Botconf 2017

Tuesday, December 5


Registration for workshops and buffet lunch
Tuesday December 5, 2017 12:30 - 14:00
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France


Botnet Tracking and Data Analysis Using Open-Source Tools
Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow for quick analysis of malicious traffic. The data-science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable Python libraries (ipython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises focus on botnet data, the tools and skills learned will be useful in all sorts of contexts. Moreover, to ensure that participants get the most out of the workshop, it is built so that they can easily replicate the data-analysis environment at home and reproduce similar analyses with their own traffic data.
Workshop Outline
  • Introduction to the workshop
    • Overview of the Linux/Moose botnet
    • The datasets available: Pcaps and mitmproxy logs
    • Overview of the tools we will use
  • Network traffic and C&C protocol analysis
    • Lab 1: Find the potential victims that have been targeted by the botnet’s scanner
    • Lab 2: Find and extract the C&C traffic in the Pcaps
    • Lab 3: Find the list of proxy clients IPs and evaluate if the list changes through time
  • Decrypted HTTPS traffic data analysis
    • Lab 4: Find the list of websites targeted by the botnet and graph them based on the proxy client IP
    • Lab 5: Graph the total number of requests made per proxy client through time
    • Lab 6: Find whether proxy clients are re-using their fake social media accounts
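As an added example, not part of the workshop material, the shape of what Labs 3 and 5 ask for: the set of proxy-client IPs per time window, how that set changes between windows, and requests per client over time. It uses only the Python standard library (the workshop itself uses pandas and matplotlib) and works on a constructed sample of the tab-separated output that `tshark -r capture.pcap -T fields -E separator=/t -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport` would print; the proxy port 10000 and all addresses are assumptions, not values from the Linux/Moose investigation.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of `tshark -T fields` output (epoch, src, dst, dport).
# The proxy port and every address below are made up for this example.
PROXY_PORT = 10000
SAMPLE = """\
1512475200.10\t203.0.113.5\t192.0.2.10\t10000
1512475201.20\t203.0.113.6\t192.0.2.10\t10000
1512475202.30\t198.51.100.9\t192.0.2.10\t22
1512478800.40\t203.0.113.5\t192.0.2.10\t10000
1512478801.50\t203.0.113.7\t192.0.2.10\t10000
1512482400.60\t203.0.113.8\t192.0.2.10\t10000
1512482401.70\t203.0.113.5\t192.0.2.10\t10000
"""


def parse_fields(text):
    """Parse tshark -T fields lines into (epoch, src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split("\t")
        rows.append((float(ts), src, dst, int(dport) if dport else None))
    return rows


def proxy_clients_by_window(rows, window_s=3600):
    """Lab 3: source IPs that talked to the proxy port, bucketed per time window."""
    buckets = defaultdict(set)
    for ts, src, _dst, dport in rows:
        if dport == PROXY_PORT:
            buckets[int(ts // window_s) * window_s].add(src)
    return dict(sorted(buckets.items()))


def churn(buckets):
    """Compare consecutive windows: clients that appeared, disappeared, and Jaccard overlap."""
    keys = sorted(buckets)
    out = []
    for prev, cur in zip(keys, keys[1:]):
        a, b = buckets[prev], buckets[cur]
        jac = len(a & b) / len(a | b) if a | b else 1.0
        out.append({"window": cur, "new": sorted(b - a), "gone": sorted(a - b),
                    "jaccard": round(jac, 3)})
    return out


def requests_per_client(rows, window_s=3600):
    """Lab 5: number of proxy requests per client per window, ready to plot."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, dport in rows:
        if dport == PROXY_PORT:
            counts[src][int(ts // window_s) * window_s] += 1
    return {ip: dict(sorted(w.items())) for ip, w in counts.items()}


if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    buckets = proxy_clients_by_window(rows)
    for w, clients in buckets.items():
        print(datetime.fromtimestamp(w, tz=timezone.utc).isoformat(), sorted(clients))
    for change in churn(buckets):
        print(change)
    print(requests_per_client(rows))
```

Loading the same tshark output into a pandas DataFrame and grouping on the window column gives these tables with less code, and `DataFrame.plot()` turns the per-client counts into the Lab 5 graph; the Jaccard value between consecutive windows is the quick numeric answer to whether the proxy-client list changes through time.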

Olivier Bilodeau

Cybersecurity Research Lead, GoSecure

Masarah Paquet Clouston

Security Researcher, GoSecure
Masarah is a security researcher at GoSecure and one of Canada's 150 decorated scientific innovators. With her background in economics and criminology, she specializes in the study of market dynamics behind illicit online activities. Her primary goal is to conduct scientific research...

Tuesday December 5, 2017 14:00 - 18:00
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France


Cyber Threat Intel & Incident Response with TheHive, Cortex & MISP
  • Cyber Threat Intel & Incident Response in 2017
  • MISP, TheHive & Cortex overview
  • Installing & configuring the product stack
  • Bringing it all together
  • An IR case study
  • Dealing with notifications
  • How CTI feeds IR
  • How IR feeds CTI
  • The CTI-IR cycle: case study

Saâd Kadhi

A convinced archeofuturist and a true retromodernist with a serious knack for individualistic altruism, I have been working in the wonderful field of Incident Response, Digital Forensics and hubris, er, Threat Intelligence for a decade. I am the leader of TheHive Project and I currently...

Raphaël Vinot

CERT Operator & MISP core developer, CIRCL
I'm one of the core developers of MISP Threat Sharing, especially working on all the APIs and interactions with 3rd party tools.

Tuesday December 5, 2017 14:00 - 18:00
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France


Python and Machine Learning: How to Clusterize a Malware Dataset
The goal of this workshop is to show how to use Python for machine learning. We take security data such as malware as examples and explain how to transform the data so that machine learning algorithms can use it. We detail the different algorithms and the two libraries Scikit-learn and TensorFlow.

The algorithms help to quickly cluster a malware database in order to create YARA signatures for use in incident response. Participants will work on a small dataset, develop some code based on these libraries and create YARA signatures.

Tuesday December 5, 2017 14:00 - 18:00
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France
Wednesday, December 6




Eric Freyssinet

Chairman / Chief digital strategy officer, Botconf / Gendarmerie nationale
Chairman of the organising committee. French law enforcement cybercrime specialist. PhD in computer science.

Wednesday December 6, 2017 10:00 - 10:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France


How to Compute the Clusterization of a Very Large Dataset of Malware with Open Source Tools for Fun & Profit?
Malware is now developed at an industrial scale, and human analysts need automated tools to help them.
We propose here to present the results of our experiments on this difficult problem: how to cluster a very large set of malware (using only static information) so as to be able to classify new malware. To cluster a set of (numerical) objects is to group these objects into meaningful categories. We want objects in the same group to be closer (or more similar) to each other than to those in other groups. Such groups of similar objects are called clusters. When the data are labeled, this problem is called supervised clustering. It is a difficult problem, but easier than the unsupervised clustering problem we have when the data are not labeled.
All our experiments have been done with code written in Python, and we have mainly used scikit-learn, so you will probably be able to redo the work with your own feature vectors (well, we hope so for you!).

We will present some results on our dataset of two million malware samples. We will give some examples of the results we have found and talk about future work that could be interesting to do (well: problems still to be solved).
Co-authors: Alexandre Letois, Marwan Burelle
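Both the workshop above ("Python and Machine Learning: How to Clusterize a Malware Dataset") and this talk rely on scikit-learn. The following added example, which is not code from either set of authors, shows the shape of that pipeline with the standard library only: a static feature set per sample, single-linkage clustering on Jaccard similarity, and a YARA rule per cluster built from the strings every member shares and no other cluster contains. The feature sets are constructed, the similarity threshold is an assumption, and a real pipeline would pull features from pefile or `strings` output and use scikit-learn's distance and clustering routines on feature vectors rather than sets.

```python
from itertools import combinations

# Constructed feature sets: imports and strings "extracted" from hypothetical
# samples. a* share a downloader/C&C profile, b* a file-encrypter profile, c1 is noise.
SAMPLES = {
    "a1": {"InternetOpenUrlA", "CreateRemoteThread", "/gate.php", "botid="},
    "a2": {"InternetOpenUrlA", "CreateRemoteThread", "/gate.php", "botid=", "GetTickCount"},
    "a3": {"InternetOpenUrlA", "WriteProcessMemory", "/gate.php", "botid="},
    "b1": {"CryptEncrypt", "FindFirstFileW", "README_DECRYPT.txt", ".locked"},
    "b2": {"CryptEncrypt", "FindFirstFileW", "README_DECRYPT.txt", ".locked", "vssadmin"},
    "c1": {"GetTickCount", "Sleep"},
}


def jaccard(a, b):
    """Set similarity: |A ∩ B| / |A ∪ B|."""
    return len(a & b) / len(a | b) if a or b else 1.0


def cluster(samples, threshold=0.5):
    """Single-linkage clustering with union-find: link any pair whose Jaccard >= threshold."""
    parent = {k: k for k in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if jaccard(samples[x], samples[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for k in samples:
        groups.setdefault(find(k), []).append(k)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def _yara_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def yara_rule(name, members, samples, min_members=2):
    """Rule from strings present in every cluster member and in no sample outside it."""
    if len(members) < min_members:
        return None                      # a singleton is not a family yet
    common = set.intersection(*(samples[m] for m in members))
    others = set().union(*(samples[s] for s in samples if s not in members))
    distinctive = sorted(common - others)
    if not distinctive:
        return None                      # nothing that would not also hit other clusters
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(distinctive):
        lines.append(f'        $s{i} = "{_yara_escape(s)}" ascii wide')
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)


def build_rules(samples, threshold=0.5):
    """Cluster the corpus and return {member tuple: rule text} for every rule-worthy cluster."""
    rules = {}
    for i, members in enumerate(cluster(samples, threshold)):
        rule = yara_rule(f"cluster_{i}", members, samples)
        if rule:
            rules[tuple(members)] = rule
    return rules


if __name__ == "__main__":
    for members, rule in build_rules(SAMPLES).items():
        print("#", ", ".join(members))
        print(rule)
```

Strings common to a cluster but absent from the rest of the corpus are the ones worth putting in a rule; a string such as GetTickCount, which also appears in the unrelated sample c1, would only generate false positives and is dropped. Rules produced this way still need a run against a clean-file set before they are used in incident response.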


Robert Erra

Professor, head of LSE, EPITA

Wednesday December 6, 2017 10:30 - 11:10
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Get Rich or Die Trying
In a world where oil is scarce and people click mail attachments they really shouldn't, one man sets out on an epic journey for glory, conquest, and other people's money. So begins the amazing tale of the "Oil bot" campaign: a tale of a single man who ran a sting operation on a good share of the industrial sector, armed with nothing but his supply of off-the-shelf RATs, his very subpar OPSEC standards, and his Nigerian chutzpah. The talk will follow the entire course of Check Point's investigation into this affair, from the few emails that didn't add up, through the campaign's not-so-intricate C&C infrastructure, to the point where we were inside the campaign, looking at all the incredible details. How do you scam people into scamming other people? What leads a fraudster to leave a trail of incriminating footprints?

And what does a Nigerian scammer want with an energy company, anyway? One thing’s for sure: In this brave new world, the Nigerian prince is no longer happily calling to inform you that you should transfer your money to them; it is you who is angrily calling your bulk provider, asking where all your money went.

Or Eshed

Lead Threat Intelligence Analyst, Check Point
Or Eshed is a lead threat intelligence analyst in Check Point's threat intelligence group, with 10 years of experience in intelligence and investigations and expertise in data analysis and pattern recognition.

Mark Lechtik

Security Researcher, Check Point
Mark Lechtik has been a malware researcher at Check Point Software Technologies for the last 2 years. He deals mainly with reverse engineering and binary analysis, and loves to wallow in the dirt of any malware, dissecting it meticulously and digging out all the gory technical details. Also, was...

Wednesday December 6, 2017 11:10 - 11:40
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Exploring a P2P Transient Botnet - From Discovery to Enumeration
From DDoS attacks to malicious code propagation, botnets continue to represent a strong threat to entities and users connected to the Internet and, because of this, continue to be an important research area. The power of these numerous networks was demonstrated when they interrupted a large part of the Internet, affecting companies like Twitter and Netflix, when the Mirai botnet targeted Dyn's DNS services back in 2016. In this paper, we present the study that allowed us to find a "Mirai-like" botnet called Rakos, from recruitment of our high-interactivity honeypot to the detailed analysis and exploitation of this botnet's C&C protocol using crawling and node-injection methods to enumerate it and estimate its size. Our contribution also includes a comparison between the two P2P botnet exploration methods used in our research and the situations in which each may be better suited for further analysis. Additionally, we propose the term "transient" to designate botnets formed by malware that does not use persistence on the compromised system, as this tends to be usual amongst modern threats to IoT (Internet of Things) devices.

Renato Marinho

Chief Research Officer, Morphus Labs
Renato Marinho is Chief of Research at Morphus Labs and Incident Handler at the SANS Internet Storm Center. His journey in the area began in 2001, when he created Nettion, one of the first firewalls to use the contemporary UTM (Unified Threat Management) concept. Experienced in cyber...

Wednesday December 6, 2017 11:40 - 12:10
Corum Allée du Saint-Esprit, 34000 Montpellier, France


RetDec: An Open-Source Machine-Code Decompiler
Machine-code decompilation transforms an executable file into a high-level language. It has found its applications mostly in the field of reverse engineering, where analysts use decompilers to inspect suspicious binaries.

This paper introduces RetDec, a recently open-sourced retargetable decompiler for platform-independent analysis of binary files. More specifically, we give an overview of the RetDec project's history, its current state, a comparison with other decompilers, and an example of a successful application.


Jakub Křoustek

Threat intelligence team leader, Avast

Peter Matula

Senior Developer, Avast
Peter Matula is a senior developer at Avast Software. He focuses on reverse-engineering research and is currently the main developer of the RetDec decompiler. He received his MSc. degree from the Faculty of Information Technology, Brno University of Technology, Czech Republic.

Petr Zemek

Senior Developer, Avast
Petr Zemek is a software developer at Avast Software, where he works on tools used by malware analysts. He has a Ph.D. in theoretical computer science from the Brno University of Technology, Czech Republic. His general interests are programming languages and practices, open-source...

Wednesday December 6, 2017 12:10 - 13:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France



A Silver Path: Ideas for Improving Lawful Sharing of Botnet Evidence with Law Enforcement
Businesses, organizations, and individuals can contribute substantially to a better collective response to botnets. Apart from the power to thwart attacks as they occur, these stakeholders play a meaningful role in handing over evidence about botnet crimes to law enforcement. Yet criminal procedure law places a significant threshold on how evidence collected by third parties may be used in a criminal investigation and before a court. In this study, I am particularly interested in the so-called category of illegally obtained evidence, in other words, evidence amassed in a way that (potentially) violates the standards prescribed by criminal procedural law. This distinction is directly pertinent to the current debate on which botnet intelligence could be disclosed to law enforcement and, more importantly, on whether data gathered in grey zones of the law could be used against cybercriminals.

Traditionally, legal systems have adhered to the doctrine of the fruit of the poisonous tree. Under it, evidence gathered via unlawful means suffers from the same spoilage as the original source of the collection: illegally obtained evidence is per se illegal and holds no value in due legal procedure. This remains largely the doctrine adopted by most civil law systems, including many EU Member States. However, pragmatic perspectives of the law have refused to repudiate the poisonous fruits: the silver platter doctrine has gained ground among EU Member States such as the Netherlands, under which illegally obtained evidence handed over to law enforcement should not be disavowed but brought into play, provided the authorities did not influence its unlawful collection. I intend to investigate whether an adaptation of the silver platter doctrine may be deemed legitimate in the context of cybercrime and justify the sharing of botnet evidence with law enforcement where such data is collected by businesses, organizations, and individuals.

This is an experimental study. It explores and critically analyses the main trends in the use of unlawfully obtained evidence by law enforcement in the U.S. and in select EU Member States (the NL and DE or FR). It builds upon these findings to propose rules that may pave the way for greater use of botnet evidence by law enforcement in a way that is consistent with and respectful of the EU framework for fundamental rights, including the limits and opportunities that such a framework may entail.


Karine e Silva

PhD Student, Tilburg University

Wednesday December 6, 2017 14:15 - 14:55
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Use Your Enemies: Tracking Botnets with Bots
Botnets are a curious thing for malware researchers. Although we’re constantly trying to shut them down and stop the responsible people, we’re also focusing a lot of attention on studying and analysing their inner workings in order to learn more about how they operate.

And the best strategy of getting information from a botnet is tricking it into sending everything to us on its own. In this talk we’ll describe our latest project, which does exactly that. We are reverse-engineering communication protocols, re-implementing them in python and impersonating real bots. This way, we can get fresh information/malware/spam/urls directly from a C&C, process it automatically, and react appropriately.

We want to share our insights from a year of tracking, compare our approach with more black-box solutions (hint: there are advantages and disadvantages), and discuss some challenges and our solutions to them. Although we won't focus on specific malware protocols, we'll mention them in passing.

Jarosław Jedynak

Security Engineer/Malware Researcher, CERT.PL
Jarosław Jedynak is a malware analyst and security engineer at CERT.PL. His research interests focus on malware, especially P2P botnets. Additionally, he actively tracks new malicious campaigns in order to disrupt criminal activity. In his free time, he is a passionate CTF player...

Paweł Srokosz

Security Researcher / Malware Analyst, CERT.PL
Paweł Srokosz is a security researcher and malware analyst at CERT.PL, constantly digging for fire and reverse engineering ransomware and botnet malware. He spends his free time playing CTFs as a member of the p4 team and studying Computer Science at Warsaw University of Technol...

Wednesday December 6, 2017 14:55 - 15:45
Corum Allée du Saint-Esprit, 34000 Montpellier, France


SOCKs as a Service, Botnet Discovery
On the internet, no one knows you're a dog, but they know that you are accessing their website from an IP announced by an ASN that belongs to an ISP on the East Coast of the United States. As the DOM renders a piece of third-party fraud-detection JavaScript, it runs and collects details about local time, Flash, etc., creating a fingerprint for your browser. It also takes a look at your IP address to see whether it is a reasonable match for the ZIP code associated with the credit card you are using, and possibly confirms that it matches the netblock you frequently log in from. This second component, access to SOCKS proxies inside ISP networks and other netblocks, is the topic covered in this presentation. We will cover the market for SOCKS proxies, including vendors and pricing models, as well as a botnet that we came across while monitoring SOCKS markets.


Christopher Baker

Principal of Threat Intelligence, Dyn
Chris Baker is an Internet cartographer, data analyst, and wanderlust researcher at Dyn, where he is responsible for an array of data analysis and research projects ranging from trends in the DNS to Internet measurement and infrastructure profiling. Previously, Chris worked at Fidelity...

Wednesday December 6, 2017 15:45 - 16:15
Corum Allée du Saint-Esprit, 34000 Montpellier, France



Automation Of Internet-Of-Things Botnets Takedown By An ISP
For the past 12 months, Internet-of-Things botnets have made the headlines. Behind the media noise lies a threat that could be easily remedied by taking appropriate actions to discourage the herders, who, most of the time, are kiddies. The latter often purchase the services of a third party to set up the Command & Control on dedicated servers and thus have a strong potential to cause harm. The growing number of botnets made us reflect upon a workflow to contain the trend.

This presentation aims to show how easy it is to identify the Command & Control servers of Internet-of-Things botnets and how OVH implemented an automated workflow to hunt them out of its network. This workflow is currently running in production, is able to extract the Command & Control IP in 9 out of 10 cases, and could easily be implemented by other ISPs.

OVH is the third-largest hosting company in the world, providing bare-metal servers, cloud instances, web hosting, xDSL links, etc. Also known for having mitigated a Distributed Denial of Service attack above the symbolic terabit-per-second barrier, launched by a Mirai botnet, OVH is definitely committed to fighting botnets.


Sébastien Mériot

Security Engineer - Anti-Abuse & Anti-Fraud department, OVH
Sébastien works as a security engineer in the security team of OVH. His work has been crucial in mitigating the 1 Tbps attack launched by a Mirai botnet and in protecting OVH's customers from the WannaCry outbreak.

Wednesday December 6, 2017 16:45 - 17:15
Corum Allée du Saint-Esprit, 34000 Montpellier, France


The New Era of Android Banking Botnets
In the past, mobile malware used to target victims only to harvest SMS messages, which are often used as a 2FA (two-factor authentication) mechanism or to deliver an OTP (one-time password). Since late 2015, we have seen attacks that target the entire banking app with an overlay type of attack, which started a new era in Android banking botnets. This is what we will be detailing and discussing in this presentation.
First, we will quickly introduce the audience to past Android malware families that had SMS harvesting as a goal. Perkele, Zitmo and iBanking are some examples of those families.
Then, we will focus on modern Android malware evolution in terms of obfuscation, anti-analysis, C&C communication and infection mechanisms. We will also provide insights into some of those modern Android malware botnets, including some not yet known to the public. The Android malware families we will be discussing are: Slempo (also known as GMBot and SlemBunk), MazarBot, Catelites, Shifu, Marcher and BankBot (also known as Maza-in).


Pedro Drimel Neto

Threat Analyst, Fox-IT InTELL
Pedro Drimel Neto is a Threat Analyst at Fox-IT InTELL where he focuses on analysis of malware focused on cybercrime. In the past, he worked as a Malware Analyst at BlackBerry and Security Researcher at Qualys, Brazilian Government Research Center and zImperium.

Wednesday December 6, 2017 17:15 - 18:05
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Hunting Down Gooligan
This talk provides a retrospective on how, during 2017, Check Point and Google jointly hunted down Gooligan, one of the largest Android botnets at the time. Besides its scale, what makes Gooligan a worthwhile case study is its heavy reliance on stolen OAuth tokens to attack Google Play's API, an approach previously unheard of in malware.

This talk starts by providing an in-depth analysis of how Gooligan's kill chain works, from infection and exploitation to system-wide compromise. Then, building on various telemetry, we will shed light on which devices were infected and how this botnet attempted to monetize the stolen OAuth tokens. Next we will discuss how we were able to uncover the Gooligan infrastructure and tie it to another prominent malware family, Ghostpush. Last but not least, we will recount how we went about re-securing the affected users and taking down the infrastructure.

Elie Bursztein

Anti-fraud and abuse research team lead, Google
Anti-abuse research lead

Wednesday December 6, 2017 18:05 - 18:45
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Thursday, December 7



KNIGHTCRAWLER, « Discovering Watering-holes for Fun, Nothing. »
How do you find watering holes (aka Strategic Web Compromise, SWC) from your bedroom? At the intersection of geopolitics and technology, KNIGHTCRAWLER is a personal project developed to find malicious activity on several thousand strategic websites (governments, NGOs, companies, newspapers, etc.). Dozens of watering holes related to APT and cybercrime activity have been discovered using this project, including several exploit kits and actors not yet published in open sources.

Félix Aimé

GReAT, Kaspersky
Félix Aimé is an autodidact in the fields of computer security and geopolitics. He joined the French National Cybersecurity Agency in 2013 to develop threat intelligence investigations and related capabilities. In mid-2017, he switched to the private sector and joined the...

Thursday December 7, 2017 09:30 - 09:50
Corum Allée du Saint-Esprit, 34000 Montpellier, France


The (makes me) Wannacry Investigation
On May 12, 2017, a virulent new strain of ransomware known as WannaCry hit hundreds of thousands of computers, affecting all types of organisations across the globe. While it is well understood how WannaCry spread using EternalBlue, there was little information on how the attack initially began.

It is often the case that tracking the activity of an attacker back in time can be invaluable for learning more about how the attacker operates, and potentially identifying any mistakes made. This proved true with WannaCry 1.0.

This talk aims to present a walk-through of Symantec’s investigation into Wannacry and how we were able to identify links to previously identified malware families and tools used in attacks against Sony Pictures Entertainment in November, 2014 to ultimately identify who was behind the attack.


Alan Neville

Sr. Threat Intelligence Analyst, Symantec
Alan is a senior threat intelligence analyst on the attack investigations team in Symantec. Alan is responsible for leading and documenting investigations into high profile attacks affecting Symantec customers and acting as a liaison between LE and Symantec.

Thursday December 7, 2017 09:50 - 10:20
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Malware Uncertainty Principle: an Alteration of Malware Behavior by Close Observation
During the last couple of years there has been a significant surge in the use of HTTPS by malware. The exact reason for this increase is not completely understood yet, but it is hypothesized that it was forced by organizations allowing only web traffic to the Internet, and that using HTTPS makes the malware's connections look like normal ones. Therefore, there has been a growing interest in understanding the usage of HTTPS by malware. This paper describes our research to obtain large quantities of real malware traffic using HTTPS, our use of man-in-the-middle HTTPS interception proxies to open and study the content, and our analysis of how the behavior of the malware changes after being intercepted. Our research goal is to understand the use of HTTPS in malware traffic and the impact of intercepting its traffic. After our analysis, we conclude that the use of an interception proxy in a network should be carefully considered.


Maria Jose Erquiaga

My research experience has been mostly focused on studying the behavior of malware in the network. In particular, the behavior of large botnets in real networks. I researched and worked capturing large quantities of malware traffic for long periods of time (available to download...

Thursday December 7, 2017 10:20 - 10:50
Corum Allée du Saint-Esprit, 34000 Montpellier, France



Knock Knock... Who's there? admin admin, Get In! An Overview of the CMS Brute-Forcing Malware Landscape.
With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well-known Content Management Systems (CMS) have been systematically attacked over the past years by different threat actors looking for disposable infrastructure for their attacks.

Brute-forcing is one of the most common types of attack against a CMS. The main goal of this attack is straightforward: obtain a valid username and password and access the CMS administration panel. Attackers take advantage of the fact that, in most cases, the passwords chosen for CMS accounts are very weak. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks to spread malware.
The goal of this presentation is threefold. First, we will give an overview of the history and current state of brute-force attacks and discuss why WordPress comes under brute-force attack more often than other CMS platforms. Second, we will provide an overview of the different brute-forcing botnets and the techniques they use. Third, we will provide an in-depth analysis of the Sathurbot botnet.
The Sathurbot trojan first appeared in 2013 [3] and is still active, affecting hundreds of users. To date, the trojan has 4 known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware to the infected machine, such as Boaxxe, Kovter, and Fleercivet. The web crawler module allows the trojan to query different search engines for websites using the WordPress CMS. The brute-forcing module is what the trojan uses to attempt to log in to WordPress admin panels with different credentials. The case study focuses on the web crawling and brute-forcing modules, with specific insights obtained from a real infection. It provides insights into the infrastructure, target selection, aggressiveness, and an analysis of its success based on our observations.

Finally, we will talk about detection methods to identify these types of attacks.
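An added example of the kind of detection method mentioned above (not the authors' code): a sliding-window count of POST requests to /wp-login.php and /xmlrpc.php per source address over constructed Apache combined-format log lines, with a crude success heuristic (a run of 200 responses, which wp-login.php returns for failed logins, followed by a 302 redirect, which it returns on success). The window, the threshold and all addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log; addresses are from documentation ranges, the timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Dec/2017:11:10:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2017:11:10:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2017:11:10:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2017:11:10:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2017:11:10:05 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Dec/2017:11:12:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.18"
198.51.100.2 - - [07/Dec/2017:11:12:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.18"
192.0.2.44 - - [07/Dec/2017:11:13:00 +0100] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Dec/2017:11:13:09 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.org/wp-login.php" "Mozilla/5.0"
"""


def parse(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def detect(events, window_s=300, threshold=4):
    """Return {ip: verdict} for sources with >= threshold login POSTs inside any window_s span."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS:
            by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):                 # sliding window over sorted timestamps
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            run = evs[lo:hi + 1]
            if len(run) >= threshold:
                statuses = [e["status"] for e in run]
                verdicts[ip] = {
                    "attempts": len(run),
                    "paths": sorted({e["path"] for e in run}),
                    # failures (200) followed by a redirect (302): the last guess probably worked
                    "likely_success": statuses[-1] == 302
                    and statuses.count(200) >= threshold - 1,
                    "ua": run[-1]["ua"],
                }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect(parse(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Request counts undercount attacks through xmlrpc.php, where a single system.multicall request can carry hundreds of credential pairs, so a lower threshold (or a check on POST body size) is appropriate for that path. A botnet such as Sathurbot also spreads attempts across many source addresses, which a per-IP threshold will not catch on its own; counting per target site or per username over the same window covers that case.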

Anna Shirokova

Security Researcher, CISCO

Veronica Valeros

Veronica specializes in malware network traffic analysis and network behavioral patterns. Since 2013 she is part of the Cognitive Threat Analytics team, Cisco Systems.

Thursday December 7, 2017 11:10 - 11:50
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Automation Attacks at Scale
Automation attacks are currently plaguing organizations in industries ranging from financial to retail, to gaming & entertainment. These attacks exploit stolen credential leaks, black market & custom attack toolkits, and massively scalable infrastructure to launch widely distributed attacks that are extremely difficult to detect, let alone attribute. In this presentation we will inform the audience of the scale of this problem, discuss a detection methodology to counter these attacks, and walk through 3 real-world examples of how attackers created and monetized the distributed infrastructure they require to launch these attacks.


Will Glazier

Stealth Security
Will Glazier serves as Stealth Security's Threat Intelligence Analyst & Architect. His primary interests include understanding attacker infrastructure responsible for malicious automation attacks, including account takeover. His current focus is on building out a threat intelligence...

Thursday December 7, 2017 11:50 - 12:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France


The Good, the Bad, the Ugly: Handling the Lazarus Incident in Poland
[TLP: Amber]


Maciej Kotowicz

Maciej Kotowicz is Principal Botnet Pwner at CERT.pl with a special interest in reverse engineering and exploit development as well as automation of both. In his free time he likes to drink beer and play CTFs, in no particular order.

Thursday December 7, 2017 12:30 - 13:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France



Malpedia: A Collaborative Effort to Inventorize the Malware Landscape
In this paper, we introduce Malpedia, our take on a collaborative platform for the curation of a coherent corpus of cleanly labeled, unpacked malware samples. Illustrating one of the use cases for this data set, we provide a comparative overview of structural characteristics for more than 300 families of Windows malware.


Martin Clauß

Research Associate, Fraunhofer FKIE

Daniel Plohmann

Malware analyst, Fraunhofer FKIE
Daniel Plohmann works as a senior analyst for Fraunhofer FKIE, taking apart malware families and botnet instances. His PhD research at the University of Bonn focuses on automation and improving the efficiency of reverse engineering as an instrument for in-depth analysis. As a Teaching...

Thursday December 7, 2017 14:00 - 15:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France


YANT - Yet Another Nymaim Talk
We have already heard of Nymaim’s famous obfuscation techniques, such as WinAPI wrappers, function detours, encrypted memcpy, and others. But have you heard of heaven’s gate, hybrid binaries and thread obfuscation? In this presentation, we will dive into some of the obfuscation patterns that are still untold.


Sebastian Eschweiler

Sebastian Eschweiler is a security researcher at CrowdStrike. Before that, he studied computer science in Bonn and did his doctorate at the University of Bonn. He also fought botnets at the Fraunhofer FKIE.

Thursday December 7, 2017 15:00 - 15:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France



Augmented Intelligence to Scale Humans Fighting Botnets
We propose and implement a novel method of discovering botnet activity: new core domains (domains directly below a TLD) that appear in real-time DNS query traffic are flagged as suspicious, and botnet C&C groups are then discovered with a domain-correlation machine learning model. This method discovers botnet C&C groups before the security list vendors it is benchmarked against.


Amir Asiaee

Senior Data Scientist, Nominum
Dr. Amir Asiaee has more than 10 years of academic and industry experience in machine learning and natural language processing related projects. He has applied data analytic techniques to optimize Nominum output feeds by validating and consolidating lists of malicious activities that...

Hongliang Liu

Principal Data Scientist, Nominum
Dr. Hongliang Liu, Principal Data Scientist at Nominum, received his PhD degree in Physics in 2011. Dr. Liu has been working on defeating DDoS attacks known as Pseudo Random Subdomain (PRSD) attacks which rely on the worldwide DNS infrastructure and building machine intelligence for...

Yuriy Yuzifovich

Head of Security Research and Data Science, Nominum
Yuriy Yuzifovich is Head of Security Research and Data Science for Nominum. Yuriy’s team builds patent-pending tools that analyze 100 billion DNS queries per day from hundreds of millions of internet subscribers in real time. With these tools, Nominum Data Science is able to discover...

Thursday December 7, 2017 16:00 - 16:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Stantinko: a Massive Adware Campaign Operating Covertly since 2012
Stantinko is a botnet that we estimate infects around half a million machines mainly located in the Russian Federation and Ukraine. In addition to its prevalence, Stantinko stands out because of its use of advanced anti-analysis techniques, the heavy usage of encryption to hide malicious code and the use of anti-virus evasion tricks that allowed them to stay under the radar for the past five years. While its main purpose is to commit advertisement fraud, Stantinko also installs a backdoor allowing them to run arbitrary code on the victim’s machine.

The Stantinko malware family dates back to at least 2012. We noticed a significant change in the group’s toolset that occurred at the beginning of 2015, which made it way more difficult to track them and to gather all the pieces necessary to conduct a complete analysis of this notably undocumented threat.

When we began our analysis, we were not sure what kind of malware we were looking at. It took us some time to understand Stantinko’s purpose because of its fileless modular architecture. After reverse-engineering its network protocol, we were able to collect the modules that contain the actual malicious code and were able to slowly draw the big picture. We found out that its malicious activities include advertising fraud, Facebook fraud and brute-forcing administrator credentials of Joomla and WordPress Content Management Systems. At this point, it became clear to us that we were looking at a crimeware botnet.

This presentation will cover the findings from our six-month hunt after this large-scale stealthy botnet.


Matthieu Faou

Malware Researcher, ESET
Matthieu Faou is a Malware Researcher at ESET where he performs in-depth analysis of malware. He has a strong interest for cybercrime and especially click fraud. He finished his Master’s degree in computer science at École Polytechnique de Montréal in 2016. In the past, he has...

Frédéric Vachon

Malware Researcher, ESET
Frédéric Vachon is a Malware Researcher at ESET. Formerly a history student, he traded his love for old stories to play with rusty computer languages like assembly. He cherishes the past and can’t quite understand why modern GUIs supplanted good old terminal-based UIs.

Thursday December 7, 2017 16:30 - 17:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France



Thursday December 7, 2017 20:00 - 23:30
Friday, December 8



Formatting for Justice: Crime Doesn't Pay, Neither Does Rich Text
Due to its flexibility and capacity for embedding other objects, the rich text format (RTF) is a preferred file type used by both precision- and quantity-focused threat actors. This presentation will discuss the state of threats making use of the file format and provide a brief overview of how the file format is constructed. The presentation will also explain results of exploratory experiments conducted to achieve a deep comprehension of the file format’s structure. Best practices for building protections in organizations will be discussed. Techniques developed while hunting for specific features across large sample sets will be shared.
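
The "capacity for embedding other objects" that the abstract singles out is what a hunter has to pull apart first. As an added example for this page, not code from the talk, the walker below tokenises RTF the way a lenient parser does (groups, control words with optional numeric parameters, \'hh escapes and the \binN raw-byte case that breaks naive hex scanners), locates every {\*\objdata ...} destination, hex-decodes it and parses the resulting OLE 1.0 EmbeddedObject header (version, format id, three length-prefixed strings, size, native data, as laid out in MS-OLEDS). It also counts a handful of control words worth triaging on across a sample set. The sample document and the "Package" object inside it are constructed; the control-word watchlist is my choice.

```python
"""Added example (not the talk's code): minimal RTF walker that extracts
embedded objects and decodes their OLE 1.0 payload, plus a feature counter
for hunting across sample sets. The sample document is constructed.
"""
import re
import struct

# \controlword[-N][ ]  or  \symbol  (one non-letter character)
CTRL = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?|\\(.)", re.DOTALL)
NONHEX = re.compile(rb"[^0-9A-Fa-f]")
WATCH = ("object", "objemb", "objautlink", "objupdate", "objdata", "bin", "pict", "field")


def _hexbyte(two):
    try:
        return bytes.fromhex(two.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        return b""


def walk(rtf):
    """Yield (kind, value, depth): kind is 'open', 'close', 'ctrl' or 'text'."""
    i, depth = 0, 0
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"{":
            depth += 1
            yield "open", None, depth
            i += 1
        elif c == b"}":
            yield "close", None, depth
            depth -= 1
            i += 1
        elif c == b"\\":
            m = CTRL.match(rtf, i)
            if m is None:                 # lone trailing backslash
                i += 1
                continue
            i = m.end()
            if m.group(1):
                word = m.group(1).decode()
                param = int(m.group(2)) if m.group(2) else None
                raw = None
                if word == "bin" and param:   # \binN: N raw bytes follow, not hex
                    raw = rtf[i:i + param]
                    i += param
                yield "ctrl", (word, param, raw), depth
            elif m.group(3) == b"'":          # \'hh: one escaped byte
                yield "text", _hexbyte(rtf[i:i + 2]), depth
                i += 2
            else:
                yield "ctrl", (m.group(3).decode("latin-1"), None, None), depth
        elif c in b"\r\n":
            i += 1
        else:
            yield "text", c, depth
            i += 1


def extract_objdata(rtf):
    """Hex-decode every {\\*\\objdata ...} destination; returns a list of payloads."""
    payloads, parts, hexbuf, objdepth = [], [], None, None

    def flush():
        clean = NONHEX.sub(b"", bytes(hexbuf))          # Word ignores whitespace here
        parts.append(bytes.fromhex(clean[: len(clean) & ~1].decode()))
        hexbuf.clear()

    for kind, val, depth in walk(rtf):
        if hexbuf is None:
            if kind == "ctrl" and val[0] == "objdata":
                hexbuf, objdepth = bytearray(), depth
        elif kind == "text":
            hexbuf += val
        elif kind == "ctrl" and val[0] == "bin" and val[2]:
            flush()
            parts.append(val[2])                          # raw run inside objdata
        elif kind == "close" and depth == objdepth:
            flush()
            payloads.append(b"".join(parts))
            hexbuf, parts = None, []
    return payloads


def parse_ole1(blob):
    """Parse an OLE 1.0 EmbeddedObject header (MS-OLEDS); None if not one."""
    if len(blob) < 8:
        return None
    version, fmt = struct.unpack_from("<II", blob, 0)
    if fmt != 2:                       # 2 = EmbeddedObject, 1 = LinkedObject
        return None
    pos, names = 8, []
    for _ in range(3):                 # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\0").decode("latin-1"))
        pos += n
    (size,) = struct.unpack_from("<I", blob, pos)
    data = blob[pos + 4:pos + 4 + size]
    return {"version": version, "class": names[0], "topic": names[1], "item": names[2],
            "declared_size": size, "data": data, "truncated": len(data) < size}


def hunt_features(rtf):
    """Counts of watched control words plus maximum group nesting depth."""
    feats = {w: 0 for w in WATCH}
    feats["max_depth"] = 0
    for kind, val, depth in walk(rtf):
        feats["max_depth"] = max(feats["max_depth"], depth)
        if kind == "ctrl" and val[0] in WATCH:
            feats[val[0]] += 1
    return feats


def analyze(rtf):
    return {"features": hunt_features(rtf),
            "objects": [parse_ole1(p) for p in extract_objdata(rtf)]}


# Constructed sample: one embedded "Package" object carrying four bytes.
OLE1_HEX = ("01050000"                        # OLEVersion
            + "02000000"                      # FormatID 2 = EmbeddedObject
            + "08000000" + b"Package\0".hex()  # ClassName, length-prefixed, NUL-terminated
            + "00000000" + "00000000"         # empty TopicName, ItemName
            + "04000000" + "deadbeef")        # NativeDataSize, NativeData
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\n"
              + b"{\\object\\objemb\\objupdate{\\*\\objclass Package}"
              + b"{\\*\\objdata " + OLE1_HEX[:20].encode() + b"\n " + OLE1_HEX[20:].encode()
              + b"}}Hello \\'e9 world}")

if __name__ == "__main__":
    print(analyze(SAMPLE_RTF))
```

Two things the example shows that a grep for "objdata" does not: a \bin run inside the destination is raw and must not be hex-decoded, and Word tolerates whitespace and junk inside the hex, so the decoder strips rather than rejects. An \objupdate next to an embedded object is worth a closer look because it asks the application to refresh the object on open.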


Anthony Kasza

Senior Threat Researcher, Palo Alto Networks
Anthony Kasza is a Senior Threat Researcher for Palo Alto Networks. At Palo Alto Networks, Anthony is responsible for discovering new and tracking known threats to ensure context around customer detections. Prior to Palo Alto Networks, Anthony was responsible for creating scalable...

Friday December 8, 2017 09:40 - 10:10
Corum Allée du Saint-Esprit, 34000 Montpellier, France


PWS, Common, Ugly but Effective
PassWord Stealers (PWS) have been around for more than a decade now. They are legion. Some, like Pony, aka FareIT, are well known. But nobody really takes the time to explain what is around, what it is capable of and how this little industry works.

However, they are still a common threat, actively used according to our incident logs.
A PWS is not a RAT; we make this distinction. The aim of a PWS is to be launched, steal a lot of credentials and optionally keylog and/or drop another payload.

Sadly, nobody cares about them anymore when they fire an antivirus alert inside a company.
To illustrate this, my presentation will go through a couple of PWS that I have met, and I will give an overview of the history and capabilities of the threat, and give the tricks and tools/scripts needed to identify and decipher them. A couple of these decoding/identification tools are freely available to the community and not written by me; this task may be achieved by a lot of security people without any skills in reverse engineering.

Finally, I will try to summarize these threats by giving the participants a clear view of what is available in the field.


Paul Jung

Senior security consultant, Excellium Services
Paul Jung has long been a security enthusiast. He has worked in the security field in Luxembourg for more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experiences that enable...

Friday December 8, 2017 10:10 - 10:40
Corum Allée du Saint-Esprit, 34000 Montpellier, France



Nyetya Malware & MeDoc Connection
On the 27th of June 2017, a new wormable malware variant surfaced. Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. The presentation will be divided in two parts:

  • The first part will describe Nyetya: how it works, the integrated exploits, Doublepulsar modifications, the “encryption” of the infected systems… This part will be focused on the analysis of the malware (reverse engineering).
  • The second part will describe the incident response performed by Cisco Advanced Services Incident Response in Ukraine, focused on the M.E.Doc software. This part will contain the techniques used by the attackers to massively compromise M.E.Doc users. A timeline will be exposed and detailed.


David Maynor

Cisco Talos

Paul Rascagnères

Security Researcher, CISCO Talos
Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has...

Friday December 8, 2017 11:10 - 11:50
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples
We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seeds in real-time DNS query traffic. By combining real-time DNS traffic and this fast search method, we successfully detected all dynamic Locky DGA seeds within seconds from their first appearance, and predicted all future C&C names from those seeds. These C&C names are distributed to production systems used by ISPs worldwide, where they’re blocked. They’re also shared with DGArchive and the security community.
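
The search strategy in the abstract is worth seeing in miniature: instead of re-running the generator for every (candidate seed, observed name) pair, generate each candidate seed's names for the day once, key a hash table by name, and then every NXDOMAIN query in the stream costs a single lookup; a seed that is hit is then used to predict the names for the coming days. The following is an added example written for this page and not Nominum's code. It uses a hypothetical DGA (SHA-256 over seed, date and index) purely to have something to search; it does not reproduce Locky's algorithm. The seed range, names-per-seed count and the traffic are assumptions; the real search ran on a GPU over a far larger seed space.

```python
"""Added example (not Nominum's code): precomputed domain -> seed table so that
DGA seed recovery costs one hash lookup per query, then prediction from the
recovered seed. The DGA here is a stand-in, not Locky's generator.
"""
import hashlib
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("ru", "pw", "su", "info")   # assumption for the toy DGA


def toy_dga(seed, day, index):
    """Hypothetical DGA: SHA-256(seed|date|index) drives length, letters and TLD."""
    h = hashlib.sha256(f"{seed}|{day.isoformat()}|{index}".encode()).digest()
    length = 8 + h[0] % 8
    name = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
    return f"{name}.{TLDS[h[-1] % len(TLDS)]}"


def build_table(day, seeds, per_seed):
    """domain -> (seed, index) for every candidate seed; the cost is paid once per day."""
    return {toy_dga(s, day, i): (s, i) for s in seeds for i in range(per_seed)}


def search(table, qnames, min_hits=2):
    """One lookup per query. A seed counts as recovered after min_hits distinct
    matches, which guards against a chance collision with a legitimate name."""
    hits = defaultdict(list)
    for q in qnames:
        key = q.lower().rstrip(".")
        if key in table:
            hits[table[key][0]].append(key)
    return {s: d for s, d in hits.items() if len(d) >= min_hits}


def predict(seed, start, days, per_seed):
    """Names a recovered seed will produce from `start` for `days` days."""
    return [toy_dga(seed, start + timedelta(days=d), i)
            for d in range(days) for i in range(per_seed)]


# Constructed traffic: a legitimate name, two names from secret seed 1337 and a
# single name from seed 4242 (one hit only, so it must not be reported).
DAY = date(2017, 12, 8)
SECRET = 1337
SAMPLE_QUERIES = ["www.google.com.", toy_dga(SECRET, DAY, 0) + ".",
                  toy_dga(SECRET, DAY, 3), toy_dga(4242, DAY, 1)]


def run(seeds=range(4096), per_seed=6):
    """Return (recovered seed -> matching names, predicted names for the next 2 days)."""
    table = build_table(DAY, seeds, per_seed)
    found = search(table, SAMPLE_QUERIES)
    preds = {s: predict(s, DAY + timedelta(days=1), 2, per_seed) for s in found}
    return found, preds


if __name__ == "__main__":
    found, preds = run()
    print(found)
    print({s: p[:3] for s, p in preds.items()})
```

The table is what makes the search sublinear in the number of queries: the generator runs once per seed per day, and the stream is only ever probed. The min_hits guard matters in production because a single NXDOMAIN that happens to equal a generated name is not evidence of a seed.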


Yohai Einav

Principal Security Researcher, Nominum
Yohai Einav is a 14-year cybersecurity veteran and presently a lead security researcher at Nominum. In his current role, he manages threat analysis projects with a specific focus on Botnets and their DNS signal. He is also the lead author of the company’s security reports. Yohai’s...

Hongliang Liu

Principal Data Scientist, Nominum
Dr. Hongliang Liu, Principal Data Scientist at Nominum, received his PhD degree in Physics in 2011. Dr. Liu has been working on defeating DDoS attacks known as Pseudo Random Subdomain (PRSD) attacks which rely on the worldwide DNS infrastructure and building machine intelligence for...

Friday December 8, 2017 11:50 - 12:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Hunting Attacker Activities - Methods for Discovering, Detecting Lateral Movements
When attackers intrude into a network through an APT attack, malware infection spreads to many hosts and servers. In incident investigations, it is important to examine what actually happened during lateral movement through log analysis and forensic investigation of infected hosts. However, in many cases, there may not be sufficient logs left on the host, which makes it difficult to reveal what attackers did on the network.
Therefore, we investigated attackers’ activities after network intrusion by investigating C2 servers and decoding the malware communication. As a result, we found that there are some common patterns in lateral movement methods and tools that are often used.
In addition, we analyzed the tools and Windows commands and investigated the logs recorded on the host upon execution. As a result, it was revealed that the tools’ execution logs are not recorded with the Windows default settings.

This presentation will explain some attack patterns and typical tools used in lateral movement that are identified through our research. We will also demonstrate how to investigate or detect incidents where such tools and commands are used.
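
The detection side of this comes down to having process-creation records with parent, image and command line, and then matching the shapes that remote execution leaves on both ends. As an added example for this page, not the speakers' code, the script below runs three rules of my own over constructed records: a PSEXESVC.exe service started by services.exe on the target, a shell spawned by WmiPrvSE.exe on the target of a remote WMI call, and command lines on the source that name another host (net use, schtasks /s, wmic /node:, PsExec), then adds a fan-out check for one account reaching several hosts inside a short window. The record layout is an assumption; the fields correspond to what Windows event 4688 gives you only once process auditing and command-line logging are switched on, which, as the abstract notes, is not the default.

```python
"""Added example (not the speakers' code): lateral movement rules over
constructed process-creation records (ts, host, user, parent, image, cmdline).
"""
import re
from collections import defaultdict

# Source-side command lines that reach for another host (my rule set).
REMOTE_CMD = re.compile(
    r"(net\s+(use|view)\s+\\\\|schtasks(\.exe)?\s.*/s\s|wmic(\.exe)?\s.*/node:|psexec)", re.I)
# Pull the target host out of \\HOST or /node:"HOST" forms.
TARGET = re.compile(r'(?:\\\\|/node:"?)([\w.-]+)', re.I)


def rules(parent, image, cmdline):
    """Yield a reason for each pattern a single record matches."""
    parent = parent.lower().rsplit("\\", 1)[-1]
    image = image.lower().rsplit("\\", 1)[-1]
    if parent == "services.exe" and image == "psexesvc.exe":
        yield "PsExec service started (remote execution target)"
    if parent == "wmiprvse.exe" and image in ("cmd.exe", "powershell.exe"):
        yield "shell spawned by WMI provider host (remote WMI execution target)"
    if REMOTE_CMD.search(cmdline):
        yield "command line targets a remote host (source side)"


def detect(records, fanout_threshold=2, window=60):
    """Return (ts, host, user, reason) alerts, including per-user fan-out."""
    alerts, per_user = [], defaultdict(list)
    for ts, host, user, parent, image, cmdline in records:
        for why in rules(parent, image, cmdline):
            alerts.append((ts, host, user, why))
        for target in TARGET.findall(cmdline):
            per_user[user].append((ts, target.upper()))
    for user, seen in per_user.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):      # sliding window over remote targets
            hosts = {h for ts, h in seen[i:] if ts - t0 <= window}
            if len(hosts) >= fanout_threshold:
                alerts.append((t0, "-", user,
                               f"fan-out to {len(hosts)} hosts within {window}s: {sorted(hosts)}"))
                break
    return sorted(alerts)


# Constructed records; not from a real incident.
SAMPLE_LOG = [
    (1000, "WS01", "CORP\\alice", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (1005, "WS01", "CORP\\alice", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\net.exe", r"net use \\FS01\C$ /user:CORP\admin"),
    (1010, "WS01", "CORP\\alice", r"C:\Windows\System32\cmd.exe",
     r"C:\Tools\PsExec.exe", r"PsExec.exe \\FS01 -s cmd.exe"),
    (1012, "FS01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
     r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    (1020, "WS01", "CORP\\alice", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\wbem\WMIC.exe", 'wmic /node:"DC01" process call create "cmd /c whoami"'),
    (1021, "DC01", "CORP\\alice", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
    (1030, "WS02", "CORP\\bob", r"C:\Windows\explorer.exe",
     r"C:\Program Files\App\app.exe", "app.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The target-side rules are the ones that survive a renamed client binary, which is why they key on the parent process rather than on the name PsExec.exe or wmic.exe; the source-side regex is the cheap, noisy complement. Without command-line logging only the first two rules have anything to match, which is the point the abstract makes about default settings.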


Keisuke Muda

Analyst, Internet Initiative Japan (IIJ)
Keisuke Muda is an analyst of the Security Operation Center at Internet Initiative Japan Inc. (IIJ), an Internet service provider company in Japan. As a member of IIJ SOC, he analyzes logs sent from various devices installed at IIJ SOC customers’ networks. He also researches and...

Shusei Tomonaga

Malware Analyst / Forensic Investigator, JPCERT/CC
Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware...

Friday December 8, 2017 12:30 - 13:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France



Malware, Penny Stocks, Pharma Spam - Necurs Delivers
Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe.

Enter Necurs, the biggest player in the spam game today. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. Widely considered to be the largest spam botnet on the planet, Necurs is responsible for a large percentage of the overall spam volumes seen around the globe every day. For being such a major threat, very little information has been published regarding its makeup and how it’s being operated by cybercriminals.

This talk will take a deep dive on the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible including both malware distribution and other non-malware based campaigns, including stock based pump-and-dump. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.


Warren Mercer

Warren Mercer joined Talos coming from a Network Security background, having worked for previous vendors and the financial sector. Focusing on Security Research and Threat Intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of...

Jaeson Schultz

Jaeson Schultz is a Technical Leader for Cisco Talos Security Intelligence & Research Group. Cisco's Talos Group is dedicated to advancing the state-of-the-art of threat defense and enhancing the value of Cisco's security products. Jaeson has over 20 years’ experience in Information...

Friday December 8, 2017 14:00 - 14:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Thinking Outside of the (Sand)box
During my talk, I will outline the current state of apps that try to break the Android sandbox model, either by directly exploiting the Android device or by trying to circumvent the protections in place. In the past, there have been mentions of malware families that try to interfere with the Android system the same way Windows malware frequently does – by implementing function hooks or code injection. My talk will also show the difficulties faced by malicious authors, their creativity, goals and ways that Android system security features prevent such behaviour.


Łukasz Siewierski

Senior IT security specialist, Google
Łukasz is a reverse engineer on the Android Security Anti-malware team. In his role he focuses on the analysis and detection of potentially harmful applications, making Android a more secure environment. Prior to Google Łukasz worked at CERT.pl, where he was involved in incident...

Friday December 8, 2017 14:30 - 15:10
Corum Allée du Saint-Esprit, 34000 Montpellier, France


Advanced Threat Hunting
Many threat intelligence teams are small and must make limited resources work in the most efficient way possible. The data these teams rely on may be quite high volume and potentially low signal to noise ratio. The tools used to collect and exploit this data have finite resources and must be leveraged at the highest utilization possible. Additionally, these tools must be applied to the most valuable data first.

This talk presents a process that your team can implement to make your threat and malware hunting more efficient. The core of this process uses YARA rules to process files from an arbitrary source in volume. From that core, it covers methods of prioritizing the output of the rules based on the team’s priority and the confidence in the quality of the rules. Using this process, files are submitted to sandboxes for automated analysis. The output of each of these systems is then parsed for certain qualities that would increase or decrease the value of the information to the team. Attendees will take away not only a solid process that they can implement in their own organizations, but also a list of gotchas and problems that they should avoid.


Robert Simmons

Director of Research Innovation, ThreatConnect
Robert Simmons is Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert has spoken on malware analysis...

Friday December 8, 2017 15:10 - 16:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France