Botconf 2017

Formatting for Justice: Crime Doesn’t Pay, Neither Does Rich Text Botconf 2017 Friday | 09:40 – 10:10 Anthony Kasza 🗣 Due to it’s flexibility and capacity for embedding other objects, the rich text format (RTF) is a preferred file type used by both precision and quantity focused threat actors. This presentation will discuss the state […]

PWS, Common, Ugly but Effective Botconf 2017 Friday | 10:10 – 10:40 Paul Jung 🗣 PassWord Stealer (PWS) are around since more than a decade now. They are legions. Some like Pony, aka FareIT are well known. But nobody takes really time to explain what is around, what it is capable of and how this

Nyetya Malware & MeDoc Connection Botconf 2017 Friday | 11:10 – 11:50 Paul Rascagnères 🗣 | David Maynor 🗣 The 27th of June 2017, a new wormable malware variant has surfaced. Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. The presentation

Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples Botconf 2017 Friday | 11:50 – 12:30 Yohai Einav 🗣 | Hongliang Liu | Alexey Sarychev We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seed in real-time DNS query traffic. By combining real-time DNS traffic

Hunting Attacker Activities — Methods for Discovering, Detecting Lateral Movements Botconf 2017 Friday | 12:30 – 13:00 Shusei Tomonaga 🗣 | Keisuke Muda 🗣 When attackers intrude into a network by APT attack, malware infection spreads to many hosts and servers. In incident investigations, it is important to examine what actually happened during lateral movement through log