Botconf 2019

3rd - 6th December 2019, Bordeaux

400 participants from all around the world

29 presentations and 3 workshops

4 days of exchanges, discussions and making new friends!

Bordeaux_2019_V3

Schedule

Tuesday 3rd December 2019

14:00 – 17:30
Suricata for bot hunting and classification
Tatyana Shishkova 🗣

Abstract (click to view)

One of the distinguishing features of botnets is communication between the bot and the C&C server. Analyzing network traffic is a part of researching a botnet. Suricata, an open-source network threat detection engine, is a powerful tool not only for finding threats in your network, but also for malware classification by analyzing output from a sandbox environment.
I will show how to use Suricata NIDS on Ubuntu VM, speak about rule writing principles and show step-by-step how to write effective IDS rules for a given traffic. Traffic examples for the training include real traffic from bots for various platforms. The training will focus on new features of the latest version of Suricata, which greatly simplify the rule writing process. I will also show how to read Suricata logs and fix false alarms.
At the end of the class, participants will be able to set up NIDS, find malicious requests in traffic and write effective rules for various protocols using the power of the latest NIDS. The workshop will be useful as for beginners in IDS (knowledge of network protocols would be a plus), so for those who have some experience in writing IDS rules for Snort/Suricata.

14:00 – 17:30
Static Android Malware Analysis Workshop
Max ‘Libra’ Kersten 🗣

Abstract (click to view)

Mobile phones are used more and more in our daily lives. Purely based on someone’s phone, one can find a lot of information: GPS data, chat history, photos, notes, and online banking applications. Because of this, mobile phones are a valuable target for criminals, causing a rise in Android malware.

This workshop will provide an introduction into static Android malware analysis for beginning analysts. For more experienced analysts, the methods to effectively analyse the application will improve their analytical skills. In either case, the time that is required to decompile and analyse applications is reduced.

13:00 – 18:30
How to track an Android botnet by OSINT and APK analysis tools
Suguru Ishimaru 🗣 | Manabu Niseki 🗣 | Hiroaki Ogawa 🗣

Abstract (click to view)

Analyzing malware is an important part of preventing and detecting cyber threats. But it’s not enough. You should learn how malware is spread for understanding the overall threat landscape. So we’d like to propose a unique training which combines malware analysis and C2 / landing page detection by holding Roaming Mantis as an example.

Roaming Mantis is a campaign which uses DNS hijacking to distribute cyber threats such as web-mining, phishing and malicious Android applications. This criminals activities were discovered by Mcafee. After then, the campaign is named by Kaspersky in April 2018 and it’s still very active and rapidly evolving.

We’d like to propose a hands-on for research that takes the campaign as an example. More than 80% of our training is hands-on. Because, we believe analysts / researchers have doing own way everyday. So, we just want to share and introduce our way, method, tools and viewpoints with attendees through this course.

Wednesday 4th December 2019

10:45 – 11:15
DeStroid – Fighting String Encryption in Android Malware
Daniel Baier 🗣 | Martin Lambertz 🗣

Abstract (click to view)

In this paper we present DeStroid, an approach to fully automatically decrypt obfuscated strings from Android apps. We focus in particular on current Android malware using advanced string encryption techniques and show that DeStroid outperforms all publicly available string deobfuscation approaches.

Slides Icon
PDF
Paper Link Icon
Article
11:20 – 12:00
12:05 – 12:35
Unrevealing the Architecture Behind the Counter-Strike 1.6 Botnet: Zero-Days and Trojans
Ivan Korolev 🗣 | Igor Zdobnov 🗣

Abstract (click to view)

The Belonard Botnet was designed to promote servers in Counter-Strike 1.6. In order to achieve that, the botmaster employed the Belonard Trojan, which was spread via malicious game server; an infected pirated build of the Counter-Strike 1.6 client distributed online; and exploits of several RCE vulnerabilities inside the Counter-Strike 1.6 client, from which two are zero-days in the official steam version. Its main objective was to create a botnet from CS 1.6 clients where each infected machine would create fake servers that redirect players to the malicious master server. The Belonard Trojan registered a total of 1,951 fake servers, taking 39% of all game servers on steam. In our presentation, we will disclose the vulnerabilities of the Counter-Strike 1.6 client used by Belonard, uncover its architecture, inner workings and describe the shutdown process.

14:00 – 14:50
14:55 – 15:35
An Android Botnet Analysis – Shaoye Botnet
Min-Chun Tsai 🗣 | Jen-Ho Hsiao 🗣 | Ding-You Hsiao 🗣

Abstract (click to view)

The action of Shaoye botnet started from June 2017. The peak of attacks was seen in January 2018. TWNCERT (Taiwan National Computer Emergency Response Team) received the intelligence about a DNS hijack from Japan NICT (National Institute of Information and Communications Technology) in March 2018. The intelligence indicated that the setting of home routers in Japan had been changed by hackers. Rogue DNS IP was from Taiwan. If user surfed the internet through the hijacked router, he or she will be led to download site which contains malicious APK…

16:05 – 16:45
Tracking botnets with Long Term Sandboxing
Piotr Białczak 🗣 | Adrian Korczak 🗣

Abstract (click to view)

Sandbox systems have become an efficient way to analyze malware behavior. They can provide information about malware in a quick and automatic manner. However their analysis time is usually limited only to a couple of minutes, thus preventing observation of malware behavior in the long run and noticing interesting changes. To resolve these issues, we have created a Long Term Sandboxing system (LTS), which provides means for prolonged automatic analysis of malware behavior. In our presentation we will show how we use it to track botnets – both their infrastructure and operations. Our system has been augmented with network traffic and system resources analyses, providing means for network protocols investigation, including DNS, HTTP(S) and SMTP.

Slides Icon
PDF
16:50 – 17:30
Insights and Trends in the Data-Center Security Landscape
Daniel Goldberg 🗣 | Ophir Harpaz 🗣

Abstract (click to view)

We deployed a large collection of high-interaction deception servers deployed in multiple cloud environments worldwide. Each such deception machine is capable of capturing and recording attacks on various services. This infrastructure provides us with a tremendous amount of data; With this infrastructure, we get to see where attacks originate from, what machines they connect-back to, the ports and services attackers attempt to breach, the processes they initiate – and many more. Using this unique and comprehensive dataset, we explore attack patterns and model the behavior of the attackers.

In this talk, we will guide the audience through our analysis and present some interesting findings. For example, do attackers really change behavior after new vulnerabilities are disclosed? What is the lifetime of an attack machine or a command-and-control server? Do attackers bother staying persistent on victim machines? Using our results, we will provide a clearer picture of today’s data-center-oriented Cyber attacks.

Slides Icon
PDF
17:35 – 18:15
The Hunt for 3ve
Dimitris Theodorakis 🗣 | Ryan Castellucci 🗣

Abstract (click to view)

3ve (pronounced “Eve”) was a global, complex family of online ad fraud operations, each designed to evade detection. A cross-industry alliance dismantled 3ve, resulting in the indictment and arrest of its perpetrators. This is the first time that consequences of this magnitude have been created for ad fraud.

18:20 – 19:00
Guildma: Timers Sent from Hell
Adolf Středa 🗣 | Luigino Camastra 🗣 | Jan Vojtěšek 🗣

Abstract (click to view)

For several months now, we have been tracking a malware campaign called Guildma. Guildma is powerful combination of a RAT (remote access tool), spyware, password stealer and banker malware, mainly distributed via malicious attachments in phishing emails. The cybercriminals behind Guildma have primarily focused on targeting Brazilian users and services , but since May 2019 they have expanded their range and are now targeting more than 130 banks and 75 other web services around the world. In our analysis, we present the infection process and a detailed description of Guildma’s modules. Due to the time-span covered by this research, we were also able to provide details about the evolution of Guildma.

Slides Icon
PDF

Thursday 5th December 2019

09:00 – 09:30
09:35 – 10:15
Honor Among Thieves:How Stealer Malware Fuels an Underground Economy of Compromised Accounts
Brian Carter 🗣

Abstract (click to view)

Stealers are a class of malicious software that reads in saved credentials from common programs on computers and sends them to criminals who will attempt to monetize the stolen information. This presentation covers the economy of stolen credentials and how they are collected and used for financial gain. There are many families of stealer malware today and this presentation will cover those most commonly encountered and provide information about how to learn more about the campaign, the criminal actors behind them, and how to nullify the impact of stolen credentials.

10:20 – 10:40
Bot with Rootkit: Update and Mine!
Alexander Eremin 🗣 | Alexey Shulmin 🗣

Abstract (click to view)

In June of 2019 we got an interesting sample. When analyzing the activity of this sample, we noticed that for some reason it downloaded a legitimate Microsoft update KB3033929 from its own CnC and installed it on infected machine. And things got more interesting when we began to dig deeper…

Slides Icon
PDF
11:10 – 11:40
“DESKTOP-Group” – Tracking a Persistent Threat Group (using Email Headers)
Tom Ueltschi 🗣

Abstract (click to view)

At BotConf 2015, I presented a lightning talk “Creating your own CTI in 3 minutes”. This presentation is building on that capability to do semi-automated malware analysis based on a commercial sandbox solution. I will discuss a malware campaign analysis from a persistent threat actor (or group) over the past 18 months and still ongoing. The attacks are linked by email headers, targeting, and malware C&C infrastructure…

11:45 – 12:10
The Bagsu Banker Case
Benoit Ancel 🗣

Abstract (click to view)

The carding ecosystem is constantly evolving. The actors have to adapt their methodology to continue to steal from the banks with a good cost effectiveness ratio. To maintain this balance, the carders have moved towards infrastructure as a service, making the analyst’s work more and more complex. We have discovered the infrastructure of a quiet banking Trojan actor that has been targeting German users since at least 2014. Our presentation aims to give a technical insight into the whole operation: infrastructure, multi platform trojans, money laundering schemes and their recent move towards the malware-as-a-service markets like Dreambot, Trickbot or even Emotet.

12:15 – 12:35
Tracking Samples on a Budget
Alexandre Holzer 🗣

Abstract (click to view)

I would like to present a feedback on my own experience developing and running a malware tracker (feeds, development choices, architectures, methodologies, crawling heuristics, data pivots, special cases, deception and results) to make a collection from open source data and almost for free. At the time I was student in computer security. 2 years ago, I got interested in learning how to find fresh malware samples in the wild and how to analyze them. I discovered some existing malware samples and C2 trackers like Cybercrime, Malc0de or Malekal which gave me some inspiration. Apart from the fact that it seems to be a French specialty, I have been very interested in learning to understand how they can work and to develop mine. This project is about finding URL spreading malicious files, filtering samples with specific features, process it over multiple analyzers and store it.

Slides Icon
PDF
14:00 – 14:50
14:55 – 15:20
Finding Neutrino Botnet: from Web Scans to Botnet Architecture
Kirill Shipulin 🗣 | Alexey Goncharov 🗣

Abstract (click to view)

In August 2018, we began to record mass scans of phpMyAdmin systems. Scans were accompanied by bruteforcing of 159 various web shells with the command die(md5(Ch3ck1ng)). This information became the starting point of our investigation. Step by step, me and my colleagues have uncovered the whole chain of events and ultimately discovered 2 large malware campaigns ongoing since 2013. In my presentation I will give the details of this notable botnet and the whole story, from start to finish.

Slides Icon
PDF
15:20 – 15:40
BackSwap Malware Campaign Evolution
Carlos Rubio Ricote 🗣 | David Pastor Sanz 🗣

Abstract (click to view)

This article will explain in detail the follow-up since the BackSwap malware was discovered in May 2018, as well as the different campaigns that the group behind BackSwap has carried out towards financial institutions from different countries, cryptocurrency exchanges, and its new evolution after a few months of inactivity.

16:10 – 16:50
Winnti Arsenal: Brand-new Supplies
Mathieu Tartare 🗣 | Marc-Étienne Léveillé 🗣

Abstract (click to view)

This presentation is the result of a long-term research uncovering new unpublished details on the arsenal of the Winnti umbrella. The Winnti umbrella consists in multiple threat actors having in common the use of a custom backdoor for their operations, the Winnti malware. It is active since at least 2009 and is mostly targeting the video-game industry even though it is also known to have compromised other high-profile targets such as the pharmaceutical industry. They are also known for certificates theft used to sign their malwares.

16:55 – 17:45
DFIR & Crisis Management – Post-mortems & Lessons Learned in the Pain from the Field
Vincent Nguyen 🗣 | Jean Marsault 🗣 | Antoine Vallée 🗣

Abstract (click to view)

This presentation aims to summarize the best wins & fails of crisis management based on our field experience. We will cover different phases of a crisis with real life examples such as:

  • A CISO and a CIO convinced that a member of their team is in collusion with the adversary.
  • An “AD dump” found on a threat actor server mobilized more than 300 people… before becoming a false positive.
  • A classic threat hunting that became an incident response following the discovery of Conficker… 9 years after its discovery.
  • Etc.

Lightning talks



















Friday 6th December 2019

09:30 – 10:10
End-to-end Botnet Monitoring with Automated Config Extraction and Emulated Network Participation
Kevin O’Reilly 🗣 | Keith Jarvis 🗣

Abstract (click to view)

With the quantity and sophistication of bots and botnets ever increasing, automation is key in gathering threat intelligence, and disseminating it to defence systems. With botnets’ rapid flux in nodes and update sources, this information needs to be captured and distributed as quickly as possible. In this talk we will look at an approach to this problem, whereby threat intelligence is automatically gathered from bot samples and the botnets they belong to, allowing prompt distribution to security software on endpoints to allow their monitoring to detect the latest threats.

Slides Icon
PDF
10:15 – 10:45
Roaming Mantis: A Melting Pot of Android Bots
Suguru Ishimaru 🗣 | Manabu Niseki 🗣 | Hiroaki Ogawa 🗣

Abstract (click to view)

In March 2018, thousands of home routers were potentially compromised by a criminal campaign called “Roaming Mantis” in Japan to overwrite DNS settings to use a rogue DNS. This criminal has strong financial motivation. Devices under the compromised router, such as Android, iOS, PC were targeted. They have been rapidly improving their malicious contents for each platform. In addition, the attacker implemented their malicious contents which support 27 languages for targeting around the world. Based on our research, we would like to disclose the details of this campaign such as the mind of the criminals, the details of malicious contents and how they compromised routers to share with researchers and CERTs…

Slides Icon
PDF
11:15 – 11:55
The Cereals Botnet
Robert Neumann 🗣 | Gergely Eberhardt 🗣

Abstract (click to view)

A new under-the-radar botnet targeting Network Access Storage (NAS) and Network Video Recorder (NVR) devices, has been discovered. The botnet originates back to 2013, uses a known vulnerability for infection, and is still active as of today. Our research shows that it is infecting a range of devices from a well-known vendor in the consumer software space, however these devices are so popular that compromised examples can be found in both small businesses and governments alike. What makes this botnet unique is the way that it was built from stock components with only very few custom-built binaries; the separation of its subnets; and the way host nodes communicate with the C2. Years later the vendor fixed the targeted vulnerability, however, a large chunk of infected nodes’ firmware has either never been updated or the devices have not been restarted in years.

Slides Icon
PDF
12:00 – 12:30
YARA-Signator: Automated Generation of Code-based YARA Rules
Felix Bilstein 🗣 | Daniel Plohmann 🗣

Abstract (click to view)

Composing YARA rules based on these feats requires a lot of experience and is typically done manually or at best tool-assisted, which still is a tedious and time-consuming process. In this presentation, we introduce YARA-Signator, an approach for the fully automated isolation of these characteristic code regions and the construction of YARA rules targeting them.

Slides Icon
PDF
Paper Link Icon
Article
14:00 – 14:30
Using a Cryptographic Weakness for Malware Traffic Clustering and IDS Rule Generation
Matthijs Bomhoff 🗣 | Saskia Hoogma 🗣

Abstract (click to view)

Encrypted C&C data can make the life of malware analysts and incident handlers a lot harder, as it can make C&C traffic a lot harder to recognise, when done right. Fortunately, not every malware author is able to implement encryption in a secure way. A well-known vulnerability in the use of cryptography (that also led to attacks on older standards for Wi-Fi protection) is still present in a number of wide-spread malware families. In this presentation we show how this cryptographic weakness can be used for several analysis purposes. We show how the presence of the weakness can be detected using traffic gathered in sandboxes. We also show how clustering can be applied to encrypted data to group different variants (with potentially different and unknown encryption keys) of the same malware together while at the same time gathering structural information about the plaintext. And finally, we show how information on the plaintext structure of a malware family can in some cases be used to automatically generate IDS signatures for new variants using only a single ciphertext and without extracting the key itself from the binary.

14:35 – 15:05
Emotet : WordPress Compromises at Scale
Sébastien Mériot 🗣

Abstract (click to view)

The Emotet banking trojan has been studied by many researchers since it was first discovered in 2014. In particular, the infection scheme and the Command & Control architecture are both pretty well documented. However, few researchers investigated the way the payloads were dropped on the compromised websites and how the polymorphism has been implemented. This presentation aims to focus on the latter aspect, describing how the payloads are dropped on the compromised websites and how the polymorphism has been implemented by the Emotet’s herders. New layers of the botnet architecture would be unveiled during the presentation.

15:10 – 15:50
Zen: a Complex Campaign of Harmful Android Apps
Łukasz Siewierski 🗣

Abstract (click to view)

Android malware authors go to great lengths to come up with increasingly clever ways to monetise their apps. The author (or a group) presented during my talk shows quite the range, from simply repacking apps with a bespoke advertising SDK to writing a sophisticated rooting trojan with new techniques never seen in other harmful apps. Their most complex creation is called “Zen”. Zen bundles exploits to gain privileged root access. It then uses this access to create fake Google accounts on devices. These accounts are created by abusing accessibility service with additional help from code injection.

15:55 – 16:25
Malspam is different spam
Martijn Grooten 🗣

Abstract (click to view)

Malspam’ (an umbrella term for spam campaigns that deliver malware or send users to phishing sites) has long been the prominent way for individuals and organisations to get themselves infected. These campaigns are opportunistic (i.e. non targeted), which distinguishes them from very targeted spear-phishing campaigns. Yet these malspam campaigns also differ in a number of fundamental ways from ordinary spam, which positively affects their effectiveness and negatively affects our ability to analyse them. In this talk, I will explain how most malspam campaigns differ from ordinary spam, based on years of studying the email part of such campaigns in our lab. I will discuss how this makes them a lot better at bypassing email filters and how this affects their visibility.

Slides Icon
PDF
16:30 – 17:00
Demystifying Banking Trojans from Latin America
Juraj Horňák 🗣 | Jakub Souček 🗣 | Martin Jirkal 🗣

Abstract (click to view)

At the end of 2018, it has been reported that Latin America suffers approximately 3.7 million cyber-attacks per day. Even the most well-known pieces of malware, such as TrickBot or Emotet, have their eyes set on this region. When it comes to malware that originates in those countries, the first thing that comes to mind are those infamous, huge, mostly Delphi-written banking trojans. These banking trojans have been our focus for over a year now. They are completely different from what is generally called a banking trojan and because their authors tend to copy from one another or from the same sources, all of them are very similar to each other. That is the main reason we see only generic detections. Our research started with identifying strong characteristics that allowed us to identify more than 10 new malware families among them…

Slides Icon
PDF

Our official partner

evenement_CECyF_en

Our sponsors

Platinum

google-logo
whiteOpsLogoVertBlack_v3

Gold

logo-avast
certsg
2019ovhLogoColor
2019SANS-EMEA-18-Logo-RGB-HR
2019-2-GOLD-LaPoste-TEMPORARY1
logo_LightBG1_tagline

Silver

OCD-2lines (1)
blueliv
CERT-CM-EI-sans
GATEWATCHER_RVB_HD_LOGO
lexfo

Bronze

CSIS_LOGO_WEB_RGB_TURQUOISE_556x218
CARTOUCHE_DIGITAL_SECURITY_FOND_BLEU_RVB2019-01
FOX-IT-merkteken-Pos-RGB-1200
VIGILANTEtransparent4-1
NTT_Stacked_RGB
proofpoint-logo-64BEA4E41A-seeklogo.com
sekoia-logo_nom-blanc_sur_noir
Strangebee
synacktiv-logo-noir
Scroll to Top