Botconf 2017 – Day Three
Formatting for justice: crime doesn't pay, neither does rich text
Anthony Kasza • @anthonykasza • Palo Alto Networks
The speaker presents the Rich Text Format (RTF) developed by Microsoft in 1987. He explains that hexadecimal content as well as functions can be interpreted directly and highlights the techniques used to insert obfuscated code into certain RTF objects.
He then presents several tools for generating RTF files that include executable code, as well as analysis suites such as rtfdump, rtfobj, and pyRTF. Beyond manual analysis, it is possible to identify suspicious patterns using simple Yara rules that monitor values such as insrsid, rsidtbl, ddeauto, etc.
He concludes with the DDEAUTO feature, to which we have already dedicated an article.
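As an added illustration of the Yara-style triage the speaker describes (this is example code, not the speaker's or Palo Alto's tooling), the scanner below counts the control words the talk names (insrsid, rsidtbl, ddeauto) together with embedded-object containers and long hexadecimal runs in a constructed RTF sample; the control-word list and thresholds are this example's own assumptions.

```python
import re

# Added example, not from the talk: a minimal RTF triage scanner counting the
# markers the speaker says simple Yara rules can key on (insrsid, rsidtbl,
# ddeauto), plus embedded-object containers and long hexadecimal runs. The
# control-word list and thresholds are this example's own choices.
SUSPICIOUS_CONTROL_WORDS = ("insrsid", "rsidtbl", "ddeauto", "objdata", "objemb")

# At least 64 hex byte pairs, optionally broken up by whitespace or newlines.
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}\s*){64,}")


def scan_rtf(data: bytes) -> dict:
    """Return marker -> count for the raw RTF bytes in `data`."""
    findings = {}
    # Word tolerates truncated headers such as "{\rt"; anything other than the
    # canonical "{\rtf1" deserves a second look.
    if data.lstrip()[:6] != b"{\\rtf1":
        findings["nonstandard_header"] = 1
    lowered = data.lower()
    for cw in SUSPICIOUS_CONTROL_WORDS:
        # Match the control word with or without its leading backslash, since
        # DDEAUTO also appears as plain text inside a \fldinst group.
        n = len(re.findall(rb"\\?" + cw.encode() + rb"(?![a-z])", lowered))
        if n:
            findings[cw] = n
    hex_runs = HEX_RUN.findall(data)
    if hex_runs:
        findings["hex_runs"] = len(hex_runs)
        longest = max(hex_runs, key=len)
        findings["largest_hex_bytes"] = len(re.sub(rb"\s", b"", longest)) // 2
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag a DDE field, or an embedded object carrying a hex payload."""
    return "ddeauto" in findings or (
        "objdata" in findings and findings.get("hex_runs", 0) > 0)


# Constructed sample: an rsid table, a DDE field and an embedded hex object.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\*\\rsidtbl \\rsid1234}\n"
    b"{\\field{\\*\\fldinst {DDEAUTO \"constructed-placeholder\"}}{\\fldrslt }}\n"
    b"{\\object\\objemb{\\*\\objdata 0105000002000000\n" + b"41" * 80 + b"}}}"
)

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF), is_suspicious(scan_rtf(SAMPLE_RTF)))
```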
PWS, common, ugly but effective
Paul Jung • @__Thanat0s__ • Excellium
The speaker presents an overview of password-stealing malware (PWS). This malware can generally steal the following information:
- Credentials stored in the browser
- Configuration files
- Registry database
- Cryptocurrency wallets
- Serial numbers
- Screenshots
- Keystrokes
- etc.
These malware programs are distributed quite openly on forums; the situation is such that the authors carefully craft the software's presentation and provide comparative advertising videos to promote their product. A veritable parallel economy…
Nyetya malware & MeDoc connection
Paul Rascagnères • @r00tbsd • Talos, Cisco
The speaker revisits the Nyetya/NotPetya incident and explains how Talos traced the infection back to its source. Several of their clients were reporting infections, while the team's honeypot systems weren't recording any new ones. Analysts then turned to their clients' IT systems and ultimately identified MeDoc as the common link.
The rest of the talk is a detailed analysis of the malware, which recalls already-published information, and compares the characteristics of Nyetya and BadRabbit in passing:
Math + GPU + DNS = cracking Locky seeds in real time without analyzing samples
Yohai Einav • Nominum, Akamai
Yuriy Yuzifovich • Nominum, Akamai
The speakers briefly recap the popularity of ransomware, which stems from a simple reason: we all have data we value on our devices. They then explain the typical operating method of ransomware, which queries its command and control (C&C) server to obtain the encryption key used during the infection. If these requests are blocked at the DNS level, the malware can therefore be prevented from functioning.
The problem is that the vast majority of ransomware relies on Domain Generation Algorithms (DGAs) and therefore uses ephemeral domains for communication. Like pseudo-random number generators, these algorithms remain predictable as long as the "seed" with which they were initialized is known. The researchers started from a simple principle: knowing the algorithm used and observing domain names in real-time use, it is possible to find the seed and thus know all the domains an infection campaign will use.
Using the DNS feed accessible to Nominum (50 million unique domains per day) and knowing the DGA used by Locky, the speakers set up a computing platform that finds the seeds used in campaigns in a reasonable time.
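The seed-recovery principle above, as an added example that is not the speakers' code: the DGA here is a constructed toy standing in for Locky's real generator, the seed space is deliberately small, and the search is serial where the talk parallelises it on GPUs; what it shows is that a handful of observed domains plus the known algorithm is enough to pin the seed and enumerate the campaign's future domains.

```python
import hashlib

# Added example, not the speakers' code: a constructed toy DGA standing in for
# Locky's real algorithm, plus the seed search they describe. Knowing the
# algorithm and a few domains observed in live DNS traffic, walk the seed space
# until a candidate seed reproduces enough of the observed names; the recovered
# seed then yields every domain the campaign will use, ahead of time.
TLDS = ("com", "net", "org", "info")


def toy_dga(seed: int, day: int, count: int = 8) -> list:
    """Domains for one (seed, day) pair. Constructed; not Locky's generator."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}:{day}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains


def recover_seed(observed, day: int, seed_bits: int = 16, min_hits: int = 2):
    """Brute-force the seed whose output overlaps `observed` by >= min_hits.

    Serial here for clarity; the speakers parallelise this step on GPUs.
    Requiring more than one hit keeps a single coincidental match from
    pinning the wrong seed.
    """
    observed = set(observed)
    for seed in range(1 << seed_bits):
        hits = sum(1 for d in toy_dga(seed, day) if d in observed)
        if hits >= min_hits:
            return seed
    return None


def predict_blocklist(seed: int, first_day: int, days: int = 3) -> set:
    """All domains the campaign will generate from first_day onward."""
    return {d for day in range(first_day, first_day + days)
            for d in toy_dga(seed, day)}


# Constructed observation: three DGA domains seen in a DNS feed among noise.
OBSERVED = toy_dga(0x2A17, 17500)[:3] + ["cdn.example", "mail.example"]

if __name__ == "__main__":
    seed = recover_seed(OBSERVED, 17500)
    print(hex(seed), sorted(predict_blocklist(seed, 17500)))
```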
Hunting attacker activities – methods for discovering, detecting lateral movements
Keisuke Muda • JPCERT/CC
Shusei Tomonaga • @shu_tom • JPCERT/CC
The speakers present the detection methods they use to identify lateral movement within a Windows environment. Their work is based on concrete analyses of five APTs that targeted Japan, in which recurring patterns consistently appeared.
To do this, they rely on native Windows logs and on those generated by the Sysmon utility, which provides additional information. The advantage of this approach is that it detects patterns built on legitimate tools, or on tools not directly associated with malware (such as PsExec), which would therefore go undetected by antivirus software.
The result of the research was published as a website, describing each tool and behavior tested and the associated traces.
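As an added example of the log-based approach above (example code, not JPCERT/CC's), the correlation below ties together the footprint PsExec leaves on the target host across the Security, System and Sysmon logs; the events are constructed, and the flat field names are this example's own normalisation rather than the Windows XML schema.

```python
from collections import defaultdict

# Added example, not JPCERT/CC's code: correlating the trace PsExec leaves on the
# target host, a network logon (Security 4624, logon type 3), the PSEXESVC
# service install (System 7045) and the process it spawns (Sysmon event 1),
# none of which is malware on its own. Events are constructed; the flat field
# names are this example's own normalisation of the Windows XML records.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS-12", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\svc-admin", "src_ip": "10.0.0.5"},
    {"ts": 103, "host": "WS-12", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": 104, "host": "WS-12", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\PSEXESVC.exe", "user": "CORP\\svc-admin"},
    {"ts": 200, "host": "WS-07", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\alice"},
]

WINDOW = 60  # max seconds between the network logon and the service install


def detect_psexec(events):
    """Return host -> evidence for every host showing PsExec's footprint."""
    last_net_logon = {}           # host -> most recent 4624 / type-3 logon
    findings = defaultdict(dict)
    for e in sorted(events, key=lambda r: r["ts"]):
        host = e["host"]
        if e["channel"] == "Security" and e["event_id"] == 4624 \
                and e.get("logon_type") == 3:
            last_net_logon[host] = e
        elif e["channel"] == "System" and e["event_id"] == 7045 \
                and "psexesvc" in e.get("image_path", "").lower():
            f = findings[host]
            f["service"] = e["service_name"]
            logon = last_net_logon.get(host)
            # Tie the service install back to the remote logon that caused it.
            if logon and e["ts"] - logon["ts"] <= WINDOW:
                f["src_ip"], f["user"] = logon["src_ip"], logon["user"]
        elif e["channel"] == "Sysmon" and e["event_id"] == 1 \
                and e.get("parent_image", "").lower().endswith("\\psexesvc.exe"):
            findings[host].setdefault("children", []).append(e["image"])
    return dict(findings)


if __name__ == "__main__":
    for host, evidence in detect_psexec(SAMPLE_EVENTS).items():
        print(host, evidence)
```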
Malware, penny stocks, pharma spam – Necurs delivers
Jason Schultz • @jaesonschultz • Talos, Cisco
The speaker presents the history of the Necurs botnet. First identified in December 2012, it is responsible for distributing 90% of the spam emails observed by Cisco. Among the interesting characteristics of this botnet are the following:
- Very few IP addresses are reused, making this type of marker useless for tracking or blocking spam.
- Distribution appears to target addresses derived from data leaks and common "aliases" (e.g., admin, webmaster, info, sales).
- Locky is primarily distributed through this botnet.
Thinking outside the (sand)box
Łukasz Siewierski • @maldr0id • Google
The speaker presents the new security measures implemented in the latest versions of Android, including application sandboxing, which allows finer granularity in the permissions system.
Faced with this situation, malware authors rely on three main methods:
- Social engineering: displaying messages that lead the user to believe that the requested permissions are legitimate.
- Exploiting an existing component: Xposed is a framework that allows "hooking" system calls, commonly used by modders to alter the behavior of their devices. If the component is active, malware simply attaches itself to permission requests to grant them automatically. Note that Xposed is a fairly "low-level" component that must be installed manually and therefore does not affect the majority of potential malware targets.
- Rooting the terminal: exploiting a vulnerability on the device is ultimately the most direct method to bypass the protections in place.
Advanced threat hunting
Robert Simmons • @MalwareUtkonos • Threat Connect
The speaker begins by reminding us that there are several types of Threat Intelligence, each with its own methods and applications:
- Tactical
- Technical
- Operational
- Strategic
The presentation focuses on the tactical side. Since most teams have limited staff, they must work with limited resources against a constant flow of data and information. It is therefore imperative to streamline tasks as much as possible. A few examples are given:
- Automate as many low-value tasks as possible (first-level malware analysis).
- Facilitate the sharing and traceability of indicators (centralize and version all detection rules).
- Prioritize the processing of alerts to focus on the most relevant events (high importance, high indicator reliability).
- Define performance indicators to assess the system's effectiveness and identify areas for improvement.
