Conference review: Botconf 2017

Posted on Dec 22, 2017

Since its first edition in 2013, the Virus Bulletin team have been big fans of Botconf, the botnet fighting conference held every year in France. This year, Virus Bulletin sent team members Adrian Luca and Ionuț Răileanu to the event, which took place in the Mediterranean city of Montpellier.


There appears to have been an uptick recently in research into spam and spam botnets – something that was reflected in the Botconf programme this year. For example, Check Point researchers Or Eshed and Mark Lechtik (the former of whom also spoke at VB2017) discussed a rather targeted Nigerian spam campaign that they had initially believed to be an APT but which, due to the many mistakes it made, they concluded was actually an ALPT: an Absolutely Ludicrous Persistent Threat. Still, it did show how much profit one can make by using only publicly available hacking tools and by following advice found on Facebook and other public forums.

Probably the most prominent spam botnet at the moment is Necurs, which was the subject of a talk by Cisco Talos researcher Jaeson Schultz. Necurs has more than 1 million machines under its control, 40 per cent of which are based in Vietnam and India (which, incidentally, explains why we have seen so much spam from these countries in recent Virus Bulletin tests). Necurs is used in both large and smaller campaigns, and the fact that few Russian IP addresses are part of the botnet, and that it takes a break during Russian holidays, may give some clues as to the location of its owners. Interestingly, after the arrest of the people behind the Lurk trojan last year, Necurs appears to have been operated by less skilled owners, who run it mostly on autopilot.

In another talk, Palo Alto Networks researcher Anthony Kasza looked at the malicious RTF attachments used in some spam campaigns. He explained how the RTF format allows the embedding of other objects, and how this is used in malware, and then went on to explain how such malware can be analysed.

The launch of 'Malpedia' by regular Botconf presenter Daniel Plohmann and his colleagues at the Fraunhofer Institute was noticed well beyond Botconf, and rightly so: Malpedia is a pooled resource of labelled, unpacked malware samples that favours quality over quantity – a resource that should prove very useful for many a security researcher, including us at Virus Bulletin.

An equally useful tool is 'RetDec', Avast's machine code decompiler. Following a presentation about the tool by Jakub Kroustek (of VB2017 fame) and Peter Matula, it was open-sourced in order to make it available to the wider security community.

Given the size of our own team, we found the presentation by ThreatConnect's Robert Simmons on advanced threat hunting very interesting: he focused on improving the efficiency of a small security team, using a lot of automation to minimize working time. (Robert presented a similar topic at VB2016 in Denver last year.)

Nominum's Hongliang Liu gave a talk on using real-time DNS traffic to identify new domains used by the Locky ransomware, while a presentation by ESET researchers Matthieu Faou and Frédéric Vachon on the Stantinko adware showed how even a not particularly malicious threat uses a complex infrastructure that goes to great lengths to avoid being noticed. (You can read more on Stantinko in an ESET whitepaper published this summer.)

A talk by Christopher Baker (Dyn) on SOCKs as a service showed how the cybercriminal underground has found a solution to the problem of malicious IPs ending up on blacklists, while Keisuke Muda and Shusei Tomonaga (both of JPCERT/CC) gave a very interesting talk on the tools used by malicious actors, for example for lateral movement.

In some cases, all an attacker needs to do is to keep trying. This is certainly the case when it comes to brute-force attacks against content management systems. Cisco researcher Anna Shirokova gave an interesting presentation on this often overlooked subject, which actually plays an important role in the cybercrime ecosystem.

Sometimes, a researcher is more than just an observer: in a talk on the 'Malware Uncertainty Principle', Maria Jose Erquiaga looked at how the behaviour of malware changes when its C&C traffic is intercepted by a man-in-the-middle proxy. The full dataset has been made available online for anyone to analyse.

Being actively involved in researching exploit kits and watering hole campaigns ourselves, we were very interested in KNIGHTCRAWLER, a project by Félix Aimé of Kaspersky Lab's GReAT team. He explained how he used this tool to hunt for watering holes that use iframe injections and how he, for instance, uses his own YARA rules for hunting watering hole attacks by monitoring around 25,000 targets.

OVH is one of the world's largest hosting providers, and a talk by one of its security engineers, Sébastien Mériot, explained how the company fought a DDoS attack against its servers from an IoT botnet whose C&C infrastructure was also hosted by OVH. What made this rather complicated was the 'hosting provider paradox': the law forbids the provider from looking at customer data. However, the security engineers found that by analysing the malware, they could extract the relevant IP addresses and clean up their network, thus reducing the number of abuse reports by a factor of five.

Another talk, by Botconf veteran Karine e Silva of Tilburg University, also looked at legal aspects, in particular those of sharing information about botnets between security researchers and law enforcement, and the various restrictions on sharing imposed by the law, especially when it's not always clear whether the information was gathered legally.

Finally, Botconf regular (and VB2017 presenter) Paul Rascagneres gave an interesting presentation on the (Not)Petya ransomware (called Nyetya by Cisco Talos), and the M.E.Doc link. As expected, this was an excellent talk, showcasing some really good research.

We had an excellent time at the conference and want to thank the organisers for putting together such a great event, with many interesting talks as well as an enjoyable social evening at Montpellier’s aquarium Mare Nostrum. Meeting passionate individuals from the industry in the pleasant atmosphere of a French city, and with so many interesting things to learn, are all part of what makes Botconf such a great conference. We are looking forward to next year’s event in Toulouse.

For a more complete overview of all talks presented at this year's Botconf, we refer readers to the three-part review by Xavier Mertens: day 1, day 2, day 3.

Adrian Luca & Ionuț Răileanu


