By Yohai Einav, Amir Asiaee, Ali Fakiri-Tabrizi and Alexey Sarychev
Originally Posted on January 4, 2018
Earlier this month we took our show on the road, presenting some of our team's work at the Botconf conference in beautiful Montpellier, France. We could talk here for hours about the food, wine, culture, etc., but our readers would probably rather hear about the current developments in the war against bots first. So we'll start with that and perhaps get to the food discussion in the appendix.
Botconf is a stage for malware researchers and data folks to present their work and discuss it with their fellow researchers. This 'work' can be a detailed, to-the-bone analysis of a specific malware or a high-level description of a general approach for detection or analysis. Here are some talks that we found interesting -
Hunting Down Gooligan told the story of how Google and Check Point researchers worked together to take down one of the largest Android botnets of all time. If you're interested in learning about Gooligan or Ghostpush (a related Android malware family, which we at Nominum/Akamai have been blocking for years) - this is a good place to start.
In Get Rich or Die Trying we learned about an end-to-end investigation of the 'Oil Bot' by Check Point, starting with a suspected APT against the oil sector, which turned out to be just a less 'Advanced' attack by an amateur Nigerian scammer. If you want to learn about a malware analysis process and have some laughs, then this is a good one.
Knock Knock... Who's there? admin, Get In! An Overview of the CMS Brute-Forcing Malware Landscape (yes, this is the name!) was a very well delivered presentation about brute-force attacks - starting with the history of brute forcing (with a focus on why WordPress sites in particular are so exposed), then discussing the different brute-forcing botnets and the techniques they use (with a full analysis of the Sathurbot botnet). It is incredible to see that, in 2017, brute-force attacks against login forms are still successful.
Our team members delivered two sessions at the conference (also authored by Yuriy and Hongliang), and we won't be grading ourselves (since we are humble and splendid). The one thing we will say is that both of our presentations focused on the future of threat intelligence, which in our view is AI, and on the process that brings us to that future. This was quite a unique discussion topic at the conference, and the interest in it was echoed in our one-on-one discussions with other attendees.
In Augmented Intelligence to Scale Humans Fighting Botnets Amir introduced the audience to the different machine-based technologies developed by Nominum to augment the human ability to detect malicious domains and URLs (with a focus on our clustering technology). If you've been following our blog you might already know about it, but in case you haven't - this talk is a good place to learn about our AI-based threat intelligence efforts.
Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples (yes again, this is a single name!), delivered by Yohai and Alexey, told the story of how we cracked the Locky ransomware DGA and its seed, which then allowed us to predict its C&C domains and pre-block them for our customers. Beyond telling the particular story of Locky, this talk demonstrated the value of DNS data in the world of cybersecurity, as well as the value of (technically) thinking outside the box and using a GPU, rather than a CPU, to brute-force a DGA seed.
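To make the workflow behind that talk concrete, here is an added example (ours, written for this page; it is not the code presented at Botconf and not Nominum/Akamai's production code). The generator is a hypothetical hash-based DGA, not Locky's real algorithm, and the seed is shrunk to 16 bits so an exhaustive search finishes in seconds on a CPU. The resolver log lines are constructed. What it shows is the method: collect NXDOMAIN names from DNS data, test every candidate seed until one reproduces the observed names, then generate tomorrow's domains and pre-block them, all without a malware sample.

```python
"""Cracking a DGA seed from DNS observations, then pre-computing a blocklist.

Added example, not code from the Botconf talk or from Nominum/Akamai. The
generator below is a hypothetical hash-based DGA (NOT Locky's real algorithm)
and the seed space is shrunk to 16 bits so the exhaustive search runs in
seconds on a CPU; the real search is what the talk moved to a GPU.
"""
import hashlib
import re
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("ru", "info", "biz")   # assumption: the toy DGA rotates over these
DOMAINS_PER_DAY = 8
SEED_BITS = 16                 # toy seed space: 2**16 candidates


def toy_dga(seed, day, count=DOMAINS_PER_DAY):
    """Hypothetical DGA: (seed, date, index) -> domain, derived from SHA-256.
    The property that matters is the same as in a real DGA: given the seed
    and the date, every domain is reproducible by anyone."""
    domains = []
    for i in range(count):
        material = seed.to_bytes(4, "big") + day.toordinal().to_bytes(4, "big") + bytes([i])
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8                       # 8..15 letters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(label + "." + TLDS[digest[-1] % len(TLDS)])
    return domains


# --- constructed input: simulated resolver log, not a real capture -----------
TRUE_SEED = 0x2A7B             # the "unknown" seed the search has to recover
OBSERVED_DAY = date(2017, 12, 6)


def build_simulated_log(seed, day):
    """Constructed log: 5 of the day's 8 DGA names as NXDOMAIN, plus benign
    traffic and an unrelated typo, so the filtering step has something to do."""
    generated = toy_dga(seed, day)
    lines = [
        f"{day} 08:14:02 client 10.0.0.5 query www.example.com A NOERROR",
        f"{day} 08:14:07 client 10.0.0.5 query gogle.cmo A NXDOMAIN",
    ]
    for qname in generated[:5]:
        lines.append(f"{day} 08:15:11 client 10.0.0.9 query {qname} A NXDOMAIN")
    return "\n".join(lines)


QUERY_RE = re.compile(r"query (\S+) \S+ (NOERROR|NXDOMAIN)")


def extract_nxdomain_qnames(log_text):
    """Keep names that resolved to NXDOMAIN: unregistered C&C candidates look
    like this before the botmaster registers them. (Heuristic; a registered
    C&C domain would answer NOERROR and needs other signals.)"""
    names = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(2) == "NXDOMAIN":
            names.add(m.group(1).lower())
    return names


def crack_seed(observed, day, seed_bits=SEED_BITS, min_matches=3):
    """Exhaustively test every seed; the one whose output for `day` overlaps
    the observed names is the seed. Every candidate is independent of the
    others, which is why this loop parallelises so well on a GPU."""
    best_seed, best_hits = None, 0
    for seed in range(1 << seed_bits):
        hits = len(set(toy_dga(seed, day)) & observed)
        if hits > best_hits:
            best_seed, best_hits = seed, hits
    if best_hits < min_matches:    # reject a lone accidental collision
        return None, 0
    return best_seed, best_hits


def predict_blocklist(seed, start_day, days):
    """Once the seed is known, future C&C names are just arithmetic."""
    out = []
    for offset in range(days):
        out.extend(toy_dga(seed, start_day + timedelta(days=offset)))
    return out


if __name__ == "__main__":
    log = build_simulated_log(TRUE_SEED, OBSERVED_DAY)
    observed = extract_nxdomain_qnames(log)
    seed, hits = crack_seed(observed, OBSERVED_DAY)
    print(f"recovered seed=0x{seed:04x} ({hits} of {len(observed)} NXDOMAIN names matched)")
    for d in predict_blocklist(seed, OBSERVED_DAY + timedelta(days=1), 2):
        print("pre-block:", d)
```

Two practical points the toy keeps visible: the search only needs a handful of observed names per day (here 5 of 8), and the `min_matches` threshold is what stops a single hash collision from producing a wrong seed and a wrong blocklist. With a real 32-bit or larger seed the loop body is identical; only the candidate count changes, which is the argument for running it on a GPU.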
If you've read so far then you must be interested in hearing about our culinary adventures. Overall, they included a lot of good wine, great cheese, and some unfortunate ducks. For more specific details, recommendations, recipes, reservations etc. - please contact us privately; we are eager to talk.
Last but not least - we shouldn't forget to thank the organizers (and especially Éric Freyssinet) of this conference; Botconf was a really great, eye-opening, well-organized event.