BOTCONF 2013: A real success!
By Cedric Pernet on Thursday 12 December 2013, 16:40 - Security - Permalink
The French computer security landscape is not well known for its ability to communicate and organize huge computer security events. This might change, seeing the recent BOTCONF conference, which was held on 5-6 December 2013 in Nantes, France. This conference had been awaited by the whole French computer security community for quite a long time, and I can tell you it was worth waiting for.
BOTCONF is the "1st Botnet Fighting Conference" as it describes itself. The schedule for the conference, published some time before the actual conference, was already quite a nasty bit of a teaser, showing awesome presentation titles.
I have to say I have not been disappointed by the content, which I will describe later. It was very good, and showed how international the conference was. Yet the best part of BOTCONF was probably the social networking around it. As the official @botconf Twitter account mentioned, there were 23 countries represented at BOTCONF. Be it the breaks between presentations, the lunch or the official dinner, everything was done so that everyone would spend all their time together and talk. It was a great occasion to meet a lot of partners and friends, in a very nice place.
The organizing committee of this conference is the International botnets fighting alliance / Alliance internationale de lutte contre les botnets (AILB-IBFA), a not-for-profit organization registered in France and led by Eric Freyssinet (@ericfreyss).
Just to say a quick word about the organization: it's been amazing. Some of you might know the pain and work it takes to organize such an event, yet the BOTCONF organizers have done it like they had done it fifteen times before. They even managed to stream most of the presentations in real time, which was very nice for all the people who could not attend the event. Congratulations, dudes, you have done a great job!
Now for the content of the presentations. I will be very short, as almost all of the material has been published on the schedule page of the event.
- Preliminary results from the European antibotnet pilot action ACDC. Integrating industry, research and operational networks into detecting and mitigating botnets
As my good friend @xme mentioned in his excellent blog post about the event, "The biggest message passed to the audience was: “We need your help!”"
- Advanced Techniques in Modern Banking Trojans
Thomas showed us how a banking trojan works and how it can bypass two-factor authentication. The BankPatch trojan was shown as an example, together with Feodo+SmsSpy and URLZone. Next, focus was put on browser hijacking techniques, on 64-bit systems and on the difficulties of hooking Chrome. BankGuard, an anti-hook solution from GDATA, was also presented. Thomas finished his talk by discussing more recent C&C structures: BankPatch, ZeuS P2P (GameOver) and Tor trojans.
- Spam and All Things Salty: Spambot v2013
Jessa's goal here was to provide us with information about spam campaigns which use various compromised CMS installations (mostly Joomla and WordPress, very few Drupal) as a way to send spam. On most of these compromised servers, C99shell or WSO panels were found, to ease tasks for the cybercriminals. Since mid-April 2013, Jessa found approx. 240 000 compromised websites, each sending an average of 1497 spam messages on a single day.
- Distributed Malware Proxy Networks
They reminded us that cybercriminals do use a lot of proxies to protect their identity and anonymity on the Internet. Different proxy networks (Kol, Mango and Fluxxy, as they named them) were shown, as well as ways to detect them.
- Legal limits of proactive actions: Coreflood botnet example (short talk)
Presentation by Oğuz Kaan Pehlivan about the legal difficulties of fighting botnets. The example taken is the Coreflood case. While cybercriminals do not follow any rules except their own, security researchers and all the botnet fighters must act according to the law, which makes it much more difficult, often on the edge between legal and illegal.
- Back to life, back to correlation (short talk)
Presentation by Vasileios Friligkos, security consultant at Intrinsec. This short talk was about detecting botnets by using certain indicators of compromise (IOCs). The goal is to stop relying on the usual signatures and to focus on behavioral anomalies instead. To do this, one needs to collect a lot of data (from the network, from the hosts) and have efficient ways to analyze it. A very interesting talk which deserved much more time at BOTCONF.
- Using cyber intelligence to detect and localize botnets (short talk)
- Zombies in your browser
- Spatial Statistics as a Metric for Detecting Botnet C2 Servers
- The Home and CDorked campaigns: Widespread Malicious Modification of Webservers for Mass Malware Distribution
- Malware Calling (short talk)
- DisAss (short talk)
- Efficient Program Exploration by Input Fuzzing (short talk)
- The power of a team work – Management of Dissecting a Fast Flux Botnet, OP-Kelihos “Unleashed” (short talk)
The presentation was breathtaking, it could have been longer and... well... MalwareMustDie T-shirts are excellent ;-)
- Perdix: a framework for realtime behavioral evaluation of security threats in cloud computing environment
- Participatory Honeypots: A Paradigm Shift in the Fight Against Mobile Botnets
- My name is Hunter, Ponmocup Hunter
This presentation was given by Tom Ueltschi, Cyber Security Expert at Swiss Post. Tom provided us with a great presentation of all his work around the malware named Ponmocup. By the way, speaking of naming, Tom showed us that malware naming from various antivirus companies was a mess on this malware family. Tom's presentation from BOTCONF is not available at the time of writing, but you can find a very close version here. This presentation was very interesting and could have lasted longer. Tom is a great speaker and we really enjoyed his humble way of presenting his results. Tom spoke about the way he started investigating that malware family, before diving into the technical details of the malware and its investigation.
- Reputation-based Life-course Trajectories of Illicit Forum Members
- APT1: Technical Backstage
- Europol and European law enforcement action against botnets
- A General-purpose Laboratory for Large-scale Botnet Experiments
- DNS Resolution Traffic Analysis Applied to Bot Detection
- Exploit Krawler: New Weapon against Exploit Kits
- BladeRunner: Adventures in Tracking Botnets
- The hunter becomes the hunted – analyzing network traffic to track down botnets
This concludes my quick write-up about the BOTCONF conference. Sorry for the delay, I've been quite busy these days. Once again, I want to thank and salute all of the organization staff. They have done a great job, and I bet everyone who's been there will go to the next edition of this event.
At last, I would like to send a particularly warm hello and thank you to all the people I've met there. It was a great pleasure seeing you guys. Hope we will meet again at the next BOTCONF, which, as the rumor goes, will probably be held in another part of France ;-)
... And please allow me to send a special greeting to the SECURITY DRUNKYARDS. You know who you are ;-)