Botconf 2018 Talks


  • Colonel Jean-Dominique NOLLET, Head of the C3N – Gendarmerie’s national cybercrime fighting unit France
  • “Chess with Pyotr”, Tillmann WERNER and Brett STONE-GROSS United States of America


  • [Paper] “Swimming in the Cryptonote Pools”, Emilien LE JAMTEL, CERT-EU European Union
  • [Paper] “Code Cartographer’s Diary”, Daniel PLOHMANN, Steffen ENDERS and Elmar PADILLA Germany
  • [Paper] “In-depth Formbook Malware Analysis”, Rémi JULLIAN France
  • [Paper] “Collecting Malicious Particles from Neutrino Botnets”, Jakub SOUČEK, Jakub TOMANEK and Peter KÁLNAI Czechia
  • [Paper] “Automation and structured knowledge in Tactical Threat Intelligence”, Ronan MOUCHOUX and Ivan KWIATKOWSKI France
  • “Hunting for Silence”, Rustam MIRKASYMOV Russia
  • “Internals of a Spam Distribution Botnet”, Jose Miguel ESPARZA Spain
  • “The Dark Side of the ForSSHe”, Romain DUMONT and Hugo PORCHER Canada
  • “Mirai: Beyond the Aftermath”, Rommel JOVEN, David MACIEJAK and Jasper MANUEL Singapore
  • “Leaving no Stone Unturned – in Search of HTTP Malware Distinctive Features”, Piotr BIAŁCZAK Poland
  • “Stagecraft of Malicious Office Documents – A Look at Recent Campaigns”, Dr. Nirmal SINGH India, Deepen DESAI United States of America and Tarun DEWAN India
  • “Let’s Go with a Go RAT!”, Yoshihiro ISHIKAWA and Shinichi NAGANO Japan
  • “Judgement Day”, Thomas SIEBERT Germany
  • “Tracking Actors through their Webinjects”, James WYKE United Kingdom of Great Britain and Northern Ireland
  • “Triada: the Past, the Present and the (Hopefully not Existing) Future”, Łukasz SIEWIERSKI United Kingdom of Great Britain and Northern Ireland
  • “The Snake Keeps Reinventing Itself”, Matthieu FAOU and Jean-Ian BOUTIN Canada
  • “How many Mirai variants are there?”, Ya LIU and Hui WANG China

Short presentations

  • [Paper] “APT Attack against the Middle East: The Big Bang”, Aseel KAYAL and Lotem FINKELSTEIN Israel
  • [Paper] “Cutting the Wrong Wire: how a Clumsy Attacker Revealed a Global Cryptojacking Campaign”, Renato MARINHO Brazil
  • [Paper] “How Much Should You Pay for your own Botnet ?”, Antoine REBSTOCK, Pierre-Edouard FABRE, Emmanuel BESSON France
  • [Paper] “Botception: Botnet distributes script with bot capabilities”, Jan SIRMER and Adolf STREDA Czechia
  • “Trickbot, The Trick is On You!”, Floser BACURIO Jr. and Joie SALVIO Singapore
  • “Hunting and Detecting APTs using Sysmon and PowerShell Logging”, Tom UELTSCHI Switzerland
  • “Everything Panda Banker”, Dennis SCHWARZ United States of America
  • “WASM Security Analysis and Reverse Engineering”, Zhao GUANGYUAN and Wu TIEJUN China
  • “Red Teamer 2.0: Automating the C&C Set up Process”, Charles IBRAHIM France

Workshops – Tuesday December 4th 2018 – Don’t forget to make a separate registration for workshops

  • WS1 – “ExtREme Malware Analysis”, Maciej KOTOWICZ Poland – 6h workshop (schedule: 11:00-13:00 / 14:00-18:00)
    • Reverse Engineering is not an easy task, especially when dealing with malware. A bug hunter may spend some quality time with a nice function, but a malware researcher that deals with tens or hundreds of samples in a short time frame cannot get distracted and must be able to cut fast and precisely into the heart of the malware! This training aims to teach our approach to fast and effective malware reversing, demonstrating some not-so-cutting-edge technologies and tricks that drastically speed up the reversing process. After completing this course, attendees should be able, in a matter of hours, to assess whether a given malware is a new thing or belongs to some known family (and say which one), what data it carries, and how it communicates with its C&C.
  • WS2 – “Introducing a new Cyber Threat Detection System: How Threat Intelligence Halts Tomorrow’s Botnets”, Solomon SONYA United States of America – 4h workshop (schedule: 14:00-18:00)
    • The cyber attack landscape is constantly evolving. Botnets are increasingly pervasive to detect and eradicate. This is because malicious adversaries have advanced techniques used to exploit enterprise networks. Previous paradigms have failed to adequately prevent, detect, respond, and recover from new attacks. As such, the paradigm we use to hunt and eradicate new threats must adapt as well. The purpose of this talk is to introduce a new cyber threat detection system that merges threat intelligence with advanced host, network, and memory forensics to create a better protection paradigm at detecting and preventing new botnet and network command and control activity.

      Developing a robust framework such as this one is not trivial, nor is understanding how to engineer a real-life actionable cyber threat intelligence engine that we will create during the course. In fact, this requires a holistic approach in order to understand how to enhance the paradigm. This hands-on workshop first teaches the participant how to perform host and network forensics. We will learn how to create new distributed network sensors and work with a new tool I am releasing called Themis Network Analyzer. We move into hands-on exercises to learn advanced memory forensics and work with another new tool I am releasing to the community called Xavier Memory Forensics Framework. From here, we pivot into malware analysis to extract pertinent artifacts from the infected host. Next, we take this knowledge into engineering a new threat intelligence engine and intrusion detection that validates our new concept. We finally conclude this workshop with a robust hands-on capstone exercise.

      Many new tools are created and released for this workshop. Participants will walk away from this workshop with new concepts and capabilities to better hunt for malicious actors and botnet activity across the protected enterprise network.

  • WS3 – “Detect, Investigate and Respond using MISP, TheHive & Cortex”, Danni CO, Raphaël VINOT and Saâd KADHI France – 4h workshop (schedule: 14:00-18:00)
    • This workshop will take participants through a journey to familiarise themselves with common activities related to incident response, digital forensics, and cyber threat intelligence using the popular FOSS stack composed of MISP, the Malware Information Sharing Platform, TheHive, a Security Incident Response Platform, and Cortex, a powerful observable analysis and automated response engine.

      The workshop organisers will briefly walk participants through the guiding principles of DFIR and CTI and describe the software stack that will be used throughout the workshop. Participants will then have to work on an incident and try to investigate and respond to it by analyzing various artifacts and leveraging cyber threat intelligence.

      Participants are expected to bring laptops running either VMware Workstation/Fusion or VirtualBox. Laptops must be powerful enough to run two VMs simultaneously. Limited familiarity with Python is a plus to work on advanced cases where automation will be used to speed up the investigation.
