Conference review: Botconf 2017


Since its first edition in 2013, the Virus Bulletin team have been big fans of Botconf, the botnet fighting conference held every year in France. This year, Virus Bulletin sent team members Adrian Luca and Ionuț Răileanu to the event, which took place in the Mediterranean city of Montpellier.


There appears to have been an uptick recently in research into spam and spam botnets – something that was reflected in the Botconf programme this year. For example, Check Point researchers Or Eshed and Mark Lechtik (the former of whom also spoke at VB2017) discussed a rather targeted Nigerian spam campaign that they had initially believed to be an APT but which, due to the many mistakes it made, they concluded was actually an ALPT: an Absolutely Ludicrous Persistent Threat. Still, it did show how much profit one can make by using only publicly available hacking tools and by following advice found on Facebook and other public forums.

Probably the most prominent spam botnet at the moment is Necurs, which was the subject of a talk by Cisco Talos researcher Jaeson Schultz. Necurs has more than 1 million machines under its control, 40 per cent of which are based in Vietnam and India (which, incidentally, explains why we have seen so much spam from these countries in recent Virus Bulletin tests). Necurs is used in both large and smaller campaigns, and the fact that few Russian IP addresses are part of the botnet, and that it takes a break during Russian holidays, may give some clues as to the location of its owners. Interestingly, after the arrest of the people behind the Lurk trojan last year, Necurs appears to have been operated by less skilled owners, who run it mostly on autopilot.

In another talk, Palo Alto Networks researcher Anthony Kasza looked at the malicious RTF attachments used in some spam campaigns. He explained how the RTF format allows the embedding of other objects, how this is abused by malware, and how such attachments can be analysed.
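As an added illustration of the mechanism described above (this is not Kasza's tooling, nor code from any sample he discussed): an RTF file carries an embedded object as a hex string inside a {\*\objdata ...} group, and the decoded bytes begin with an OLE1 ObjectHeader that names the object's class before the native payload. The script below locates those groups, strips the junk control words and line breaks that are routinely scattered through the hex to break naive extractors, and parses the header so that a genuine OLE2 Office object can be told apart from an OLE "Package", the class used to smuggle an arbitrary file. The sample document is constructed inline for the demonstration.

```python
import re
import struct

# Magic of an OLE2 compound file, i.e. what a genuine embedded Office object starts with.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# RTF control word: backslash, letters, optional signed numeric parameter, optional
# delimiting space (per the RTF spec the delimiting space belongs to the control word).
_CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?")


def find_groups(rtf: bytes, marker: bytes):
    """Yield the body of every RTF group starting with `marker`, honouring nested
    braces and backslash-escaped braces."""
    pos = 0
    while True:
        start = rtf.find(marker, pos)
        if start < 0:
            return
        depth, i = 0, start
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"\\":
                i += 2                      # skip the escaped / control character
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    yield rtf[start + len(marker):i]
                    break
            i += 1
        pos = i + 1


def decode_objdata(body: bytes) -> bytes:
    """Hex-decode an objdata body. Junk control words, CRLFs and other non-hex bytes
    inside the stream are a common evasion: drop control words first (their letters
    are valid hex digits), then keep only hex digits."""
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", _CONTROL_WORD.sub(b"", body))
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))


def _read_lp_string(buf: bytes, off: int):
    # MS-OLEDS LengthPrefixedAnsiString: uint32 length (NUL included) + bytes.
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1 ObjectHeader at the start of a decoded objdata stream."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = _read_lp_string(blob, off)
    _topic, off = _read_lp_string(blob, off)
    _item, off = _read_lp_string(blob, off)
    native = b""
    if format_id == 2:                       # 2 = embedded object, 1 = linked
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return {"ole_version": version, "format_id": format_id, "class_name": class_name,
            "native": native, "is_ole2": native.startswith(OLE2_MAGIC),
            "is_package": class_name == "Package"}   # Package = arbitrary dropped file


def extract_objects(rtf: bytes) -> list:
    """Return the parsed OLE1 object of every objdata group in the document."""
    found = []
    for body in find_groups(rtf, b"{\\*\\objdata"):
        blob = decode_objdata(body)
        if len(blob) >= 8:
            found.append(parse_ole1(blob))
    return found


# ---- constructed sample document (built here for the demo; not real malware) ----
def _ole1(class_name: str, native: bytes) -> bytes:
    lp = lambda s: struct.pack("<I", len(s)) + s
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name.encode("ascii") + b"\x00")
            + lp(b"") + lp(b"") + struct.pack("<I", len(native)) + native)


def _objdata_group(blob: bytes, obfuscate: bool = False) -> bytes:
    h = blob.hex().encode("ascii")
    if obfuscate:   # junk control words and a CRLF inside the hex, as seen in the wild
        h = h[:10] + b"\\bin0 " + h[10:30] + b"\r\n" + h[30:50] + b"\\par " + h[50:]
    return b"{\\*\\objdata " + h + b"}"


SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 Please see the attached invoice.\\par\n"
    b"{\\object\\objemb{\\*\\objclass Word.Document.8}"
    + _objdata_group(_ole1("Word.Document.8", OLE2_MAGIC + b"\x00" * 24), obfuscate=True)
    + b"}\n{\\object\\objemb{\\*\\objclass Package}"
    + _objdata_group(_ole1("Package", b"\x02\x00invoice.exe\x00"))   # placeholder payload
    + b"}}"
)

if __name__ == "__main__":
    for obj in extract_objects(SAMPLE_RTF):
        print(obj["class_name"], obj["is_ole2"], obj["is_package"], obj["native"][:8].hex())
```

A real "Package" payload has its own header (file name, original path, then the file bytes) that this script does not unpack; the point of the check is that a Package object in a document that arrived by e-mail is already a strong signal, whatever it contains.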

The launch of ‘Malpedia’ by regular Botconf presenter Daniel Plohmann and his colleagues at the Fraunhofer Institute was noticed well beyond Botconf, and rightly so: Malpedia is a pooled resource of labelled, unpacked malware samples that favours quality over quantity – a resource that should prove very useful for many a security researcher, including us at Virus Bulletin.

An equally useful tool is ‘RetDec’, Avast's machine code decompiler. Following a presentation about the tool by Jakub Kroustek (of VB2017 fame) and Peter Matula, it was open-sourced in order to make it available to the wider security community.

Given the size of our own team, we found the presentation by ThreatConnect's Robert Simmons on advanced threat hunting very interesting: he focused on improving the efficiency of a small security team, using a lot of automation to minimize working time. (Robert presented a similar topic at VB2016 in Denver last year.)


Nominum's Hongliang Liu gave a talk on using real-time DNS traffic to identify new domains used by the Locky ransomware, while a presentation by ESET researchers Matthieu Faou and Frédéric Vachon on the Stantinko adware showed how even a not particularly malicious threat uses a complex infrastructure that goes to great lengths to avoid being noticed. (You can read more on Stantinko in an ESET whitepaper published this summer.)

A talk by Christopher Baker (Dyn) on SOCKS as a service showed how the cybercriminal underground has found a solution to the problem of malicious IPs ending up on blacklists, while Keisuke Muda and Shusei Tomonaga (both of JPCERT/CC) gave a very interesting talk on the tools used by malicious actors, for example for lateral movement.

In some cases, all an attacker needs to do is to keep trying. This is certainly the case when it comes to brute-force attacks against content management systems. Cisco researcher Anna Shirokova gave an interesting presentation on this often overlooked subject, which actually plays an important role in the cybercrime ecosystem.
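As an added example of the defender's side of this (our own illustration, not material from Shirokova's talk): the simplest useful detection for CMS credential brute-forcing is a per-source sliding window over POST requests to the login endpoints in the web server access log. The script below parses common-log-format lines, counts login POSTs per client IP inside a five-minute window and raises one alert per IP once a threshold is crossed. The log lines, the endpoint list and the threshold are constructed assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format prefix: ip ident user [timestamp] "METHOD path proto" status size ...
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Login endpoints of a few popular CMSes (assumed list; extend for your estate).
# xmlrpc.php is included because WordPress accepts credentials there too.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php", "/user/login"}


def parse_line(line: str):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = _LOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def detect_bruteforce(lines, threshold: int = 10,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs that POST to a login endpoint `threshold` or more times
    within any `window`. Returns {ip: details} for the first crossing per IP."""
    recent = defaultdict(deque)      # ip -> timestamps of login POSTs still in the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"path": path, "count": len(q), "first": q[0], "last": ts}
    return alerts


# ---- constructed sample log (synthetic, not from a real server) ----
def _line(ip, t, method, path, status):
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 4512 "-" "Mozilla/5.0"')

_T0 = datetime(2017, 12, 5, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [_line("198.51.100.2", _T0, "GET", "/index.php", 200),
              _line("203.0.113.7", _T0 + timedelta(seconds=1), "GET", "/wp-login.php", 200)]
# attacker: one POST every four seconds, each with a different query string
SAMPLE_LOG += [_line("203.0.113.7", _T0 + timedelta(seconds=2 + 4 * i), "POST",
                     f"/wp-login.php?redirect_to=%2Fwp-admin%2F&n={i}", 200) for i in range(15)]
# legitimate editor: three failed attempts (200) and then a successful login (302)
SAMPLE_LOG += [_line("198.51.100.2", _T0 + timedelta(minutes=1, seconds=10 * i), "POST",
                     "/wp-login.php", s) for i, s in enumerate((200, 200, 200, 302))]

if __name__ == "__main__":
    for ip, d in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, d["count"], "login POSTs to", d["path"], "between", d["first"], "and", d["last"])
```

Two caveats when moving this onto real logs. The query string is dropped before matching because attack tooling varies it, so matching on the full request line would miss most of the traffic. And a request count understates the attack against WordPress's xmlrpc.php, where a single system.multicall request can carry hundreds of credential pairs; for that endpoint a much lower threshold, or inspection of the request body, is needed.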

Sometimes, a researcher is more than just an observer: in a talk on the ‘Malware Uncertainty Principle’, Maria Jose Erquiaga looked at how the behaviour of malware changes when its C&C traffic is intercepted by a man-in-the-middle proxy. The full dataset has been made available online for anyone to analyse.

Being actively involved in researching exploit kits and watering hole campaigns ourselves, we were very interested in KNIGHTCRAWLER, a project by Félix Aimé of Kaspersky Lab's GReAT team. He explained how he uses this tool to hunt for watering holes that rely on iframe injections, applying his own YARA rules to the pages of around 25,000 monitored targets.
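To make concrete what an injected-iframe hunt looks for, here is an added example of our own; it is not KNIGHTCRAWLER code and Aimé's YARA rules are not reproduced. A watering hole injection typically adds an iframe the visitor cannot see (1x1 or 0x0, display:none, visibility:hidden, or positioned far off-screen) whose src points to a host outside the site being monitored. The function below parses a fetched page with the standard library, scores every iframe on those criteria and returns the hidden ones with their reasons; the page URL, the sample HTML and the "last two labels" site comparison are constructed assumptions for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A width/height of 0 or 1 (optionally with "px") makes the frame effectively invisible.
_ZERO_SIZE = re.compile(r"^\s*[01](px)?\s*$", re.I)
# Inline styles that hide the frame or push it far off-screen.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":   # HTMLParser lower-cases tag and attribute names for us
            self.iframes.append({k: (v or "") for k, v in attrs})


def _site(host: str) -> str:
    # Crude registrable-domain approximation (last two labels): fine for triage,
    # wrong for suffixes such as co.uk; use a public-suffix list in production.
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def suspicious_iframes(html: str, page_url: str) -> list:
    """Return the hidden iframes found in `html`, each with the reasons it was flagged
    and whether its src leaves the monitored site."""
    page_host = urlparse(page_url).hostname or ""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host     # relative src stays on this host
        reasons = []
        if _ZERO_SIZE.match(attrs.get("width", "")) or _ZERO_SIZE.match(attrs.get("height", "")):
            reasons.append("zero-size")
        if _HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-by-style")
        if not reasons:
            continue            # visible frames (video embeds, widgets) are not injections
        if _site(host) != _site(page_host):
            reasons.append("third-party-src")
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# ---- constructed sample page (synthetic) ----
SAMPLE_PAGE_URL = "https://news.example.org/index.html"
SAMPLE_HTML = """<html><body>
<h1>Regional news</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/widgets/weather.html" width="300" height="100"></iframe>
<p>Council approves new tram line.</p>
<iframe src="http://stat-counter.example.net/c.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe SRC="//update-flash.example.com/index.php" STYLE="position:absolute; top:-5000px" width="10" height="10"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f["host"], f["reasons"])
```

Run over a crawl of the monitored sites, a new finding for a page that had none in the previous crawl is the event worth a human look; the iframe host is then the pivot for finding other sites injected with the same infrastructure.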


OVH is one of the world's largest hosting providers, and a talk by one of its security engineers, Sébastien Mériot, explained how the company fought a DDoS attack against its servers from an IoT botnet whose C&C infrastructure was also hosted by OVH. What made this rather complicated was the ‘hosting provider paradox’: the law forbids the provider from looking at customer data. However, the security engineers found that by analysing the malware, they could extract the relevant IP addresses and clean up their network, reducing the number of abuse reports by a factor of five.

Another talk, by Botconf veteran Karine e Silva of Tilburg University, also looked at legal aspects, in particular those of sharing information about botnets between security researchers and law enforcement, and the various restrictions that the law imposes on such sharing, especially when it is not always clear whether the information was gathered legally.

Finally, Botconf regular (and VB2017 presenter) Paul Rascagneres gave an interesting presentation on the (Not)Petya ransomware (called Nyetya by Cisco Talos) and the M.E.Doc link. As expected, this was an excellent talk, showcasing some really good research.

We had an excellent time at the conference and want to thank the organisers for putting together such a great event, with many interesting talks as well as an enjoyable social evening at Montpellier's aquarium Mare Nostrum. Meeting passionate individuals from the industry in the pleasant atmosphere of a French city, and with so many interesting things to learn, are all part of what makes Botconf such a great conference. We are looking forward to next year's event in Toulouse.

For a more complete overview of all talks presented at this year's Botconf, we refer to the three-part review by Xavier Mertens: day 1, day 2, day 3.


Adrian Luca & Ionuț Răileanu

