very interesting presentation on this subject, which was all about adding layers to make executing bad code harder. With many easy-to-deploy tricks and tools, the presentation did make one wonder why more organisations don't practise this.

Another interesting technical talk was delivered by Jens Frieß and Laura Guevara from the Fraunhofer Institute. They discussed the issue of dealing with encrypted C&C traffic, in particular that using RSA. Accepting that this cannot be cracked merely by looking at the network traffic, they discussed how they modified the malicious binaries and injected the public key of their man-in-the-middle server, which could then read what information was being exchanged.

There were also a number of non-technical talks on the programme, one of which was given by Wayne Crowder on the subject of cyber insurance. This is not necessarily the most appealing topic for a technical audience, and Wayne mocked the supposed dullness of cyber insurance throughout his talk while at the same time delivering a very interesting presentation, with many interesting statistics and details from real-life cases. Many of the audience members who had initially been sceptical about such a non-technical way to tackle the problem of cybersecurity were convinced by Wayne's arguments that insurance can play an important role, and that the requirements set by insurers can actually help to make individuals and organisations more secure.

In total, there were 25 talks on the programme. Others included one from Christiaan Beek on ransomware, an update on the Moose botnet (which we blogged about earlier this month), Botconf regular Tom Ueltschi talking about using Sysmon and Splunk to detect botnets, as well as several talks on Dridex. There were also a number of talks that were very interesting, but which were classified as TLP:Red and thus cannot be written about.

Of course, Botconf 2016 was also about meeting old and new friends, about eating good food (Lyon is often called the gastronomic capital of France, and with good reason), and about visiting another French city. Like many attendees, as soon as the location for Botconf 2017 was announced – Montpellier – we started looking at flights.

We referred to a three-part review of Botconf by Xavier Mertens (part 1, part 2, part 3) to help refresh our memories and write this blog post.


