Schedule – Botconf 2019

Tuesday December 3rd 2019


You need a separate ticket for workshops. Lunch will be served from 12:00 and workshops start at the times indicated below. A coffee break is offered at 15:30. Registration for workshop participants will be open from 11:00.

– 17:30

Suricata for bot hunting and classification
Tatyana Shishkova

One of the distinguishing features of botnets is communication between the bot and the C&C server. Analyzing network traffic is a part of researching a botnet. Suricata, an open-source network threat detection engine, is a powerful tool not only for finding threats in your network, but also for malware classification by analyzing output from a sandbox environment.
I will show how to use the Suricata NIDS on an Ubuntu VM, speak about rule writing principles and show step-by-step how to write effective IDS rules for given traffic. Traffic examples for the training include real traffic from bots for various platforms. The training will focus on new features of the latest version of Suricata, which greatly simplify the rule writing process. I will also show how to read Suricata logs and fix false alarms.
At the end of the class, participants will be able to set up a NIDS, find malicious requests in traffic and write effective rules for various protocols using the power of the latest NIDS. The workshop will be useful both for beginners in IDS (knowledge of network protocols would be a plus) and for those who have some experience in writing IDS rules for Snort/Suricata.
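As an added example (not part of the workshop material or of the Suricata project), the block below shows the two halves the abstract describes: a C&C beacon rule written in the Suricata 5 sticky-buffer syntax (http.method, http.uri, http.user_agent), and a small triage of eve.json alert records that flags a rule firing from many internal hosts towards one destination as a false-alarm candidate and emits a threshold.config suppress entry for it. The rule text, SIDs, hosts and EVE log lines are all constructed for illustration.

```python
"""Triage Suricata EVE alerts: separate bot C&C hits from noisy rules.

Added example, not part of the workshop material. The rule, SIDs, hosts
and EVE log lines below are constructed for illustration.
"""
import json

# Constructed rule in Suricata 5 sticky-buffer syntax. Matching on the
# normalized HTTP buffers rather than raw payload bytes keeps the rule
# robust to header reordering and chunked or compressed bodies;
# startswith/endswith pin the exact request path. Semicolons inside
# content must be hex-escaped as |3B|.
CNC_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"EXAMPLE Bot C&C beacon POST /gate.php"; flow:established,to_server; '
    'http.method; content:"POST"; '
    'http.uri; content:"/gate.php"; startswith; endswith; '
    'http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)"; '
    'classtype:trojan-activity; sid:9000001; rev:1;)'
)


def _eve(ts, src, dst, sid, sig, http):
    """Build one constructed EVE alert line in the shape Suricata writes."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "proto": "TCP",
        "src_ip": src, "src_port": 49152, "dest_ip": dst, "dest_port": 80,
        "alert": {"gid": 1, "signature_id": sid, "rev": 1, "signature": sig,
                  "category": "A Network Trojan was detected", "severity": 1},
        "http": http,
    })


BEACON = {"hostname": "203.0.113.7", "url": "/gate.php", "http_method": "POST",
          "http_user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}
UPDATE = {"hostname": "updates.example.net", "url": "/v2/check", "http_method": "GET"}

# Constructed eve.json excerpt: two real beacons from one infected host, a
# broad "no User-Agent" rule firing from three hosts towards one update
# server, one non-alert record and one truncated line.
EVE_LOG = [
    _eve("2019-12-03T14:00:01.000000+0100", "10.0.0.5", "203.0.113.7", 9000001,
         "EXAMPLE Bot C&C beacon POST /gate.php", BEACON),
    _eve("2019-12-03T14:00:02.000000+0100", "10.0.0.5", "198.51.100.20", 9000002,
         "EXAMPLE HTTP request without User-Agent", UPDATE),
    _eve("2019-12-03T14:00:03.000000+0100", "10.0.0.6", "198.51.100.20", 9000002,
         "EXAMPLE HTTP request without User-Agent", UPDATE),
    '{"timestamp":"2019-12-03T14:00:04.000000+0100","event_type":"flow",'
    '"src_ip":"10.0.0.6","dest_ip":"198.51.100.20"}',
    _eve("2019-12-03T14:05:01.000000+0100", "10.0.0.5", "203.0.113.7", 9000001,
         "EXAMPLE Bot C&C beacon POST /gate.php", BEACON),
    _eve("2019-12-03T14:05:02.000000+0100", "10.0.0.7", "198.51.100.20", 9000002,
         "EXAMPLE HTTP request without User-Agent", UPDATE),
    '{"timestamp":"2019-12-03T14:05:03.000000+0100","event_type":"al',  # truncated
]


def parse_eve(lines):
    """Yield decoded EVE records of event_type 'alert'; skip everything else."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # partial line from a rotated or truncated log
        if rec.get("event_type") == "alert":
            yield rec


def triage(alerts):
    """Summarize alerts per SID: hit count, distinct sources and destinations."""
    summary = {}
    for a in alerts:
        sid = a["alert"]["signature_id"]
        entry = summary.setdefault(sid, {"signature": a["alert"]["signature"],
                                         "hits": 0, "src_ips": set(), "dest_ips": set()})
        entry["hits"] += 1
        entry["src_ips"].add(a["src_ip"])
        entry["dest_ips"].add(a["dest_ip"])
    return summary


def likely_false_positives(summary, min_sources=3):
    """SIDs where many internal hosts trip the rule towards a single destination.

    That pattern usually means a shared legitimate service (updater, CDN)
    rather than a C&C. It is a hint for analyst review, not a verdict: a
    widespread infection beaconing to one server looks the same.
    """
    return sorted(sid for sid, e in summary.items()
                  if len(e["src_ips"]) >= min_sources and len(e["dest_ips"]) == 1)


def suppress_line(sid, ip, track="by_dst"):
    """threshold.config entry silencing one SID for one host, so the rule
    still fires for every other destination instead of being deleted."""
    return f"suppress gen_id 1, sig_id {sid}, track {track}, ip {ip}"


if __name__ == "__main__":
    s = triage(parse_eve(EVE_LOG))
    for sid, e in sorted(s.items()):
        print(sid, e["hits"], sorted(e["src_ips"]), sorted(e["dest_ips"]), e["signature"])
    for sid in likely_false_positives(s):
        print(suppress_line(sid, next(iter(s[sid]["dest_ips"]))))
```

Run stand-alone, the script lists both SIDs with their hit counts and prints a suppress entry only for sid 9000002, whose three sources all point at the update server; the beacon rule, hit twice from a single host, is left alone.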


– 17:30+

Static Android Malware Analysis
Max ‘Libra’ Kersten

Mobile phones are used more and more in our daily lives. Purely based on someone’s phone, one can find a lot of information: GPS data, chat history, photos, notes, and online banking applications. Because of this, mobile phones are a valuable target for criminals, causing a rise in Android malware.

This workshop will provide an introduction to static Android malware analysis for beginning analysts. For more experienced analysts, the methods presented for analysing applications effectively will improve their analytical skills. In either case, the time required to decompile and analyse applications is reduced.


– 18:30

How to track an Android botnet by OSINT and APK analysis tools
Suguru Ishimaru, Manabu Niseki and Hiroaki Ogawa

Analyzing malware is an important part of preventing and detecting cyber threats. But it's not enough. You should learn how malware is spread to understand the overall threat landscape. So we'd like to propose a unique training which combines malware analysis and C2 / landing page detection, using Roaming Mantis as an example.

Roaming Mantis is a campaign which uses DNS hijacking to distribute cyber threats such as web-mining, phishing and malicious Android applications. These criminal activities were discovered by McAfee. The campaign was later named by Kaspersky in April 2018, and it's still very active and rapidly evolving.

We'd like to propose a hands-on research training that takes the campaign as an example. More than 80% of our training is hands-on, because we believe analysts and researchers each do things their own way every day. So we just want to share and introduce our way, methods, tools and viewpoints with attendees through this course.


Wednesday December 4th to Friday December 6th 2019 – Main conference



To be confirmed


DeStroid – Fighting String Encryption in Android Malware
Daniel Baier and Martin Lambertz

Zen: A complex campaign of harmful Android apps
Łukasz Siewierski

The hunt for 3ve
Dimitris Theodorakis, Ryan Castellucci and Tamer Hassan

Golden Chickens: Uncovering A Malware-as-a-Service (MaaS) Provider and Two New Threat Actors Using It
Marco Riccardi, Chaz Hobson and Allison Ebel

Botnet tracking story: from spam mail to money laundering
Thomas Dubier and Christophe Rieunier

Winnti arsenal: brand-new supplies
Mathieu Tartare and Marc-Étienne Léveillé

Short presentations

BackSwap malware campaign evolution
Carlos Rubio Ricote and David Pastor Sanz

Using a cryptographic weakness for malware traffic clustering and IDS rule generation
Matthijs Bomhoff and Saskia Hoogma

Malspam is different spam
Martijn Grooten

Unrevealing the Architecture Behind the Counter-Strike 1.6 Botnet: Zero-Days and Trojans
Ivan Korolev and Igor Zdobnov