Botconf 2017 – Day Two

KnightCrawler

Félix Aimé • @felixaime • GReAT, Kaspersky

The speaker presents his "KnightCrawler" tool, developed to detect "watering hole" attacks. It detects malicious content (such as exploit kits) injected into legitimate websites. Three use cases are considered:

  • Direct injection of contents
  • Manipulating a booby-trapped script
  • Display of malicious advertisements

Analyzing these attacks is complicated by the fact that, being rather targeted, several conditions must generally be met to trigger an attack: IP geolocation, browser fingerprinting, etc. The speaker therefore set up a distributed infrastructure to automate searches for suspicious content, before concluding with a few examples of attacks identified by his tool.

Presentation slides

The (makes me) WannaCry Investigation

Alan Neville • @abnev • Symantec

The speaker begins by putting the WannaCry infection figures into perspective in relation to recent major "epidemics":

  • 2003: Blaster reaches 16 million machines
  • 2008: Conficker affects 15 million systems
  • 2017: WannaCry only caused 300,000 victims

He continues with a technical description of the malware, before presenting Symantec's internal findings. Their first detections date back to February 2017, when the malware was being distributed without ETERNALBLUE. A campaign was then identified in March/April, in which it was deployed through backdoors already in place. As for the May attack, the speed of propagation made it impossible to identify the initial infection vector.

Malware Uncertainty Principle

Maria Jose Erquiaga • @MaryJo_E • Cuyo University

The speaker described a malware analysis project targeting systems using HTTPS for communication. Initially, they set up a relatively simple analysis lab using the mitmproxy tool. Subsequently, sample selection was performed by scanning TLS blacklists to identify and obtain the malware responsible for these communications.

The presentation then moves on to several encountered cases, focusing in particular on instances where malware uses a binary protocol below the TLS layer. In such cases, simple traffic analysis is no longer sufficient; in-depth malware analysis is necessary.

Knock Knock… Who’s there? admin admin, Get In!

Anna Shirokova • @AnnaBandicoot • Cisco

The speaker presents brute-force attacks in the CMS landscape. Although relatively unsophisticated, the sheer number of accessible, unprotected sites makes these attacks profitable, judging by their current prevalence.

During the first part of her presentation, she traced the history of the best-known "brute-forcer" malware families, such as FortDisco, Mayhem, and Aethra. Two methods are frequently used:

  • Vertical brute-force: tries many credentials against a single site at once;
  • Horizontal brute-force: tries the same credential pair against many different sites. This method limits the number of attempts seen by any individual site and therefore has a better chance of staying below brute-force protections such as per-site lockouts.
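The two patterns above are easiest to see side by side in a detection rule. The following Python is an added example, not code from the talk: it runs a classic per-site lockout rule and a cross-site correlation by source IP over a constructed set of login-audit lines, showing that the horizontal attacker stays under the per-site threshold and is only caught when failures are aggregated across sites. The log format and the threshold values are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of login-audit lines (site, UTC time, source IP, user,
# result); made up for this example, not data from the talk.
SAMPLE_LOG = """\
blog-a.example 2017-12-07T10:00:01 203.0.113.7 admin FAIL
blog-a.example 2017-12-07T10:00:03 203.0.113.7 admin FAIL
shop-b.example 2017-12-07T10:00:05 203.0.113.7 admin FAIL
news-c.example 2017-12-07T10:00:09 203.0.113.7 admin FAIL
blog-a.example 2017-12-07T10:01:00 198.51.100.9 admin FAIL
blog-a.example 2017-12-07T10:01:02 198.51.100.9 editor FAIL
blog-a.example 2017-12-07T10:01:04 198.51.100.9 root FAIL
blog-a.example 2017-12-07T10:01:06 198.51.100.9 test FAIL
blog-a.example 2017-12-07T10:01:08 198.51.100.9 user FAIL
blog-a.example 2017-12-07T10:02:00 192.0.2.44 alice FAIL
blog-a.example 2017-12-07T10:02:05 192.0.2.44 alice OK
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        site, ts, ip, user, result = line.split()
        events.append((site, ts, ip, user, result))
    return events

def detect(events, per_site_max=5, min_sites=3, min_users=5):
    """Per-site lockout rule versus cross-site correlation by source IP.
    per_site_blocked: (ip, site) pairs a classic lockout would catch;
    horizontal: IPs failing on >= min_sites sites, each below per_site_max;
    vertical: (ip, site) pairs trying >= min_users distinct usernames."""
    by_ip = defaultdict(list)
    for site, _, ip, user, result in events:
        if result == "FAIL":  # successful logins are not counted as attempts
            by_ip[ip].append((site, user))
    out = {"per_site_blocked": set(), "horizontal": {}, "vertical": {}}
    for ip, rows in by_ip.items():
        sites, users = defaultdict(int), defaultdict(set)
        for site, user in rows:
            sites[site] += 1           # failures per site from this IP
            users[site].add(user)      # distinct usernames tried per site
        for site, n in sites.items():
            if n >= per_site_max:
                out["per_site_blocked"].add((ip, site))
            if len(users[site]) >= min_users:
                out["vertical"][(ip, site)] = len(users[site])
        # Spread thin across many sites: invisible to every per-site counter
        if len(sites) >= min_sites and max(sites.values()) < per_site_max:
            out["horizontal"][ip] = len(sites)
    return out
```

In practice the per-IP aggregation would be bounded by a time window and fed from several sites' logs; the point is that the horizontal source is only visible once that cross-site view exists.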

She then focused on the Sathurbot botnet, first detected in 2013. It is built on a modular principle, with "backdoor," "downloader," and "web crawler" functionalities. The latter uses advanced operators from several search engines to find exposed WordPress and Joomla! CMSs.

Automation Attacks at Scale

Will Glazier • @WGlazier21 • Stealth Security Inc

Following on from the previous talk, the speaker presented the market for automated attack tools such as brute-forcers and Trojans. These tools ship with pre-built configurations containing ready-made target lists. Analysis of these configurations showed that 10% of the targets are among the 1,000 most visited websites in the world (Alexa ranking). Tests conducted by the presenter showed that a simple script scanning Pastebin for specific patterns turned up 20,000 credentials per day, highlighting the effectiveness of methods that are far from sophisticated.

The speaker then went on to describe additional ways to combat this family of threats:

  • Analysis of HTTP requests to find patterns specific to attack tools;
  • Machine learning applied to HTTP sessions to identify the behaviors of simulated browsers (e.g., Selenium or PhantomJS);
  • Threat intelligence to cut off the attacker's sources (e.g., identify a data leak and reset account passwords before they are exploited);
  • Analysis of behaviors beyond individual requests.

Malpedia: A Collaborative Effort to Inventorize the Malware Landscape

Daniel Plohmann • @push_pnx • Fraunhofer FKIE

The speaker presents a malware encyclopedia project. The idea is to classify each piece of malware uniquely, referencing the platform it affects, the type of malware, and any associated Yara rules.

In order to maintain a healthy corpus, the first step is to rely on information obtained through static analysis, which yields easily reproducible results.

Beyond that, database enrichment follows a few fundamental principles:

  • Ensure that the content is representative;
  • Be multi-platform oriented, even though Windows is by far the best represented;
  • Use unpacked samples;
  • Apply precise labels to the samples;
  • Document the information;
  • Control the distribution of and access to the database.

The project is currently online: https://malpedia.caad.fkie.fraunhofer.de

Access to generic information is free, while access to the extended section requires validation by the authors.

Presentation slides

YANT – Yet Another Nymaim Talk

Sebastian Eschweiler • Crowdstrike

The speaker presents his experience analyzing the Nymaim malware. Unlike the unsophisticated techniques discussed in other talks, this malware has several anti-analysis features: obfuscation, encryption of its own code, anti-sandbox techniques, and the execution of x64 code from x86 instructions.

The presenter details several of the techniques used by the malware and how to decode them.

Augmented Intelligence to Scale Humans Fighting Botnets

Yuriy Yuzifovich • Nominum, Akamai

The speaker focuses on DNS traffic and works with various providers, giving him access to over 100 billion DNS queries per day. The analytics team uses this data to combat botnets by monitoring the use of short-lived, algorithmically generated domain names (DGAs) employed by malware.

They developed a tool that primarily relies on known DGA algorithms to predict the domains a bot will use to reach its C&C. The tool also monitors the emergence of new domain names and applies machine learning to discern patterns that may originate from unknown DGAs, classifying domain names according to known families or correlations found between the observed values.

Stantinko: a Massive Adware Campaign Operating Covertly since 2012

Matthieu Faou • ESET
Frédéric Vachon • ESET

The speakers presented the results of their study of the Stantinko botnet. The investigation began with a single report from a specific client concerning strange behavior in their IT system.

The analysis first identified the main component: adware that injects advertisements into victims' browsers. However, the malware doesn't stop there; it also installs a modular backdoor system, integrating features such as installing malicious browser extensions, SEO fraud, and brute-force attacks.

The malware also features anti-detection and anti-analysis mechanisms, including the encryption of code and communications with a unique key per infection.