ISOI XIX Agenda TENTATIVE 31 August -- 01 September 2017 Bochum, Germany Hosted by: G Data Software AG

Wednesday, 30 August 2017: Evening Meet-Up information on the ISOI XIX webpage:

Thursday, 31 August 2017:

NOTE: Breakfast will *not* be available at the meeting venue, so please take your breakfast at your hotel or elsewhere.

08:00 - 09:00 Registration

09:00 - 09:15 Welcome to ISOI XIX
- Fergie: Welcome
- Kai Figge, G Data Software AG, Managing Director & Cofounder: Welcome!

09:15 - 10:00: Inbar Raz (PerimeterX): "Do Tinder Bots Dream of Electric Toys?"

Session description: With an estimated 50 Million user base, Tinder is a the new scam battlefield. Fake, automated profiles are used for luring victims into giving away their credit card data, or into surfing to otherwise malicious websites. In this talk I'll describe the research, how I came to discover that Bots were not an isolated case, and how I uncovered the pattern behind generating the profiles. I'll also break down the infrastructure behind the operation, and show who's behind a campaign that spawned over multiple countries and continents. I'll give multiple examples, from Tinder as well as from other platforms, of how bots operate under the radar of the site owners and carry out their agenda.

10:00 - 10:45: Daniel Plohmann (Froenhofer): "Code Cartographer's Diary"

Session description: In this presentation, I would like to give an update on the journey of creating a manually curated, high-quality malware corpus: "Malpedia". This is a follow-up for the introductory talk I gave at ACSC in March (

I'll explain the method of gathering samples of distinct malware families and versions, as well as unpacking and distilling them into a unified, streamlined collection. Right now (2017-06-14), the corpus consists of 519 families and 1,480 samples, out of which are ~70% unpacked/dumped and 40% covered by YARA. In this regard, the data set has already proven pretty useful for better understanding aspects of "quality" in YARA rules since we can test for both FPs and FNs over time to keep the rules accurate and see which types of strings perform well.

10:45 - 11:15: Break

11:15 - 12:00: Peter Kruse (CSIS): Lets Light Up Cacat: A Crimimal Operation in progress

Session description: This IT-criminal outfit have stolen millions of euros using simple tricks and tools, but in a very fashioned and creative way.

This presentation will show how CaaS is used in the real world, and who the author of the service most likely is, as we have been able to track him down and combine his different identities across multiple different profiles e.g. social medias and online auction services.

During this presentation I shall light up every step in these attack: from compromising web sites, uploading phishing kits/sites, cash-out money, compromising ADSL routers, deleting traces, establishing new targets, etc.

I will also document how the use of Maltego transforms can make your own investigation fly and I will also make some of our internal Maltego transforms available to the audience.

This IT-criminal group primarily targeting Banks in Europe and also Apple and is operating from Romania and the UK.

12:00 - 13:00 Lunch

13:00 - 13:45 Anders Fogh (G Data): Offensive CPU

Session description: Most current malware relies on operating system interfaces to do their malice. With operating systems continually evolving to become more secure we must ask ourselves how malware authors will respond in the future. One possible response is that next generation malware will make use of how current CPUs are implemented to bypass operating system defenses. In this talk we will take a high-level look at modern Intel CPUs: how they work below the surface and how the CPU design itself hollows out the security model they are supposed to provide. The talk will give a basic overview of how malware can create a covert command and control channel without leaving traces in the operating system. We will also touch on circumventing exploit mitigations, CPU based keyloggers and breaking cryptographic keys through the abuse of how the modern CPUs are designed.

13:45 - 14:30 Paul Burbage (Flashpoint Intel): Necurs: Latest Happenings on the Largest Botnet in the World

Session description: The Necurs botnet is arguably one of the largest botnets in the world. We have been monitoring this botnet for close to two years now and it does not appear to be going away any time soon. This presentation will cover some technical background on this botnet including the infrastructure, historical malware campaigns from the spam module, and some attribution not previously, publicly disclosed.

14:30 - 15:00 Break

15:00 - 15:45: Kent Backman (RSA): FakeNews Ops An analysis of an ongoing nation-state Internet influence campaign

Session description: In February 2017, Chief Investigate Correspondent for Yahoo News, Michael Isikoff reported on a fake online news article purported to be from a real journalist. In "The authors are real. The articles are fake. Who is behind the sinister 'CGS' website?", Mr. Isikoff described how an article appearing on the website was attributed to the very real journalist Bruce Riedel. The fake article outlined how Saudi Arabia was behind the 9/11 terrorist attack. However, Mr. Riedel did not write this article, and Mr. Riedel's public and private views were the exact opposite of that championed in the fake news. But this was not the only fake news article identified on the CGS website. Isikoff "documented multiple other examples of phony advocacy and analysis pieces on CGS Monitor, appearing under the names of other well-known scholars who had never written them or even seen them."

We decided to look into the question on who is behind this website, and with some analytical support from PassiveTotal, discovered that the CGS Monitor website is one of seven websites in four different languages linked to the same entity by a common Google Analytics ID. While Isikoff and colleagues suggested that Russia, known for other fake news campaigns, might be behind CGS Monitor, in this talk, RSA researcher Kent Backman will present evidence that CGS Monitor and the six other websites are all almost certainly associated with an influence operation, most likely sponsored by a nation state. We look at examples of how this multipronged disinformation campaign has had substantive propagative effects on other often-trusted content sources, such as Wikipedia.

15:45 - 16:30: Armin Buescher (Symantec): The numbers behind APT

Session description: Reports of targeted attacks have been a growing trend over the last couple of years. With over 400 publicly released APT-related reports containing thousands of indicators of compromise (IOCs), this talk will visualize the quantities and qualities of APT attacks and outline trends in the targeted attack landscape through a data-driven analysis of the report artifacts.

Presenting actual attack data in a quantitative fashion allows us to give an overview of the APT landscape as publicly known at this time. The main tool used to extract report artifacts is called "IOC parser" and was open-sourced under MIT license and shared with the security community by the author in January 2015 ( We have used the parser to extract more than 37,000 unique attributes of reported APTs that we enriched with metadata using internal and external data sources. In addition to the extraction of IOCs we are using Natural Language Processing to analyze the sentiment, (marketing) terminology, and topics across the reports.

Our analysis of the report artifacts allows us to uncover relationships and commonalities between different cases. Where other APT-related presentations are detailing a specific attack campaign and/or actor, we try to give a comprehensive overview based on how the APT landscape is perceived through the security vendor's publications.

6:30 - 17:15: Matthias Seitz (SWITCH-CERT): DNS Firewall use cases and lessons learned

Session description: SWITCH-CERT is operating a DNS Firewall (DNS RPZ) for the NREN and also other customers for more than two years and is currently protecting more than 200'000 users from malware and phishing.

The main points this talk will cover are:
- A short introduction to DNS RPZ/DNS Firewall
- A closer look to some incidents in which a DNS Firewall is a great help
- An overview of the current RPZ provider / DNS Firewall market
- Lessons learned and best practices for RPZ implementation

ISOI Fun Night activities: Dinner and Coctails on G Data campus.

Friday, 01 September 2017:

NOTE: Breakfast will *not* be available at the meeting venue, so please take your breakfast at your hotel or elsewhere.

08:00 - 09:00 Registration

09:00 - 09:45: Emilio Casbas (Verizon): Brand monitoring as a security issue

Session description: The counterfeiting market makes-up a vast global business where the fraud estimations are harder to quantify than any other illegal activity. The existing datasets are largely incomplete and limited in terms of quality. The last report ("Trade in Counterfeit and Pirated Goods, 2016") published by the Organization for Economic Cooperation and Development (OECD) show that trade in counterfeit amounted to up to 2.5% of world trade in 2013. Counterfeiting is a global issue which has become more complex as black market activities moved to internet. The online counterfeiters create thousands of websites with different approaches as part of their strategy to lure unsuspected shoppers. This talk presents the most common tactics of the online counterfeiters and their relation with the "Black market commoditization". It will show its resilience against takedown efforts and it will provide some guidance about how to detect them. Finally, a new kind of threat intelligence feed -focused to the targeted industry- has been generated (currently integrated into VT) and it will be explained with different use cases which the security industry is missing to cover nowadays.

09:45 - 10:30: Rod Rasmussen (APWG): APWG Global Phishing Survey 2016 - Back to the Future

Session description: The APWG released a comprehensive review of phishing in 2016 that included worldwide phishing data that showed that phishing was going stronger than ever, using new and old techniques. This session will get past the headlines to dig into how phishers are setting up their sites, doing their targeting, and registering more domain names than ever. We'll also talk about ways we can better work together to share more intel in real time and get

10:30 - 11:00: Break

11:00 - 12:00: Gabor Szappanos (Sophos): The Story of Ancalog

Session description: Microsoft Office documents provide a great opportunity to deliver malware creations: most of the users consider these documents safe and open them without a sense of danger, especially if there are no macros in them. We experienced a resurgence of document exploit delivered malware in the past couple of years. Our research revealed that the Office exploit builders played an important role in this resurgence: they made exploitation available for the masses. What once was the realm of state sponsored groups now is a playground of cybercriminals. One of the commercially available exploit builders, the Ancalog Multi Exploit Builder, was particularly popular in the year 2016. The presentation will look into the history of the Ancalog builder, starting with the first appearance on the scene, then the development of the tool leading to the later rebranding to OffensiveWare Multi Exploit Builder.

12:00 - 13:00 Lunch

13:00 - 13:45: Inbar Raz (PerimeterX): Coffee is On The House

Session description: Loyalty cards are the way businesses increase their revenue. By offering benefits such as rewards and permanent discounts, they convert customers into recurring revenue.

One common form of Loyalty card is the prepaid card: Customer load their cards with money and use it at their convenience. And where there's money, there's an incentive for the cybercriminal.

A large coffee shop chain in Israel chose to use these cards. But a chain of vulnerabilities and poor security decisions allow an attacker to steal the funds from practically all cards. From Web Automation to Credit Card forgery - no obstacles were met.

In this talk I'll show how an attacker can buy anything they want at that chain, without having to pay even one cent of their own money.

13:45 - 14:30: Frederic Besler (VMRay): Countering innovative sandbox evasion techniques used by malware

Session description: This presentation gives an overview on state-of-the art sandbox evasion techniques used by malware. We divide these approaches into different categories, explore the various evasion techniques associated with each of these, and discuss how these techniques can be handled.

14:30 - 15:00: Break

15:00 - 15:45: Hillar Aarelaid (Estonian Central Criminal Police): The problem with /32 IoCs

Session description: An overview of problems/issues in reporting /32 IoCs due to residential broadband and NATs.

15:45 - 16:30: Panel Discussion:

The future of ISOI: What/Where/How do we want to move forward? A group discussion.