Conference review: Botconf 2017

Posted by    on   Dec 22, 2017

Since its first edition in 2013, the Virus Bulletin team have been big fans of Botconf, the botnet fighting conference held every year in France. This year, Virus Bulletin sent team members Adrian Luca and Ionuț Răileanu to the event, which took place in the Mediterranean city of Montpellier.

banner_botconf_2017.jpg

There appears to have been an uptick recently in research into spam and spam botnets – something that was reflected in the Botconf programme this year. For example, Check Point researchers Or Eshed and Mark Lechtik (the former of whom also spoke at VB2017) discussed a rather targeted Nigerian spam campaign that they had initially believed to be an APT but which, due to the many mistakes it made, they concluded was actually an ALPT: an Absolutely Ludicrous Persistent Threat. Still, it did show how much profit one can make by using only publicly available hacking tools and by following advice found on Facebook and other public forums.

Probably the most prominent spam botnet at the moment is Necurs, which was the subject of a talk by Cisco Talos researcher Jaeson Schultz. Necurs has more than 1 million machines under its control, 40 per cent of which are based in Vietnam and India (which, incidentally, explains why we have seen so much spam from these countries in recent Virus Bulletin tests). Necurs is used in both large and smaller campaigns, and the fact that few Russian IP addresses are part of the botnet, and that it takes a break during Russian holidays, may give some clues as to the location of its owners. Interestingly, after the arrest of the people behind the Lurk trojan last year, Necurs appears to have been operated by less skilled owners, who run it mostly on autopilot.

In another talk, Palo Alto Networks researcher Anthony Kasza looked at the malicious RTF attachments used in some spam campaigns. He explained how the RTF format allows the embedding of other objects, and how this is used in malware, and then went on to explain how such malware can be analysed.

The launch of 'Malpedia' by regular Botconf presenter Daniel Plohmann and his colleagues at the Fraunhofer Institute was noticed well beyond Botconf, and rightly so: Malpedia ia a pooled resource of labelled, unpacked malware samples that favours quality over quantity – a resource that should prove very useful for many a security researcher, including us at Virus Bulletin.

An equally useful tool is 'RetDec', Avast's machine code decompiler. Following a presentation about the tool by Jakub Kroustek (of VB2017 fame) and Peter Matula, it was open-sourced it order to make it available to the wider security community.

Given the size of our own team, we found the presentation by ThreatConnect's Robert Simmons on advanced threat hunting very interesting: he focused on improving the efficiency of a small security team, using a lot of automation to minimize working time. (Robert presented a similar topic at VB2016 in Denver last year.)

Nominum's Hongliang Liu gave a talk on using real-time DNS traffic to identify new domains used by the Locky ransomware, while a presentation by ESET researchers Matthieu Faou and Frédéric Vachon on the Statinko adware showed how even a not particularly malicious threat uses a complex infrastructure that goes to great lengths to avoid being noticed. (You can read more on Statinko in an ESET whitepaper published this summer.)

A talk by Christopher Baker (Dyn) on SOCKs as a service showed how the cybercriminal underground has found a solution to the problem of malicious IPs ending up on blacklists, while Keisuke Muda and Shusei Tomonaga (both of JPCERT/CC) gave a very interesting talk on the tools used by malicious actors, for example for lateral movement.

In some cases, all an attacker needs to do is to keep trying. This is certainly the case when it comes to brute-force attacks against content management systems. Cisco researcher Anna Shirokova gave an interesting presentation on this often overlooked subject, which actually plays an important role in the cybercrime ecosystem.

Sometimes, a researcher is more than just an observer: in a talk on the 'Malware Uncertainty Principle', Maria Jose Erquiaga looked at how the behaviour of malware changes when its C&C traffic is intercepted by a man-in-the-middle proxy. The full dataset has been made available online for anyone to analyse.

Being actively involved in researching exploit kits and watering hole campaigns ourselves, we were very interested in KNIGHTCRAWLER, a project by Félix Aimé of Kaspersky Lab's GReAT team. He explained how he used this tool to hunt for watering holes that use iframe injections and how he, for instance, uses his own YARA rules for hunting watering hole attacks by monitoring around 25,000 targets.

OVH is one of the world's largest hosting providers, and a talk by one of its security engineers, Sébastien Mériot, explained how the company fought a DDoS attack against its servers from an IoT botnet whose C&C infrastructure was also hosted by OVH. What made this rather complicated was the 'hosting provider paradox': the law forbids the provider from looking at customer data. However, the security engineers found that by analysing the malware, they could extract the relevant IP addresses and clean up their network, thus reducing the number of abuse reports by a factor five.

Another talk, by Botconf veteran Karine e Silva of Tilburg University, also looked at legal aspects, in particular those of sharing information about botnets between security researchers and law enforcement, and the various restrictions on sharing imposed by the law, especially when it's not always clear whether the information was gathered legally.

Finally, Botconf regular (and VB2017 presenter) Paul Rascagneres gave an interesting presentation on the (Not)Petya ransomware (called Nyetya by Cisco Talos), and the M.E.Doc link. As expected, this was an excellent talk, showcasing some really good research.

We had an excellent time at the conference and want to thank the organisers for putting together such a great event, with many interesting talks as well as an enjoyable social evening at Montpellier’s aquarium Mare Nostrum. Meeting passionate individuals from the industry in the pleasant atmosphere of a French city, and with so many interesting things to learn, are all part of what makes Botconf such a great conference. We are looking forward to next year’s event in Toulouse.

For a more complete overview of all talks presented at this year's Botconf, we refer to the three-part review by Xavier Mertens: day 1, day 2, day 3.

Adrian Luca & Ionuț Răileanu

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

New paper: Does malware based on Spectre exist?

It is likely that, by now, everyone in computer science has at least heard of the Spectre attack, and many excellent explanations of the attack already exist. But what is the likelihood of finding Spectre being exploited on Android smartphones?

More VB2018 partners announced

We are excited to announce several more companies that have partnered with VB2018.

Malware authors' continued use of stolen certificates isn't all bad news

A new malware campaign that uses two stolen code-signing certificates shows that such certificates continue to be popular among malware authors. But there is a positive side to malware authors' use of stolen certificates.

Save the dates: VB2019 to take place 2-4 October 2019

Though the location will remain under wraps for a few more months, we are pleased to announce the dates for VB2019, the 29th Virus Bulletin International Conference.

Necurs update reminds us that the botnet cannot be ignored

The operators of the Necurs botnet, best known for being one of the most prolific spam botnets of the past few years, have pushed out updates to its client, which provide some important lessons about why malware infections matter.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.