Loading…
Botconf 2017 has ended

Log in to bookmark your favorites and sync them to your phone or calendar.

Malware distribution (botnet related) [clear filter]
Wednesday, December 6
 

11:10 CET

Get Rich or Die Trying
In a World where oil is scarce and people click mail attachments they really shouldn’t, One Man sets out on an epic journey for glory, conquest, and other people’s money. So begins the amazing tale of the “Oil bot” campaign: a tale of a single man who ran a sting operation on a good share of the industrial sector, armed with nothing but his supply of off-the-shelf RATs, his very subpar OPSEC standards, and his Nigerian hutzpah. The talk will follow the entire course of Check Point’s investigation into this affair – from the few emails that didn’t add up, through the campaign’s not-so-intricate C&C infrastructure, to the point where we were inside the campaign, looking at all the incredulous details. How do you scam people into scamming other people? What leads a fraudster to leave a trail of incriminating footprints?

And what does a Nigerian scammer want with an energy company, anyway? One thing’s for sure: In this brave new world, the Nigerian prince is no longer happily calling to inform you that you should transfer your money to them; it is you who is angrily calling your bulk provider, asking where all your money went.

Speakers
avatar for Or Eshed

Or Eshed

Lead Threat Intelligence Analyst, Check Point
Or Eshed - Lead threat intelligence analyst in Check Point’s threat intelligence group. Has 10 years of experience in intelligence and investigations. Expertise in data analysis and pattern recognition.
avatar for Mark Lechtik

Mark Lechtik

Malware Resarch Team Leader, Check Point
Mark is the malware research team leader in Check Point, and has been working there in several research positions for the past 4 years. He was born in Russia, but lives most of his life in Israel, where he graduated the Ben-Gurion university with a B.Sc in communication system engineering... Read More →


Wednesday December 6, 2017 11:10 - 11:40 CET
Corum
 
Thursday, December 7
 

16:30 CET

Stantinko: a Massive Adware Campaign Operating Covertly since 2012
Stantinko is a botnet that we estimate infects around half a million machines mainly located in the Russian Federation and Ukraine. In addition to its prevalence, Stantinko stands out because of its use of advanced anti-analysis techniques, the heavy usage of encryption to hide malicious code and the use of anti-virus evasion tricks that allowed them to stay under the radar for the past five years. While its main purpose is to commit advertisement fraud, Stantinko also installs a backdoor allowing them to run arbitrary code on the victim’s machine.

The Stantinko malware family dates back to at least 2012. We noticed a significant change in the group’s toolset that occured at the beginning of 2015, which made it way more difficult to track them and to gather all the pieces necessary to conduct a complete analysis of this notably undocumented threat.

When we began our analysis, we were not sure at what kind of malware we were looking at. It took us some time to understand Stantinko’s purpose because of its fileless modular architecture. After reverse-engineering its network protocol, we were able to collect the modules that contain the actual malicious code and were able to slowly draw the big picture. We found out that its malicous activities include advertising fraud, Facebook fraud and brute-forcing administrator credentials of Joomla and WordPress Content Management Systems. At this point, it became clear to us that we were looking at a crimeware botnet.

This presentation will cover the findings from our six-month hunt after this large-scale stealthy botnet.

Speakers
MF

Matthieu FAOU

Malware Researcher, ESET
Matthieu Faou is a malware researcher at ESET where he performs in-depth analysis of malware. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has presented at conferences such as BlueHat... Read More →
avatar for Frédéric Vachon

Frédéric Vachon

Malware Researcher, ESET
Frédéric Vachon is a Malware Researcher at ESET. Formerly History student, he traded his love for old stories to play with rusty computer language like assembly. He cherishes the past and can’t quite understand why modern GUI supplanted good old terminal based UI.


Thursday December 7, 2017 16:30 - 17:30 CET
Corum
 
Friday, December 8
 

09:40 CET

Formatting for Justice: Crime Doesn't Pay, Neither Does Rich Text
Due to it’s flexibility and capacity for embedding other objects, the rich text format (RTF) is a preferred file type used by both precision and quantity focused threat actors. This presentation will discuss the state of threats making use of the file format and provide a brief overview of how the file format is constructed. The presentation will also explain results of exploratory experiments conducted to achieve a deep comprehension of the file format’s structure. Best practices for building protections in organizations will be discussed. Techniques developed while hunting for specific features across large sample sets will be shared.

Speakers
avatar for Anthony Kasza

Anthony Kasza

Senior Threat Researcher, Palo Alto Networks
Anthony Kasza is a Senior Threat Researcher for Palo Alto Networks. At Palo Alto Networks, Anthony is responsible for discovering new and tracking known threats to ensure context around customer detections. Prior to Palo Alto Networks, Anthony was responsible for creating scalable... Read More →


Friday December 8, 2017 09:40 - 10:10 CET
Corum

11:10 CET

Nyetya Malware & MeDoc Connection
The 27th of June 2017, a new wormable malware variant has surfaced. Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. The presentation will be divided in two parts:

the first part will describe Nyetya: how it works, the integrated exploits, Doublepulsar modifications, the “encryption” of the infected systems… This part will be focused on the analysis of the malware (reverse engineering)
the second part will describe the incident response performed by Cisco Advanced Services Incident Response in Ukraine focused on M.E.Doc software. This part will contains the techniques used by the attackers to massively compromised M.E.Doc users. A timeline will be exposed and detailed

Speakers
avatar for David Maynor

David Maynor

Cisco Talos
PR

Paul Rascagnères

Security Researcher, CISCO Talos
Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has... Read More →


Friday December 8, 2017 11:10 - 11:50 CET
Corum

14:00 CET

Malware, Penny Stocks, Pharma Spam - Necurs Delivers
Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques have decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe.


Enter Necurs, the biggest player in the spam game today. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. Widely considered to be the largest spam botnet on the planet, Necurs is responsible for a large percentage of the overall spam volumes seen around the globe every day. For being such a major threat, very little information has been published regarding its makeup and how it’s being operated by cybercriminals.


This talk will take a deep dive on the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible including both malware distribution and other non-malware based campaigns, including stock based pump-and-dump. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.

Speakers
WM

Warren MERCER

Talos
Warren Mercer joined Talos coming from a Network Security background, having worked for previous vendors and the financial sector. Focusing on Security Research and Threat Intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of... Read More →
JS

Jaeson Schultz

CISCO Talos
Jaeson Schultz is a Technical Leader for Cisco Talos Security Intelligence & Research Group. Cisco's Talos Group is dedicated to advancing the state-of-the-art of threat defense and enhancing the value of Cisco's security products. Jaeson has over 20 years’ experience in Information... Read More →


Friday December 8, 2017 14:00 - 14:30 CET
Corum

15:10 CET

Advanced Threat Hunting
Many threat intelligence teams are small and must make limited resources work in the most efficient way possible. The data these teams rely on may be quite high volume and potentially low signal to noise ratio. The tools used to collect and exploit this data have finite resources and must be leveraged at the highest utilization possible. Additionally, these tools must be applied to the most valuable data first.

This talk presents a process that your team can implement to make your threat and malware hunting more efficient. The core of this process uses YARA rules to process files from an arbitrary source in volume. From that core, it covers methods of prioritizing the output of the rules based on the team’s priority and the confidence in the quality of the rules. Using this process, files are submitted to sandboxes for automated analysis. The output of each of these systems is then parsed for certain qualities that would increase or decrease the value of the information to the team. Attendees will take away not only a solid process that they can implement in their own organizations, but also a list of gotchas and problems that they should avoid.

Speakers
avatar for Robert Simmons

Robert Simmons

Director of Research Innovation, ThreatConnect
Robert Simmons is Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert has spoken on malware analysis... Read More →


Friday December 8, 2017 15:10 - 16:00 CET
Corum