Botconf Author Listing

This presentation will discuss digital threats against civil society groups outside the West: journalists and independent media organizations, human rights activists, defenders of minorities’ rights, women’s rights organizations etc. On top of the digital threats that any organization around the world faces – phishing, malware, business email compromise etc. – these organizations face more targeted threats related to their activities. These vary from the technically very advanced, including zero-day using spyware like Pegasus, from the technically mundane but really impactful, like social media accounts being hacked or banned.

The first part of the presentation will discuss the context in which civil society groups operate in the digital world, then discuss the threats they are facing, including the support they receive in responding to these threats. The second and main part of the presentation will cover real-world examples of such threats and focus on the real-world impact these threats have, including the psychosocial impact. The final part will cover what can be done to support civil society in the rest of the world and in particular what the Botconf audience could do to help.

Malspam’ (an umbrella term for spam campaigns that deliver malware or send users to phishing sites) has long been the prominent way for individuals and organisations to get themselves infected. These campaigns are opportunistic (i.e. non targeted), which distinguishes them from very targeted spear-phishing campaigns. Yet these malspam campaigns also differ in a number of fundamental ways from ordinary spam, which positively affects their effectiveness and negatively affects our ability to analyse them. In this talk, I will explain how most malspam campaigns differ from ordinary spam, based on years of studying the email part of such campaigns in our lab. I will discuss how this makes them a lot better at bypassing email filters and how this affects their visibility.

Mevade (also known as Sefnit) is a botnet that engages in click-fraud and cryptocurrency mining. Mevade is noticeable for two reasons. Firstly, it is huge: at some point, several millions of computers had been infected. And secondly, when it hosted its C&C servers on Tor hidden services, it almost took down the Tor network. In this presentation we will give an overview of what is known about Mevade and how the botnet has evolved over time. A large part of the presentation will focus on the research performed on the non-Tor C&C communication and the somewhat unusual choice of domain names for C&C communication. We will also discuss about links between Mevade and other kinds of adware and malware. We are actively following this botnet and the developments around it and will of course present any developments taking place in the months prior to the conference.

Outline of presentation:

• History of Mevade
• Overview of the malware
• Click-fraud
• Cryptocurrency mining and the Stratum mining protocol used by Mevade
• Network communication Using Tor for C&C
• Links to other kinds of botnet and malware
• New developments