Botconf 2015

2nd - 4th December 2015, Paris

250 participants from all around the world

29 presentations

3 days of exchanges, discussions and making new friends!

affiche-botconf-A2

Schedule

Wednesday 2nd December 2015

11:20 – 11:50
Slides Icon
PDF
11:50 – 12:40
Ponmocup, the full story: A giant hiding in the shadows
Maarten van Dantzig 🗣 | Yonathan Klijnsma 🗣

Abstract (click to view)

Ponmocup is one of the most successful and longest running botnets of the past decade. First detected in 2006, as Vundo or Virtumonde, and detected as Ponmocup starting in 2011, we believe this is one of the most underestimated botnets still under continuous development.
Though Ponmocup has received a minimal amount of attention from the security community, it is in fact a sophisticated botnet serving different purposes. Though these purposes have often been described as low-risk functionalities, the malware is actually used by a group of sophisticated criminals who use the botnet for various (financials) gains, and are likely conducting a limited amount of targeted attacks.

Slides Icon
PDF
12:40 – 13:00
DGA clustering and analysis: mastering modern, evolving threats
Aliaksandr Chailytko 🗣 | Aliaksandr Trafimchuk 🗣 | Ron Davidson

Abstract (click to view)

Conficker was the first to introduce Domain Generation Algorithms to the malware world. Today’s modern malware practically use it as a basic building block.
Malware researchers have tackled this problem with various tools and techniques with varying degrees of success.
In this talk, we will present a method which allows us to analyze samples of a specific malware family that is utilizing a DGA technique. It works regardless of the DGA initialization vector and with no RE required – enabling a cluster based analysis. This method also automatically ranks potential sinkhole domains and allows analysis of the whole malware family, specific campaign, etc.
We will present the POC of our system and demonstrate its abilities on the Tinba malware family. This will include showing connections between different campaigns and compelling results. Most importantly, we will discuss how to utilize the outcome of the analysis in order to create smarter protections against similar malware.

Slides Icon
PDF
Video
Paper Link Icon
Article
14:00 – 14:20
Sandbox detection for the masses: leak, abuse, test
Zoltan Balazs 🗣

Abstract (click to view)

Manual processing of malware samples became impossible years ago. Sandboxes are used to automate the analysis of malware samples to gather information about the dynamic behaviour of the malware, both at AV companies and at enterprises. Some malware samples use known techniques to detect when it runs in a sandbox, but most of these sandbox detection techniques can be easily detected and thus flagged as malicious. During my research I invented new approaches to detect these sandboxes. I developed (and will publish during my presentation) a tool, which can collect a lot of interesting information from these sandboxes to create statistics how the current technologies work (and fail). After analyzing these results I will demonstrate tricks to detect sandboxes. These tricks can not be flagged easily as malicious. Some sandboxes are not interacting with the internet, in order to block data extraction, but with some DNS-fu the information can be extracted from these appliances as well.

Slides Icon
PDF
Video
Paper Link Icon
Article
14:20 – 14:50
(Mostly) Polish threat landscape: not only VBKlip
Łukasz Siewierski 🗣

Abstract (click to view)

Last year, I presented a talk about Polish malware authors. Since then, we acquired even more knowledge and Polish malware market evolved slightly. Of course, there still are ”hacker” forums, which use simple, leaked and cracked keyloggers and sell their services to anyone with enough money. However, this is probably the same case in any other country.
On the other hand, major players start emerging. VBKlip and Banatrix, which were used to replace the bank account number in the Windows clipboard, evolved to a more sophisticated, webinject-based malware. This means that Polish authors are constantly learning from other malware families. This evolution mimics what was happening in the banking trojan market during the last couple of years – starting with simple, one-off attacks moving to a
more structured way of stealing money.

Video
14:50 – 15:40
15:40 – 16:00
Make It count: An analysis of a brute-forcing botnet
Veronica Valeros 🗣

Abstract (click to view)

What does a botnet do when it gets bored? Make every infection second count – even if it means to use the infection time for brute forcing.
This presentation aims to show a complete sandbox infection cycle, which started with a seemingly Gamarue infection and end up with an automated horizontally brute forcing malware and more than 4000 WordPress sites targeted.
By performing an in-deep network traffic analysis of a 15 days network capture, the talk will unveil how this botnet works.

Slides Icon
PDF
Video
Paper Link Icon
Article
16:30 – 17:20
The missing piece in threat intelligence
Frank Denis 🗣

Abstract (click to view)

Information sharing has become increasingly important to reduce risk against security threats. From public feeds to mechanisms for privately exchanging information between security researchers, the number of threat intelligence feeds may very well exceeds the number of actors being tracked. These information have proved to be useful for enterprise defense. However, from an infrastructure provider perspective, the current threat intelligence data and tools appear to be clearly insufficient.
In this presentation we will describe some shortcomings we found with threat intelligence feeds, and how their overall quality and relevance could be improved by engaging infrastructure providers. Finally, we will do a live demonstration of ERIS, an opensource implementation of our proposal, to be released during Botconf ’15.
Submitted

Slides Icon
PDF
Video
Paper Link Icon
Article
17:20 – 17:50
Honey ?! Where is my PoS ?
Marc Doudiet 🗣

Abstract (click to view)

It doesn’t pass a month without a news about a new POS (point-of-sale) malware or credit card data breach. By nature, the details of this kind of breach cannot be public (banks, ongoing investigation, reputation, …). But what do we know really from POS malware ? Can we create groups of malware related to group of cyber criminals ? As we already do for standard malware, we need a honeypot for POS, so we can share publicly the TTP (techniques, tactics, and procedures) of POS cyber criminals.
The goal of this presentation is to explain how we can create a honeypot for POS with open source tools or custom scripts, and to show the results of 3 months of a running honeypot (samples, TTP, groups, …).

Slides Icon
PDF
17:50 – 18:30
Takedowns: case studies and what we all could be doing better
John Bambenek 🗣

Abstract (click to view)

We have all seen the splashy headlines of large threats being subjected to takedowns only to re-emerge days (or hours) later. A few takedowns, however, have achieved long term results. This talk will focus on how recent successful operations were accomplished, what tools are the most helpful and what we all can do to make takedowns more frequent and more successful.

Slides Icon
PDF
Video

Thursday 3rd December 2015

09:00 – 09:50
DGArchive – A deep dive into domain generating malware
Daniel Plohmann 🗣

Abstract (click to view)

An observable trend in recent years of malware development is the increased use of Domain Generation Algorithms (DGAs). After having announced the project “DGArchive” in a lightning talk of last year’s Botconf, we would like to follow up with a full talk proposal for this year.
The core idea of DGArchive is to create a high-coverage database of DGA domains. On the one hand, this allows time-independent checks on potential DGA domains, on the other hand, blocklists can be derived for network protection.

Slides Icon
PDF
Video
09:50 – 10:30
Travelling to the far side of Andromeda
Jose Miguel Esparza 🗣

Abstract (click to view)

Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc.

Slides Icon
PDF
11:00 – 11:30
Whose phone is in your pocket?
Mikhail Kuzin 🗣 | Nikita Buchka 🗣

Abstract (click to view)

In later April we discovered an Android malware that used for installing backdoor with root priveleges on the devices. This malware is popular in Russia, India, Ukraine, Algeria, but the spread is not limited to this countries. Our research has revealed infection cases all over the world. The malware is distributed via popular third-party stores and was available for download on Google Play from May 22, 2015 to June 9, 2015 (100 000 – 500 000 installs). Command servers for the backdoor is hosted by Amazon clouds…

Slides Icon
PDF
11:30 – 11:50
Building a better botnet DGA mousetrap: separating mice, rats and cheese in DNS data
Josiah Hagen 🗣 | Miranda Mowbray 🗣 | Prasad Rao 🗣

Abstract (click to view)

Botnets and other malware are getting better and better at evading blacklisting in enterprise networks. This draft paper is about an approach for detecting such botnets or other entities, using Domain Name Service (DNS) data and machine learning. Three distinguishing features of this work are that we identify what family of blacklist-evading malware a host machine is infected with, not just that it is infected, using only DNS data as input; that we use syntactic rules in addition to machine learning; and that we currently deal with over two dozen malware families.

Slides Icon
PDF
11:50 – 12:30
Building a hybrid experimental platform for mobile botnet research
Apostolos Malatras 🗣 | Laurent Beslay

Abstract (click to view)

Mobile botnets are an emerging security threat that aims at exploiting the wide penetration of mobile devices and systems and their vulnerabilities in the same spirit of traditional botnets. Mobile botmasters take advantage of infected mobile devices and issue command and control operations on them to extract personal information, cause denial of service or gain financially. To date, research on countering such attacks or studying their effects has been conducted in a sporadic manner that hinders the repetition of experiments and thus limits their validity. We present here our work on a hybrid experimental platform for mobile botnets that supports the execution and monitoring of related scenarios concerning their infection, attack vectors, propagation, etc. The platform is based on principles of flexibility, extensibility and facilitates the setup of scalable experiments utilising both real and emulated mobile systems. We also discuss a novel method of estimating the active bot population in a botnet and illustrate its deployment on the experimental platform.

Slides Icon
PDF
Video
Paper Link Icon
Article
12:30 – 13:00
14:00 – 14:40
BoxBotNet
Paul Jung 🗣

Abstract (click to view)

A hosted box botnet, is a botnet of compromised web servers, usually using vulnerabilities in CMS on low cost hosted servers. Since last year I had followed an indonesian group which operate this kind of botnet and resell access to theses powned servers.
The amazing thing is that this botnet is self expanding since compromised servers are automatically findings and compromizing other servers.

Slides Icon
PDF
Video
14:40 – 15:30
Malware Instrumentation: Application to Regin Analysis
Matthieu Kaczmarek 🗣

Abstract (click to view)

The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering. An introduction to the Regin development framework is provided along with an instrumentation guidelines. Such instrumentation enables experimentation with malware modules. So analysis can derectly leverage malware’s own code without the need to program an analysis toolkit. As an application of the presented instrumentation, the underlying botnet architecture is analysed. Finally conclusions from different perspectives are provided: defense, attack and counter intelligence.

Slides Icon
PDF
Video
Paper Link Icon
Article
16:00 – 16:40
Practical Experiences of Building an IPFIX Based Open Source Botnet Detector
Mark Graham 🗣 | Adrian Winckles 🗣 | Erika Sanchez 🗣

Abstract (click to view)

The academic study of flow-based malware detection has primarily focused on NetFlow v5 and v9. In 2013 IPFIX was ratified as the flow export standard. As part of a larger project to develop protection methods for Cloud Service Providers from botnet threats, this paper considers the challenges involved in designing an open source IPFIX based botnet detection function. This paper describes how these challenges were overcome and presents an open source system built upon Xen hypervisor and Open vSwitch that is able to display botnet traffic within Cloud Service Provider-style virtualised environments. The system utilises Euler property graphs to display suspect “botnests”. The conceptual framework presented provides a vendor-neutral, real time detection mechanism for monitoring botnet communication traffic within cloud architectures and the Internet of Things.

Slides Icon
PDF
Video
Paper Link Icon
Article
16:40 – 17:00
The dirty half-dozen of the Brazilian threat landscape
Tal Darsan 🗣

Abstract (click to view)

Brazilian Cybercrime? Easy Does It!
Brazil is a unique cybercrime landscape that has evolved on its own to surpass even the Russian-speaking underground in terms of how large and diverse it is. Brazilian cybercrime has considerably expanded in 2014, and now includes new malware and schemes engineered by local cybercriminals to steal online banking and bank customer data in order to commit fraud.
Although Brazilian malware expertise is not considered to come remotely close to the technical sophistication displayed by its Eastern European counterparts, it does adhere to a universal rule all cybercriminals revere: take the path of least resistance. Malware written and used in Brazil is almost ridiculously simple, but unfortunately, many times it is this very simplicity that does the trick.

17:00 – 17:30
Automatically classifying unknown bots by the register messages
Ya Liu 🗣 | Bing Song 🗣

Abstract (click to view)

The ever-increasing number of malware/botnet samples demands efficient and scalable classification solution for better detection and prevention. C&C protocol based classification has proved to be effective and accurate. However, it’s not trivial to acquire new samples’ detailed C&C protocol, which decreases the scalability of C&C based classification. In this talk we present a simplified classification solution, which is based on the C&C register message. Similarities in semantics/structure of register messages are studied and used. Because of the easier acquisition of register messages, we think our solution is easy to automate and has better scalability. The implementation details and evaluation result would be talked.

Slides Icon
PDF
Video
Lightning talks

Slides Icon
PDF

Slides Icon
PDF



Slides Icon
PDF

Slides Icon
PDF

Slides Icon
PDF

Slides Icon
PDF

Slides Icon
PDF

Slides Icon
PDF

Slides Icon
PDF

Friday 4th December 2015

09:30 – 10:00
The story of Cryptowall: a historical analysis of a large scale cryptographic ransomware threat
Yonathan Klijnsma 🗣

Abstract (click to view)

For almost two years Cryptowall has been making its rounds encrypting the files of victims and extorting them for money in the form of Bitcoins. Following in the footsteps of Cryptolocker Cryptowall has made many victims including law enforcement, large organizations as well as the general public.

Slides Icon
PDF
Video
10:00 – 10:30
Powered by JavaScript
Renaud Bidou 🗣

Abstract (click to view)

Current capabilities of JavaScript turns the browser into the perfect host for a botnet agent. It can be compromised through different vectors, offers a wide range of functionalities, provides persistence and storage, communicates freely with many C&C channels, and behaves like a perfect pivoting point for further propagation into the internal network, or anywhere else.
Therefore JavaScript is to be considered as a powerful botnet enabler, deeply interlaced with other underlying technologies, such as HTML5, WebRTC or even local shells, and able to interfere at any level of the botnet lifecycle.
This presentation aims at identifying most of the recent JavaScript-based techniques which have proved to be efficient in the implementation of core botnet capabilities (injection, control, persistence, propagation, and of course operations from the compromised browser), and to show how one could build a 100% javascript botnet able to defeat most of the defenses currently found in today’s IT.

Slides Icon
PDF
Video
11:00 – 11:50
Inside DarkComet: a wild case-study
Jeremy du Bruyn 🗣

Abstract (click to view)

This research discusses the application of a framework for the automated analysis of malware samples, specifically botnet binaries, which automates the collection, analysis, and infiltration of botnets. Due to the increased number of samples released daily, such frameworks have become a necessity for anti-malware organisations and product vendors. Some academic research has recently been concluded into their design and development. a case-study was conducted which resulted in the collection of 83,175 DarkComet RAT samples, of which 48.85% were successfully analysed and their configuration information extracted, leading to the infiltration of 751 Command and Control servers which provided information on 109,535 unique victim computers. The collection of the DarkComet bot binaries occurred between August of 2013 and June 2014, with CNC infiltration commencing on 10 May 2014 and concluding on 6 June 2014. A refined exploit for the QUICKUP vulnerability, previously document, which prevents detection by botmasters and supports the downloading of large files is provided. The document presents an analysis of the configuration data extracted from the collected malware samples.

11:50 – 12:30
Air-gap limitations and bypass techniques: “command and control” using Smart Electromagnetic Interferences
Chaouki Kasmi 🗣 | José Lopes Esteves 🗣 | Philippe Valembois 🗣

Abstract (click to view)

Air gaps are generally considered to be a very efficient information security protection. However, this technique also showed limitations, involving finding covert channels for bridging the air gap. Interestingly, recent publications have pointed out that a smart use of the intentional electromagnetic interferences introduced new threats for information security. In this paper, an innovative way for remotely communicating with a malware installed on a computer by involving the induced perturbations is discussed leading to the design of a new air gap bridging covert channel.

Slides Icon
PDF
Video
Paper Link Icon
Article
12:30 – 13:00
14:00 – 14:40
Sality
Peter Kleissner 🗣

Abstract (click to view)

Sality is one of the longest-alive threats and probably the most underrated botnet ever. It made its first appearance in 2003 and is still active in 2015.
There are more than 2 million active infections (as per 24 hours) and it has advanced features like a peer-to-peer botnet, a rootkit which is able to kill AVs and a nasty file infector.

Slides Icon
PDF
Video
14:40 – 15:20
A moose once bit my honeypot – A story of an embedded Linux botnet
Olivier Bilodeau 🗣

Abstract (click to view)

Embedded Linux platforms, labeled “Internet of Things” devices these days, have been increasingly targeted by malware authors in the last few years, with most infections resulting in the compromised system taking part in a botnet. While many of these botnets have been used to perform distributed denial of service (DDoS) or DNS hijacking attacks, we took the opportunity to thoroughly investigate a slightly different take on the Embedded Linux Botnet landscape.
Targeting Linux-based consumer routers, Linux/Moose is used by its operators to perform fraud on social networking sites like Facebook, Instagram, Twitter and YouTube. With this intent, it is built with SOCKS and HTTP proxying capabilities and a generic packet sniffer and exfiltration mechanism. To increase the size of its botnet, Linux/Moose uses several scanner threads that find and infect hosts, with the assistance of a C&C server to provide a binary specific to the victim’s architecture. Additionally, the malware has code to enable it to spread past firewalls and performs NAT traversal to allow the operator inside firewalled networks.

External link: Online presentation
Slides Icon
PDF
15:20 – 16:00
Behavior-driven development in malware analysis
Thomas Barabosch 🗣

Abstract (click to view)

A daily task of malware analysts is the extraction of behaviors from malicious binaries. Such behaviors include domain generation algorithms, cryptographic algorithms or deinstallation routines. Ideally, this tedious task would be automated. So far scientific solutions have not gotten beyond proof-ofconcepts. Malware analysts continue to reimplement behaviors of interest manually. However, often times they merely translate the malicious binary assembler code to a higher-level language. This yields to poorly readable and undocumented code whose correctness is not ensured. In this paper, we aim at overcoming these shortcomings by integrating Behavior-Driven Development in the malware analysis process. We explain in detail how the integration of Behavior-Driven Development into the malware analysis process can be done. In a case study on the highly obfuscated malware Nymaim, we show the feasibility of our approach.

Slides Icon
PDF
Video
Paper Link Icon
Article
Scroll to Top