Botconf 2017 has ended

Tuesday, December 5
 

14:00

Botnet Tracking and Data Analysis Using Open-Source Tools
Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow for quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable Python libraries (IPython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises focus on botnet data, the tools and skills learned will be useful in all sorts of contexts. Moreover, to ensure that participants get the most out of the workshop, it is built so that they can easily replicate the data-analysis environment at home and reproduce similar analyses with their own traffic data.
Workshop Outline
  • Introduction to the workshop
    • Overview of the Linux/Moose botnet
    • The datasets available: Pcaps and mitmproxy logs
    • Overview of the tools we will use
  • Network traffic and C&C protocol analysis
    • Lab 1: Find the potential victims that have been targeted by the botnet’s scanner
    • Lab 2: Find and extract the C&C traffic in the Pcaps
    • Lab 3: Find the list of proxy clients IPs and evaluate if the list changes through time
  • Decrypted HTTPS traffic data analysis
    • Lab 4: Find the list of websites targeted by the botnet and graph them based on the proxy client IP
    • Lab 5: Graph the total number of requests made per proxy client through time
    • Lab 6: Find whether proxy clients are re-using their fake social media accounts
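The kind of analysis Lab 1 asks for (which hosts did the botnet's scanner hit, and which of them answered) can be done from Tshark field output with the standard library alone. The following is an added example written for this page, not workshop material or code from the GoSecure investigation: the tshark command line in the docstring is an assumed invocation that produces the six columns the parser expects, and the CSV sample is constructed from RFC 5737 documentation addresses.

```python
"""
Lab-1 style scanner-victim analysis with the standard library only.

Input is tshark "-T fields" output. An assumed invocation (not from the
workshop material) that produces the six columns used below:

  tshark -r capture.pcap -Y tcp -T fields -E separator=, \
      -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
      -e tcp.flags.syn -e tcp.flags.ack > flows.csv

SAMPLE_CSV is constructed for this example (RFC 5737 documentation
addresses); it is not data from the Linux/Moose investigation.
"""
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """\
1512480000.10,203.0.113.7,198.51.100.2,23,1,0
1512480000.12,203.0.113.7,198.51.100.3,23,1,0
1512480000.13,198.51.100.3,203.0.113.7,41022,1,1
1512480000.14,203.0.113.7,198.51.100.4,23,1,0
1512480000.15,203.0.113.7,198.51.100.5,23,1,0
1512480000.16,203.0.113.7,198.51.100.5,23,1,0
1512480001.00,198.51.100.9,203.0.113.20,443,1,0
1512480001.02,203.0.113.20,198.51.100.9,51234,1,1
1512480001.05,198.51.100.9,203.0.113.20,443,0,1
"""


def parse_tshark_csv(text):
    """Turn tshark field rows into dicts. Depending on the tshark version the
    boolean flag fields print as 1/0 or True/False, so both are accepted."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 6:       # blank line, or a packet with empty TCP fields
            continue
        ts, src, dst, dport, syn, ack = fields
        rows.append({
            "ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "syn": syn in ("1", "True"), "ack": ack in ("1", "True"),
        })
    return rows


def find_scanners(rows, min_targets=3):
    """Sources whose bare SYNs (SYN set, ACK clear) reached at least
    min_targets distinct hosts on one destination port: a horizontal scan.
    Returns {(src, dport): sorted list of targets}."""
    attempts = defaultdict(set)
    for r in rows:
        if r["syn"] and not r["ack"]:
            attempts[(r["src"], r["dport"])].add(r["dst"])
    return {key: sorted(dsts) for key, dsts in attempts.items()
            if len(dsts) >= min_targets}


def responding_targets(rows, scanner, dport):
    """Split the scanner's targets into every host it probed and those that
    answered with SYN/ACK; the latter are the potential victims worth
    following into the C&C labs. In the reply, tcp.dstport is the scanner's
    ephemeral port, so replies are matched on addresses and flags only."""
    probed = {r["dst"] for r in rows
              if r["src"] == scanner and r["dport"] == dport
              and r["syn"] and not r["ack"]}
    answered = {r["src"] for r in rows
                if r["dst"] == scanner and r["syn"] and r["ack"]
                and r["src"] in probed}
    return sorted(probed), sorted(answered)


if __name__ == "__main__":
    rows = parse_tshark_csv(SAMPLE_CSV)
    for (src, dport), targets in find_scanners(rows).items():
        probed, answered = responding_targets(rows, src, dport)
        print(f"scanner {src} -> port {dport}: {len(probed)} hosts probed, "
              f"{len(answered)} answered: {answered}")
```

On a real capture, feed `flows.csv` to `parse_tshark_csv` and raise `min_targets` until legitimate clients (which open a handful of connections to a handful of hosts) drop out; the hosts that answered are the ones to carry into Labs 2 and 3.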

Speakers

Olivier Bilodeau

Cybersecurity Research Lead, GoSecure

Masarah Paquet Clouston

Security Researcher, GoSecure
Masarah is a security researcher at GoSecure and one of Canada’s decorated 150 scientific innovators. With her background in economics and criminology, she specializes in the study of market dynamics behind illicit online activities. Her primary goal is to conduct scientific research...


Tuesday December 5, 2017 14:00 - 18:00
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France

14:00

Cyber Threat Intel & Incident Response with TheHive, Cortex & MISP
Agenda:
  • Cyber Threat Intel & Incident Response in 2017
  • MISP, TheHive & Cortex overview
  • Installing & configuring the product stack
  • Bringing it all together
    • An IR case study
    • Dealing with notifications
    • How CTI feeds IR
    • How IR feeds CTI
    • The CTI-IR cycle: case study

Speakers

Saâd Kadhi

A convinced archeofuturist and a true retromodernist with a serious knack for individualistic altruism, I have been working in the wonderful field of Incident Response, Digital Forensics and hubris, er, Threat Intelligence for a decade. I am the leader of TheHive Project and I currently...

Raphaël VINOT

CERT Operator & MISP core developer, CIRCL
I'm one of the core developers of MISP Threat Sharing, working especially on all the APIs and interactions with third-party tools.


Tuesday December 5, 2017 14:00 - 18:00
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France

14:00

Python and Machine Learning: How to Clusterize a Malware Dataset
The goal of this workshop is to present how to use Python for machine learning. We take examples of security data such as malware and explain how to transform the data so that machine learning algorithms can be applied to it. We detail the different algorithms and the different libraries, Scikit-learn and TensorFlow.

The algorithms help to cluster a malware database quickly in order to create YARA signatures for use in incident response. Participants will work on a small dataset, develop some code based on these libraries and create YARA signatures.


Tuesday December 5, 2017 14:00 - 18:00
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France
 
Wednesday, December 6
 

10:00

Opening
Speakers

Éric FREYSSINET

Chairman / Chief digital strategy officer, Botconf / Gendarmerie nationale
Chairman of the organising committee. French law enforcement cybercrime specialist. PhD in computer science.


Wednesday December 6, 2017 10:00 - 10:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France

11:10

Get Rich or Die Trying
In a World where oil is scarce and people click mail attachments they really shouldn’t, One Man sets out on an epic journey for glory, conquest, and other people’s money. So begins the amazing tale of the “Oil bot” campaign: a tale of a single man who ran a sting operation on a good share of the industrial sector, armed with nothing but his supply of off-the-shelf RATs, his very subpar OPSEC standards, and his Nigerian chutzpah. The talk will follow the entire course of Check Point’s investigation into this affair – from the few emails that didn’t add up, through the campaign’s not-so-intricate C&C infrastructure, to the point where we were inside the campaign, looking at all the incredulous details. How do you scam people into scamming other people? What leads a fraudster to leave a trail of incriminating footprints?

And what does a Nigerian scammer want with an energy company, anyway? One thing’s for sure: In this brave new world, the Nigerian prince is no longer happily calling to inform you that you should transfer your money to them; it is you who is angrily calling your bulk provider, asking where all your money went.

Speakers

Or Eshed

Lead Threat Intelligence Analyst, Check Point
Or Eshed - Lead threat intelligence analyst in Check Point’s threat intelligence group. Has 10 years of experience in intelligence and investigations. Expertise in data analysis and pattern recognition.

Mark Lechtik

Malware Research Team Leader, Check Point
Mark is the malware research team leader at Check Point, and has been working there in several research positions for the past 4 years. He was born in Russia, but has lived most of his life in Israel, where he graduated from Ben-Gurion University with a B.Sc. in communication systems engineering...


Wednesday December 6, 2017 11:10 - 11:40
Corum Allée du Saint-Esprit, 34000 Montpellier, France

 
Thursday, December 7
 

14:00

Malpedia: A Collaborative Effort to Inventorize the Malware Landscape
In this paper, we introduce Malpedia, our take on a collaborative platform for the curation of a coherent corpus of cleanly labeled, unpacked malware samples. Illustrating one of the use cases for this data set, we provide a comparative overview of structural characteristics for more than 300 families of Windows malware.

Speakers

Martin Clauß

Research Associate, Fraunhofer FKIE

Daniel Plohmann

Malware analyst, Fraunhofer FKIE
Daniel Plohmann works as a senior analyst for Fraunhofer FKIE, taking apart malware families and botnet instances. His PhD research at University of Bonn focuses on automation and improving the efficiency of reverse engineering as an instrument for in-depth analysis. As a Teaching...


Thursday December 7, 2017 14:00 - 15:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France

16:30

Stantinko: a Massive Adware Campaign Operating Covertly since 2012
Stantinko is a botnet that we estimate infects around half a million machines mainly located in the Russian Federation and Ukraine. In addition to its prevalence, Stantinko stands out because of its use of advanced anti-analysis techniques, the heavy usage of encryption to hide malicious code and the use of anti-virus evasion tricks that allowed them to stay under the radar for the past five years. While its main purpose is to commit advertisement fraud, Stantinko also installs a backdoor allowing them to run arbitrary code on the victim’s machine.

The Stantinko malware family dates back to at least 2012. We noticed a significant change in the group’s toolset that occurred at the beginning of 2015, which made it much more difficult to track them and to gather all the pieces necessary to conduct a complete analysis of this notably undocumented threat.

When we began our analysis, we were not sure what kind of malware we were looking at. It took us some time to understand Stantinko’s purpose because of its fileless modular architecture. After reverse-engineering its network protocol, we were able to collect the modules that contain the actual malicious code and slowly draw the big picture. We found out that its malicious activities include advertising fraud, Facebook fraud and brute-forcing administrator credentials of Joomla and WordPress Content Management Systems. At this point, it became clear to us that we were looking at a crimeware botnet.

This presentation will cover the findings from our six-month hunt after this large-scale stealthy botnet.

Speakers

Matthieu FAOU

Malware Researcher, ESET
Matthieu Faou is a malware researcher at ESET where he performs in-depth analysis of malware. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has presented at conferences such as BlueHat...

Frédéric Vachon

Malware Researcher, ESET
Frédéric Vachon is a Malware Researcher at ESET. Formerly a history student, he traded his love for old stories to play with rusty computer languages like assembly. He cherishes the past and can’t quite understand why modern GUIs supplanted good old terminal-based UIs.


Thursday December 7, 2017 16:30 - 17:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France

20:00

Reception
Thursday December 7, 2017 20:00 - 23:30
TBA
 
Friday, December 8
 

09:00

09:40

Formatting for Justice: Crime Doesn't Pay, Neither Does Rich Text
Due to its flexibility and capacity for embedding other objects, the Rich Text Format (RTF) is a preferred file type for both precision-focused and quantity-focused threat actors. This presentation will discuss the state of threats making use of the file format and provide a brief overview of how the file format is constructed. The presentation will also explain the results of exploratory experiments conducted to achieve a deep comprehension of the file format’s structure. Best practices for building protections in organizations will be discussed. Techniques developed while hunting for specific features across large sample sets will be shared.
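Hunting for features across many RTF samples starts with a scanner that understands the format's two building blocks, control words and braced groups, well enough to find the destinations where objects hide. The scanner below is an added example written for this page, not the speaker's tooling: it counts control words, pulls the hex body of every \objdata destination, and decodes the OLE 1.0 header that precedes an embedded object to recover its class name and native data size. SAMPLE_RTF is constructed (its "object" is the text "Hello, RTF" behind a Package class header) and the INTERESTING set is an illustrative hunting list, not the presentation's.

```python
"""
Group-aware RTF scanner for feature hunting over a corpus of samples.

SAMPLE_RTF is constructed for this example and INTERESTING is an
illustrative set of control words; neither comes from the presentation.
"""
import re
import struct
from collections import Counter

CONTROL_WORD = re.compile(r"\\([a-zA-Z]+)(-?\d+)? ?")
INTERESTING = {"object", "objdata", "objclass", "objupdate", "objemb",
               "objautlink", "pict", "bin"}

SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "
    "01050000 02000000 08000000 5061636b61676500 00000000 00000000\n"
    "0a000000 48656c6c6f2c20525446 }}\\par Trailing text.}"
)


def scan_rtf(data: str):
    """Walk the document once. Returns (Counter of control words, [bytes of
    each \objdata destination]). Nested groups inside a destination are
    entered, but their text is not added to the hex body."""
    counts, blobs = Counter(), []
    stack = []                 # per open group: a list collecting hex, or None
    i, n = 0, len(data)
    while i < n:
        c = data[i]
        if c == "{":
            stack.append(None)
            i += 1
        elif c == "}":
            if stack:
                buf = stack.pop()
                if buf is not None:
                    h = "".join(buf)
                    blobs.append(bytes.fromhex(h[: len(h) & ~1]))
            i += 1
        elif c == "\\":
            m = CONTROL_WORD.match(data, i)
            if m:
                word, param = m.group(1), m.group(2)
                counts[word] += 1
                i = m.end()
                if word == "objdata" and stack:
                    stack[-1] = []
                elif word == "bin":          # N raw bytes follow; skip them
                    i += int(param or 0)
            elif i + 1 < n and data[i + 1] == "'":
                i += 4                       # \'hh hex escape
            else:
                i += 2                       # control symbol: \* \{ \} ...
        else:
            if stack and stack[-1] is not None and c in "0123456789abcdefABCDEF":
                stack[-1].append(c)
            i += 1
    return counts, blobs


def parse_ole1(blob: bytes):
    """Decode the OLE 1.0 header in front of \objdata payloads: version,
    format id, three length-prefixed strings (class, topic, item) and, for
    embedded objects (format 2), a size-prefixed native data block."""
    if len(blob) < 8:
        return None

    def lp_string(off):
        (length,) = struct.unpack_from("<I", blob, off)
        s = blob[off + 4: off + 4 + length].rstrip(b"\0").decode("latin-1")
        return s, off + 4 + length

    version, fmt = struct.unpack_from("<II", blob, 0)
    cls, off = lp_string(8)
    topic, off = lp_string(off)
    item, off = lp_string(off)
    native = b""
    if fmt == 2 and off + 4 <= len(blob):
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4: off + 4 + size]
    return {"version": version, "format": fmt, "class": cls, "topic": topic,
            "item": item, "native_size": len(native), "native": native}


def hunt(data: str):
    """Per-sample summary for triage across a corpus: which interesting
    control words appear, and what each embedded object claims to be."""
    counts, blobs = scan_rtf(data)
    return {"interesting": {w: counts[w] for w in sorted(INTERESTING) if counts[w]},
            "objects": [parse_ole1(b) for b in blobs]}


if __name__ == "__main__":
    print(hunt(SAMPLE_RTF))
```

Run `hunt` over a directory of samples and pivot on the class names and native sizes it returns; a class name that does not match the declared object type, or a native blob far larger than the document, is the kind of feature worth a closer look.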

Speakers

Anthony Kasza

Senior Threat Researcher, Palo Alto Networks
Anthony Kasza is a Senior Threat Researcher for Palo Alto Networks. At Palo Alto Networks, Anthony is responsible for discovering new and tracking known threats to ensure context around customer detections. Prior to Palo Alto Networks, Anthony was responsible for creating scalable...


Friday December 8, 2017 09:40 - 10:10
Corum Allée du Saint-Esprit, 34000 Montpellier, France

10:10

PWS, Common, Ugly but Effective
PassWord Stealers (PWS) have been around for more than a decade now. They are legion. Some, like Pony (aka FareIT), are well known. But nobody really takes the time to explain what is out there, what it is capable of and how this little industry works.

However, they are still a common threat, actively used according to our incident logs.
A PWS is not a RAT; we make this distinction. The aim of a PWS is to be launched, steal a lot of credentials and optionally keylog and/or drop another payload.

Sadly nobody cares about them anymore when they trigger an antivirus alert inside a company.
To illustrate this, my presentation will go through a couple of PWS that I have met. I will give an overview of the history and capabilities of the threat, and share the tricks and tools/scripts needed to identify and decipher them. A couple of these decoding/identification tools are freely available to the community and not written by me; this task can be achieved by many security people without any reverse-engineering skills.

Finally I will try to summarize these threats by giving participants a clear view of what is available in the field.

Speakers

Paul Jung

Senior security consultant, Excellium Services
Paul Jung has long been a security enthusiast. He has worked in the security field in Luxembourg for more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experiences that enable...


Friday December 8, 2017 10:10 - 10:40
Corum Allée du Saint-Esprit, 34000 Montpellier, France

10:40

11:10

Nyetya Malware & MeDoc Connection
On 27 June 2017, a new wormable malware variant surfaced. Talos identifies this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. The presentation will be divided in two parts:

  • The first part will describe Nyetya: how it works, the integrated exploits, the DoublePulsar modifications, the “encryption” of the infected systems… This part will be focused on the analysis of the malware (reverse engineering).
  • The second part will describe the incident response performed by Cisco Advanced Services Incident Response in Ukraine, focused on the M.E.Doc software. This part will cover the techniques used by the attackers to compromise M.E.Doc users en masse. A detailed timeline will be presented.

Speakers

David Maynor

Cisco Talos

Paul Rascagnères

Security Researcher, CISCO Talos
Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has...


Friday December 8, 2017 11:10 - 11:50
Corum Allée du Saint-Esprit, 34000 Montpellier, France

11:50

Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples
We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seed in real-time DNS query traffic. By combining real-time DNS traffic and this fast search method, we successfully detected all dynamic Locky DGA seeds within seconds from their first appearance, and predicted all future C&C names from those seeds. These C&C names are distributed to production systems used by ISPs worldwide, where they’re blocked. They’re also shared with DGArchive and the security community.
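The search the abstract describes, recovering a DGA seed from live DNS traffic and then predicting the names it will produce, rests on one structural idea: precompute every domain each candidate seed can emit over a date window, key a table by domain, and look each observed name up in constant time instead of re-running the generator for every seed per query. The block below is an added illustration of that structure, written for this page and not the authors' implementation: TOY_DGA is a stand-in generator and TLDS a constructed list (the real Locky DGA, its seed space and its TLDs are deliberately not reproduced), and the seed range, dates and observed names are all constructed.

```python
"""
Hash-join DGA seed search: build a domain -> (seed, day) table once, then
answer each observed NXDOMAIN with one dictionary lookup.

toy_dga is a stand-in written for this example; it is NOT the Locky DGA.
The table / lookup / threshold structure is the point and carries over to
any DGA whose only unknowns are the seed and the date.
"""
import hashlib
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("xyz", "info", "biz")                 # constructed, not Locky's list
START = date(2017, 12, 8)                     # constructed window start
SEEDS, DAYS, PER_DAY = range(1, 501), 3, 4    # constructed search space


def toy_dga(seed: int, day: date, index: int) -> str:
    """Stand-in generator, deterministic in (seed, day, index)."""
    h = hashlib.sha256(f"{seed}:{day.isoformat()}:{index}".encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in h[:10])
    return f"{label}.{TLDS[h[10] % len(TLDS)]}"


def build_table(seed_range, start: date, days: int, per_day: int):
    """domain -> (seed, day). Size is |seeds| * days * per_day; for a real
    seed space this precomputation is the part that belongs on a GPU."""
    table = {}
    for seed in seed_range:
        for d in range(days):
            day = start + timedelta(days=d)
            for i in range(per_day):
                table[toy_dga(seed, day, i)] = (seed, day)
    return table


def recover_seeds(observed, table, min_hits=2):
    """One lookup per observed name. A seed is accepted only when at least
    min_hits distinct observed names map to it, so a single chance hit
    against unrelated NXDOMAIN noise does not yield a seed."""
    hits = defaultdict(set)
    for name in observed:
        found = table.get(name.lower().rstrip("."))
        if found:
            hits[found[0]].add(name)
    return {seed: sorted(names) for seed, names in hits.items()
            if len(names) >= min_hits}


def predict(seed: int, start: date, days: int, per_day: int):
    """Future names for a recovered seed, ready for a blocklist."""
    return [toy_dga(seed, start + timedelta(days=d), i)
            for d in range(days) for i in range(per_day)]


def run_demo():
    """Constructed NXDOMAIN stream: two names from seed 137 (one upper-cased
    with a trailing dot, as resolvers may log it), one from seed 42, two
    unrelated names. Only seed 137 clears the threshold."""
    table = build_table(SEEDS, START, DAYS, PER_DAY)
    observed = [
        toy_dga(137, START, 0),
        toy_dga(137, START + timedelta(days=1), 2).upper() + ".",
        toy_dga(42, START, 1),
        "www.example.com", "nonexistent.test",
    ]
    seeds = recover_seeds(observed, table)
    future = {s: predict(s, START + timedelta(days=DAYS), 2, PER_DAY) for s in seeds}
    return table, seeds, future


if __name__ == "__main__":
    table, seeds, future = run_demo()
    print(f"table entries: {len(table)}; recovered seeds: {list(seeds)}")
    for s, names in future.items():
        print(f"seed {s}: {len(names)} future names, e.g. {names[0]}")
```

Two choices matter in practice: the threshold in `recover_seeds` is what keeps a coincidental hit from turning into a block entry, and the table must be rebuilt as the date window slides, which is why the precomputation cost, not the lookup, dominates.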

Speakers

Yohai Einav

Principal Security Researcher, Nominum
Yohai Einav is a 14-year cybersecurity veteran and presently a lead security researcher at Nominum. In his current role, he manages threat analysis projects with a specific focus on Botnets and their DNS signal. He is also the lead author of the company’s security reports. Yohai’s...

Hongliang Liu

Principal Data Scientist, Nominum
Dr. Hongliang Liu, Principal Data Scientist at Nominum, received his PhD degree in Physics in 2011. Dr. Liu has been working on defeating DDoS attacks known as Pseudo Random Subdomain (PRSD) attacks which rely on the worldwide DNS infrastructure and building machine intelligence for...


Friday December 8, 2017 11:50 - 12:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France

12:30

Hunting Attacker Activities - Methods for Discovering, Detecting Lateral Movements
When attackers intrude into a network in an APT attack, the malware infection spreads to many hosts and servers. In incident investigations, it is important to examine what actually happened during lateral movement, through log analysis and forensic investigation of infected hosts. However, in many cases there may not be sufficient logs left on the host, which makes it difficult to reveal what attackers did on the network.
Therefore, we investigated attackers’ activities after network intrusion by investigating C2 servers and decoding the malware communication. As a result, we found that there are some common patterns in lateral movement methods, and tools that are often used.
In addition, we analyzed the tools and Windows commands and investigated the logs recorded on the host upon execution. As a result, it was revealed that the tools’ execution logs are not recorded with the default Windows settings.

This presentation will explain some attack patterns and typical tools used in lateral movement that are identified through our research. We will also demonstrate how to investigate or detect incidents where such tools and commands are used.
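Detecting the use of such tools from host logs depends on two things the abstract points at: process-creation auditing has to be on at all (Security event 4688 is not recorded by default), and the command line has to be included in it (the "Include command line in process creation events" policy, registry value ProcessCreationIncludeCmdLine_Enabled), since most lateral-movement tooling is only recognisable from its arguments. The block below is an added example written for this page, not JPCERT/CC's or IIJ's tooling: it runs a small rule set over constructed 4688 records and separately reports records whose empty command line shows the audit gap. The rules are an illustration of the pattern (remote PsExec, WMI process creation, admin-share mounts, remote scheduled tasks), not the list from the presentation, and the hostnames, users and paths in the sample are made up.

```python
"""
Lateral-movement tooling in Windows process-creation events (Security 4688;
Sysmon event 1 can be normalised to the same field names), plus the audit
gap: a 4688 with an empty CommandLine is what you get when command-line
logging is off, and with Audit Process Creation disabled there is no 4688.

RULES and SAMPLE_EVENTS are constructed for this example. Real events can be
exported with, for instance:
  wevtutil qe Security /q:"*[System[EventID=4688]]" /f:xml
"""
import re

RULES = [
    # name,               image regex (end of NewProcessName), command-line regex
    ("psexec-client",     r"\\psexec(64)?\.exe$",  r"\\\\\S+"),
    ("psexec-service",    r"\\psexesvc\.exe$",     None),
    ("wmic-remote-exec",  r"\\wmic\.exe$",
     r"/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b"),
    ("admin-share-mount", r"\\net1?\.exe$",
     r"\buse\b.*\\\\[^\\]+\\(admin\$|c\$|ipc\$)"),
    ("remote-schtasks",   r"\\schtasks\.exe$",
     r"(?=.*\s/s\s+\S+)(?=.*/(create|run)\b)"),
    ("remote-at",         r"\\at\.exe$",           r"\\\\\S+"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I) if cmd else None)
            for name, img, cmd in RULES]

SAMPLE_EVENTS = [   # constructed; hosts, users and paths are made up
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\FILESRV01 -s -d cmd.exe"},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:192.0.2.10 /user:CORP\admin process call create "cmd.exe /c whoami"'},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\FILESRV01\ADMIN$ /user:CORP\admin *"},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /s FILESRV01 /tn Updater /tr C:\Windows\Temp\u.exe /sc once /st 23:00"},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": ""},          # command-line auditing off: nothing to match on
    {"EventID": 4688, "Computer": "FILESRV01", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
]


def detect(events):
    """Return (computer, user, rule) for every 4688 whose image matches a
    rule and, where the rule has one, whose command line matches too."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        image, cmd = ev.get("NewProcessName", ""), ev.get("CommandLine", "")
        for name, img_re, cmd_re in COMPILED:
            if img_re.search(image) and (cmd_re is None or cmd_re.search(cmd)):
                hits.append((ev["Computer"], ev["SubjectUserName"], name))
    return hits


def audit_gaps(events):
    """4688 events with no CommandLine: the host logs process creation but
    not arguments, so every rule keyed on arguments is blind there."""
    return [ev for ev in events
            if ev.get("EventID") == 4688 and not ev.get("CommandLine")]


if __name__ == "__main__":
    for computer, user, rule in detect(SAMPLE_EVENTS):
        print(f"{computer}: {user} -> {rule}")
    for ev in audit_gaps(SAMPLE_EVENTS):
        print(f"{ev['Computer']}: no command line logged for {ev['NewProcessName']}")
```

The PSEXESVC hit on the target host is the one that needs no command line, which is why image-only rules are worth keeping even where argument logging is off; the `audit_gaps` output tells you which hosts to fix before trusting the absence of other hits.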

Speakers

Keisuke Muda

Analyst, Internet Initiative Japan (IIJ)
Keisuke Muda is an analyst of the Security Operation Center at Internet Initiative Japan Inc. (IIJ), an Internet service provider company in Japan. As a member of IIJ SOC, he analyzes logs sent from various devices installed at IIJ SOC customers’ networks. He also researches and...

Shusei Tomonaga

Malware Analyst / Forensic Investigator, JPCERT/CC
Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware...


Friday December 8, 2017 12:30 - 13:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France

14:00

Malware, Penny Stocks, Pharma Spam - Necurs Delivers
Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe.


Enter Necurs, the biggest player in the spam game today. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. Widely considered to be the largest spam botnet on the planet, Necurs is responsible for a large percentage of the overall spam volumes seen around the globe every day. For being such a major threat, very little information has been published regarding its makeup and how it’s being operated by cybercriminals.


This talk will take a deep dive on the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible including both malware distribution and other non-malware based campaigns, including stock based pump-and-dump. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.

Speakers

Warren MERCER

Talos
Warren Mercer joined Talos coming from a Network Security background, having worked for previous vendors and the financial sector. Focusing on Security Research and Threat Intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of...

Jaeson Schultz

CISCO Talos
Jaeson Schultz is a Technical Leader for Cisco Talos Security Intelligence & Research Group. Cisco's Talos Group is dedicated to advancing the state-of-the-art of threat defense and enhancing the value of Cisco's security products. Jaeson has over 20 years’ experience in Information...


Friday December 8, 2017 14:00 - 14:30
Corum Allée du Saint-Esprit, 34000 Montpellier, France

14:30

Thinking Outside of the (Sand)box
During my talk, I will outline the current state of apps that try to break the Android sandbox model, either by directly exploiting the Android device or by trying to circumvent the protections in place. In the past, there have been mentions of malware families that try to interfere with the Android system the same way Windows malware frequently does – by implementing function hooks or code injection. My talk will also show the difficulties faced by malware authors, their creativity, goals and the ways that Android system security features prevent such behaviour.

Speakers

Łukasz SIEWIERSKI

Senior IT security specialist, Google
Łukasz is a reverse engineer on the Android Security Anti-malware team. In his role he focuses on the analysis and detection of potentially harmful applications, making Android a more secure environment. Prior to Google Łukasz worked at CERT.pl, where he was involved in incident...


Friday December 8, 2017 14:30 - 15:10
Corum Allée du Saint-Esprit, 34000 Montpellier, France

15:10

Advanced Threat Hunting
Many threat intelligence teams are small and must make limited resources work in the most efficient way possible. The data these teams rely on may be quite high volume and potentially low signal to noise ratio. The tools used to collect and exploit this data have finite resources and must be leveraged at the highest utilization possible. Additionally, these tools must be applied to the most valuable data first.

This talk presents a process that your team can implement to make your threat and malware hunting more efficient. The core of this process uses YARA rules to process files from an arbitrary source in volume. From that core, it covers methods of prioritizing the output of the rules based on the team’s priority and the confidence in the quality of the rules. Using this process, files are submitted to sandboxes for automated analysis. The output of each of these systems is then parsed for certain qualities that would increase or decrease the value of the information to the team. Attendees will take away not only a solid process that they can implement in their own organizations, but also a list of gotchas and problems that they should avoid.

Speakers

Robert SIMMONS

Director of Research Innovation, ThreatConnect
Robert Simmons is Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert has spoken on malware analysis...


Friday December 8, 2017 15:10 - 16:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France
