Minutes of the Botconf 2019 conference in Bordeaux

The seventh edition of the Botconf conference took place from 3 to 6 December 2019 in Bordeaux (France). This international event, devoted as its name suggests to the fight against botnets, has been organized since 2013 by the INTERNATIONAL BOTNETS FIGHTING ALLIANCE (IBFA), a non-profit organization largely supported by the French National Gendarmerie. Each year, it takes place in a different city, always in France up to now. However, it is worth being mentioned that all presentations are given in English.

It was the second time that members of the Cert-IST technical team took part to this event which, as time goes on, has become almost inevitable, if only because of the geographical proximity.

Here is to start with some general information about this 2019 edition:

• 73 submissions were received during the Call for Papers. One can hardly imagine how difficult it was for the organizing committee to make a choice.
• 3 simultaneous workshops (hence the need for participants to choose one of them) were scheduled on the first day: 2 were dedicated to Android malware analysis, while a last one demonstrated the creation of suricata rules for botnet detection and classification. Unfortunately, we were not able to attend these workshops.
• The 3 remaining days featured no less than 29 presentations, including a keynote, with a total of 50 speakers, for a little over 28 hours of talks in total.
• A slot of 1h30 was reserved for 19 lightening talks of 3 minutes each. Here, the speaker presents a technical idea, the foundations of a new open source project, which often allows him/her to launch a call for contributions. Here are some examples of the projects presented: Bitscout (a set of scripts to quickly create custom remote forensics bootable disks), MWDB (the CERT-PL’s malware database), Attacker IP Prioritization Blacklist (a smart IP blacklist creation algorithm), Android Malware Sandbox, etc.
• More than 300 attendees met at the event: essentially security experts from all over the world, working in various sectors such as energy, heavy industry, healthcare, governments, security vendors, etc.

First observation: the schedule was solid and the presentations were, with a few exceptions, very technical. In this sense, the layout of Botconf is rather close to that of the SSTIC conference, which takes place in Rennes every year. But while SSTIC is a general security conference featuring a vast variety of topics, Botconf is definitely focused on malware analysis and botnets fighting. This very specific placement is interesting since it gives very concrete talks (e.g. there is no presentation of techniques that can only be reproduced in a lab) but, as far as we are concerned, this also produced like a repetitive sensation around the end of the three days. Botconf remains nevertheless the only conference in France dealing with the fight against malware, and a rare one in the world on this specific matter. It should also be noted that Botconf was very well organized, taking into account the national strike actions this year in France, for example by providing buses to help attendees to travel between the city center and the venue.

This year's presentations can be divided into three categories:

1. Rare feedbacks from companies having directly faced various Internet threats. We will mention in this respect a presentation by Wavestone regarding the management of several crises at its customers’: successes, failures, surprises, a crisis mobilizing hundreds of people to finally find out a false positive, or finally some threat hunting that turns into an incident investigation following the discovery of a Conficker infection. This has been a fascinating conference, which feels like a real life experience, and which touches on our general CERT business. We ask for more!
2. Presentations of malware, botnets or threat groups. They make up the majority of the talks. They are particularly in line with the work we do as part of our “attack and IOC watch” service. Some of them describe the internal workings of an active botnet (communications, obfuscation, encryption), while others explain how a given network has been dismantled thanks to the international collaboration of public and private actors. The following talks can be cited in this regard:
   • A keynote dealing with the dismantling of the Retadup botnet during the summer of 2019 (CERT-IST/ATK-2017-116), a brilliant collaboration between the French national Gendarmerie, the FBI and Avast,
   • The analysis of Golden Chickens (a threat actor selling Malware as a Service, but rather dedicated to targeted attacks - CERT-IST/ATK-2018.146),
   • The analysis of Shaoye (aka Roaming Mantis), a botnet of Android smartphones active since 2017 in East and Southeast Asia,
   • The dismantling of the 3ve online advertising fraud network in 2018,
   • The internal development by La Poste of a tracker for Gootkit banking malware (CERT-IST/ATK-2016-055),
   • The analysis of the Backswap malware, its evolution and operation by a group targeting financial institutions and crypto-currency exchange (CERT-IST/ATK-2018.076),
   • The analysis of the way Emotet family of malware (CERT-IST/ATK-2017-057) is distributed in particular through compromised Wordpress sites, the implementation of its polymorphism,
   • The analysis of the modus operandi of the Winnti threat meta-actor (CERT-IST/ATK-2017-014). Historically categorized as cyber-espionage operations, the group’s actions are now trying to get even more profitable, e.g. by mining crypto-currencies on some compromised computers.
3. Presentations of useful tools and techniques when dealing with fighting botnets: emulators versus sandboxes, honeypots, long term execution (several weeks) of malware samples in controlled environments, an automatic Yara rule generator, ... We were particularly impressed by the CAPE open source project (Malware Configuration And Payload Extraction), an extremely ambitious fork of Cuckoo sandbox with a host of new analysis features that can be activated from a web interface: API monitor, decoding and decryption plugins, debugger, dumper and even import reconstruction. This presentation was supported by demonstrations which, although very technical, made it possible to realize the potential of the solution. CAPE can be tested for free via this link.

Finally, the team's favorite talk this year was the presentation made by Benoît Ancel (alias benkow_ - CSIS) on a malicious actor (allegedly an individual) that he calls Bagsu. Initially an old-fashioned carder stealing credit card numbers on its own in Germany via malware and various exploit kits, this hacker now coordinates interactions between customers (who request for example: "I would like 3000 infections in Japan") and his subcontractors (networks such as Emotet or TrickBot). In the middle of a mafia-like environment as one might imagine (negotiations, intimidations, arrangements, exchanges, recruitment of developers when negotiations fail), Bagsu is said to have generated millions of euros in profits during its 15 years of existence and appears to be a discreet but efficient intermediate with organized cybercrime. This presentation, very concrete, dynamic and full of humor, was the most applauded. It has also illustrated the structuring evolution that has been observed in the cybercrime economy in recent years: customers, service providers and resellers.

All in all, Botconf 2019 provided us with high-quality presentations, even if we may regret the lack of new information. Some of the presentations were announced with a given confidentiality level (like TLP Amber or Red), but they did not seem to provide much more information than what we already have in our attack database / MISP instance. Certain other talks related to quite dated events (for example the dismantling of the 3ve ad fraud network in 2018) and had sometimes already been given several times in 2019 at other conferences. But this feeling may simply be due to our quite good knowledge of malware and threat actor news, which we are closely monitoring as part of the Cert-IST’s “attack and IOC Watch” service.

Finally, Botconf remains a high-level conference, which we are very lucky to have in France. We recommend it to anyone not afraid of this technical approach (think of talking about yara syntax and memory dumps at breakfast). Such an event is also a very good opportunity to meet your counterparts and to exchange offline with them regarding feedback in cybersecurity.

The 2020 edition of Botconf will take place in Nantes.