A lot to talk about after just one day at the Botconf conference in Nancy, France: great talks and amazing people. Here is a short summary of some of them.
The conference started with a very interesting presentation from the UK's National Crime Agency (NCA) on botnet takedowns, which walked through the takedown of the Zeus Gameover botnet from a government agency's point of view. The speakers pointed out that taking down a botnet as large as Zeus Gameover takes a great deal of time, resources, and cooperation between government and the private sector, not least because the infrastructure and the people behind it sit in different jurisdictions in different countries. They explained the whole process, from the beginning of the hunt to the final operation that brought Zeus Gameover to its knees.
This excellent talk was complemented by the last talk of the day, by Karine e Silva, "How to Dismantle a Botnet: the Legal Behind the Scenes", which focused on the legal side of the whole process and on the kind of trouble that arises when trying to coordinate efforts globally while respecting the current legislation of each country involved.
Another interesting talk, by Daniel Plohmann and Laura Guevara, introduced us to a very useful IDA plugin called IDAScope. Designed to make life easier for malware reversers, the plugin adds a panel that groups and documents the Windows API functions found in a binary, letting the reverse engineer browse and jump to the different calls easily. That makes it much quicker to spot the critical functions: calls that connect to the Internet, create new processes or files, or use crypto-related API functions.
Nick Sullivan, from Cloudflare, shed some light on DDoS attacks, explaining the different types of attacks Cloudflare had suffered in recent years, how the botnets performed them, and what intelligence could be gathered from them. Cloudflare has successfully blocked huge DDoS attacks, up to 500 Gbps. In addition, they helped reduce the number of NTP servers vulnerable to NTP reflection, the technique behind most of these very large attacks on the Internet. Sullivan also pointed out the importance of a quick response in patching freshly disclosed vulnerabilities such as Shellshock and Heartbleed, since Cloudflare saw attacks exploiting them within the first hour after disclosure.
Finally, Peter Kleissner presented Virus Tracker, an automated sinkhole infrastructure with automated domain registration, and all the problems he faced in this project. For example, reversing the DGAs of the different samples requires a large amount of time, and there are further issues in acquiring the domains that the botnets will use in the future to contact their botmaster, before the botmaster does. Peter also put a lot of emphasis on the importance of cooperation between companies.
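The pre-registration problem Peter described is easier to see with a small worked example. The code below is an added illustration written for this summary, not Virus Tracker's code or any real family's DGA: the algorithm, key, TLD rotation, dates and DNS log lines are all constructed. It models the two steps a sinkhole operator performs once a DGA has been reversed: computing the domains the bots will try on upcoming days so they can be registered ahead of the botmaster, and then matching the sinkhole's own query log against that set to find infected clients.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed stand-in for a reversed DGA (hypothetical, not a real family):
# each day the bot derives DOMAINS_PER_DAY candidate C2 domains from a
# hard-coded key and the current date. In practice key, TLD list and count
# come out of the reversed sample.
DGA_KEY = b"example-key"          # assumption: recovered from the sample
DGA_TLDS = ("com", "net", "org")  # assumption: TLD rotation used by the sample
DOMAINS_PER_DAY = 4


def dga_domains(day: date) -> list[str]:
    """Return the candidate C2 domains a bot running this DGA would try on `day`."""
    domains = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(DGA_KEY + day.isoformat().encode() + bytes([i])).hexdigest()
        label = digest[:12]  # 12 hex characters, a plausible-looking DGA label
        domains.append(f"{label}.{DGA_TLDS[i % len(DGA_TLDS)]}")
    return domains


def future_domains(start: date, days: int) -> dict[date, list[str]]:
    """Pre-compute the domains for `days` consecutive days starting at `start`.

    This is the list a sinkhole operator wants before the bots do, so the
    domains can be registered and pointed at the sinkhole in time.
    """
    return {start + timedelta(d): dga_domains(start + timedelta(d)) for d in range(days)}


def registration_backlog(plan: dict[date, list[str]], held: set[str]) -> list[tuple[date, str]]:
    """Domains in the plan that the sinkhole does not hold yet, soonest day first."""
    return [(day, dom) for day in sorted(plan) for dom in plan[day] if dom not in held]


# Constructed query-log format: "<timestamp> <client-ip> query <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qname>\S+)$")


def match_sinkhole_queries(log_lines: list[str], plan: dict[date, list[str]]) -> dict[str, set[str]]:
    """Map each client IP that resolved a known DGA domain to the domains it asked for."""
    known = {dom for doms in plan.values() for dom in doms}
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        qname = m["qname"].rstrip(".").lower()  # strip trailing dot from FQDN form
        if qname in known:
            hits.setdefault(m["client"], set()).add(qname)
    return hits


if __name__ == "__main__":
    start = date(2014, 12, 3)  # constructed start date
    plan = future_domains(start, 7)
    held = set(plan[start][:2])  # pretend two of today's domains are already registered
    print("To register next:")
    for day, dom in registration_backlog(plan, held)[:5]:
        print(f"  {day} {dom}")

    tomorrow = start + timedelta(1)
    sample_log = [  # constructed sinkhole DNS log
        f"2014-12-04T10:00:01Z 198.51.100.7 query {plan[tomorrow][0]}.",
        "2014-12-04T10:00:02Z 203.0.113.9 query www.example.com.",
        f"2014-12-04T10:00:03Z 198.51.100.7 query {plan[tomorrow][1]}.",
    ]
    print("Clients hitting DGA domains:", match_sinkhole_queries(sample_log, plan))
```

The backlog is what makes the cost visible: every reversed family adds DOMAINS_PER_DAY registrations per day, in several TLDs with different registrars and rules, and each one must be in place before the date the bots start asking for it.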
To conclude this short summary: what we saw across all of today's talks is a strong need for cooperation and alliances between security companies, governments and the community in order to fight cybercrime.
You can see the full agenda of the conference here.
Ferran Pichel, Ramon Vicens, Victor Acin, Cyber Threat Analysts