Conference review: Botconf 2015

Posted by   Virus Bulletin on   Dec 15, 2015

Third botnet fighting conference another big success.

Though only in its third year, Botconf has already become a regular fixture in my schedule. And thus, after having attended the conference in Nantes in 2013 and in Nancy in 2014, this year I joined more than 250 others for the three-day conference on botnets at Google France's headquarters in Paris.

The conference programme was rather full, featuring 29 presentations (including three keynotes) and a session of lightning talks all in a single stream. However, the tasty food during breaks, as well as the mix of shorter and longer talks, helped attendees stay focused.

Perhaps the most newsworthy talk of the conference was that on Ponmocup by Fox-IT researchers Maarten van Dantzig and Yonathan Klijnsma. I know of this malware mainly through previous Botconf presentations by Tom Ueltschi, as well as for its infamous decoy behaviour, which James Wyke discussed in his VB2014 presentation, but Maarten and Yonathan provided many more details on this intriguing threat.

The malware, which is after user data, takes decoy behaviour to such extremes that it serves adware when it suspects it is running in a virtual environment, leading many to write it off as a not very serious threat. It also installs unique copies on each infected machine, which has confused researchers who believed it was a very small-scale threat. In fact, it may have infected as many as 15 million machines, of which 500,000 are still active today, and is probably making a lot of money for its authors. The researchers released a report, which has already led to some changes being made by the malware authors.

Yonathan took to the stage again on the final morning of the conference, to discuss the evolution of Cryptowall, the infamous ransomware that may deserve to be called the true successor of Cryptolocker (whose name it even used in earlier versions). Intriguingly, but also frustratingly, Yonathan showed that malware authors actually read the security industry's blogs and often use them as free pen-testing.

The same was true for the authors of the Moose botnet, which consists of compromised Linux-based routers. Olivier Bilodeau talked about this at VB2015, yet it was interesting to hear the story again: how the malware works, how it is used to gain fake accolades on social media, and also how its authors responded to ESET's report in May this year.

Another Linux botnet was highlighted by Paul Jung (security consultant at Excellium Services), who discussed a network of compromised web servers, allegedly run from Indonesia. The frustrating part here for a change wasn't that it was advanced, but rather how simple the botnet was and how easy it seems to be to take over so many servers.

A look at these and other botnets from a different angle was given by Frank Denis, representing hosting provider OVH. The company has seen its fair share of abuse happening on its big network, which has led to blocks and blacklisting by the security community. To work with this community, Frank presented ERIS, a tool that allows a hosting provider to share information on their network, such as reassigned IP-addresses or investigated reports, which can then be used by the security community to make better informed decisions.

A number of talks dealt with ordinary Windows botnets, which have long lost their 'coolness' for security researchers, but which remain a plague for many Internet users, especially those in less-developed countries. Case in point was the Sality spam-sending botnet, which, as Peter Kleissner (LookingGlass) showed, was once huge but, thanks to people updating their PCs, has significantly shrunk in size. Jose Migueal Esparza (another researcher from Fox-IT) talked about another large botnet, Andromeda, and focused in particular on the business model behind it.

Perhaps fittingly, Botconf coincided with the takedown of the Dorkbot botnet. While there was no talk on this botnet, John Bambenek (Fidelis) gave an interesting presentation on takedowns in general, how they work, and their advantages and disadvantages.

There were some shorter (20-minute) presentations too, among which was one by ŀukasz Siewierski (CERT.PL) on a Polish company that was hacked through social engineering, had its customer list stolen (which was used to target customers as well), and then claimed nothing was wrong and even sued a journalist for reporting on the case. In another short presentation, Cisco's Veronica Valeros explained what happened when she let a malware sample run for several weeks inside a sandbox. Indeed, it started to behave differently after a few days, when it downloaded new payloads and began to perform brute-force attacks against WordPress sites.

Talks also covered, among other things, sandbox detection, DarkComet, Regin and (a running gag during the conference) DGAs. As with many European conferences, Xavier Mertens blogged about all presentations (day 1, day 2, day 3), thus doing justice to all speakers, whose presentations made the third Botconf such a great success.

Of course, the success of the event is also in large part thanks to the hard work of Eric Freyssinet and his fellow organisers, as well the generous hosts from Google and the many old and new friends I met in Paris. I'm certainly looking forward to Botconf 2016, which will take place in Lyon.

Posted on 15 December 2015 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper: Lazarus Group: a mahjong game played with different sets of tiles

The Lazarus Group, generally linked to the North Korean government, is one of the most notorious threat groups seen in recent years. At VB2018 ESET researchers Peter Kálnai and Michal Poslušný presented a paper looking at the group's various…

Book your VB2019 ticket now for a chance to win a ticket for BSides London

Virus Bulletin is proud to sponsor this year's BSides London conference, which will take place next week, and we have a number of tickets to give away.

First 11 partners of VB2019 announced

We are excited to announce the first 11 companies to partner with VB2019, whose support will help ensure a great event.

VB2018 paper: Fake News, Inc.

A former reporter by profession, Andrew Brandt's curiosity was piqued when he came across what appeared at first glance to be the website of a small-town newspaper based in Illinois, but under scrutiny, things didn’t add up. At VB2018 he presented a…

Paper: Alternative communication channel over NTP

In a new paper published today, independent researcher Nikolaos Tsapakis writes about the possibilities of malware using NTP as a covert communication channel and how to stop this.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.