# BotConf 2014 Summary

I attended, along with a couple of colleagues, this massively successful and informative conference, which covered a number of topics including:

  • Botnets
  • DNS analysis
  • Static analysis of Malware
  • Threat landscape
  • Legal implications
  • Vendor perspectives
  • Government & CERT challenges

Hosted by Eric Freyssinet, the event ran over 3 days in Nancy, and a number of well-respected members of the community gave talks on the current and past challenges faced. I've summarised some of the 'stand out' talks for me. These are a personal preference! A full list is available.

Day 1. NCA, UK

The first day included content on the challenges faced by UK law enforcement in relation to botnets, including 'ZeuS', the biggest botnet and one to gain both multinational and community attention. The National Crime Agency gave some interesting insight (and techniques!) into how they investigated and 'took down' the variant.

The NCA demonstrated some excellent coordination with other parties in what was considered a landmark achievement, crossing 'domains' of not only political, metaphysical and personal constraints. A genius moment was described: deciphering the algorithm used in the DGA (domain generation algorithm), which allowed the NCA to eventually defeat the purchase of further domains.

This resulted in a national awareness programme and a new website driving home the size of the challenge faced, not only to commercial users but, for the first time in the UK, to home users: a campaign which ran across TV, radio and online.

Day 2. Mark Arena, Intel 471

A really excellent and insightful look into the dark world of deception, and a stunning use of a 'nose' for a scent combined with OSINT, by Mark, who was tasked with resolving the theft of a Bitcoin wallet transaction. A lot of what was discussed was, and still is, understandably redacted. His use of OSINT and his ability to use the tools at his disposal demonstrated the lack of anonymity that the cryptocurrency provides.

Mark continued with a demonstration of 'doxing' the accused, and although attribution was never committed to 100%, the evidence discussed was impressive.


Day 3. Dhia Lite, OpenDNS

Dhia, an OpenDNS employee, demonstrated in depth the capabilities provided by using OpenDNS. DNS, as discussed, is a critical part of botnet infrastructure and provides insight into behaviour which is sometimes missed, for political reasons, in commercial areas.

The concept of 'Fast Flux' domains is not a new one; it has been used in many large-scale crime botnets to quickly distribute domains to botnets. We first saw the ability of Fast Flux in ZeuS.

Dhia demonstrated the technical details of what the OpenDNS project does and was able to extract some massive data regarding ZeuS:

  • ASNs
  • TTLs
  • Geo distribution
  • IP information
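
As an added illustration (not code from the talk or from OpenDNS), the Python below runs a simple fast-flux heuristic over constructed passive-DNS style observations, using the same kinds of fields listed above (IPs, ASNs, geo and TTLs) to separate a stable domain from a fast-flux-looking one. The domain names, addresses, ASNs and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample observations: (domain, ip, asn, country, ttl_seconds).
# Addresses come from documentation ranges; ASNs are private-use numbers.
OBSERVATIONS = [
    ("static.example.test", "203.0.113.10",   64500, "GB", 3600),
    ("static.example.test", "203.0.113.11",   64500, "GB", 3600),
    ("static.example.test", "203.0.113.10",   64500, "GB", 3600),
    ("flux.example.test",   "198.51.100.5",   64501, "US",  120),
    ("flux.example.test",   "198.51.100.77",  64502, "DE",  120),
    ("flux.example.test",   "192.0.2.33",     64503, "BR",   90),
    ("flux.example.test",   "192.0.2.91",     64504, "IN",  120),
    ("flux.example.test",   "198.51.100.200", 64505, "RU",   60),
    ("flux.example.test",   "192.0.2.150",    64501, "US",  120),
]

# Thresholds are assumptions chosen for illustration, not values from the talk.
MAX_FLUX_TTL = 300    # seconds; fast-flux A records are rotated quickly
MIN_FLUX_IPS = 5      # distinct A records seen over the observation window
MIN_FLUX_ASNS = 3     # distinct origin networks (compromised hosts, not one hoster)


def summarise(observations):
    """Group observations by domain and derive the per-domain features."""
    rows = defaultdict(list)
    for domain, ip, asn, country, ttl in observations:
        rows[domain].append((ip, asn, country, ttl))
    return {
        dom: {
            "distinct_ips": len({r[0] for r in obs}),
            "distinct_asns": len({r[1] for r in obs}),
            "distinct_countries": len({r[2] for r in obs}),
            "min_ttl": min(r[3] for r in obs),
        }
        for dom, obs in rows.items()
    }


def is_fast_flux(features):
    """Flag a domain whose A records rotate fast across many unrelated networks."""
    return (features["min_ttl"] <= MAX_FLUX_TTL
            and features["distinct_ips"] >= MIN_FLUX_IPS
            and features["distinct_asns"] >= MIN_FLUX_ASNS)


def classify(observations):
    # Map each domain to True (fast-flux-looking) or False (stable).
    return {dom: is_fast_flux(f) for dom, f in summarise(observations).items()}


if __name__ == "__main__":
    for dom, f in summarise(OBSERVATIONS).items():
        print(dom, f, "FAST-FLUX" if is_fast_flux(f) else "stable")
```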

Some excellent work is being done in relation to botnet analysis by OpenDNS; it's time for Google DNS to do the same.

All the talks, papers and associated materials are being progressively uploaded here. Thanks to all the speakers, attendees and organisers.


Next year's conference has already been announced for December 2015.