- Bell Aliant
- NHTCU & FBI
- Peter Allor
- Marcel van den Berg
- Rainer Böhme
- Bob Burls
- William Cheswick
- Carlos Cid
- Anton Chuvakin
- Dave De Coster
- Lord Errol
- Boris Goranov
- Martijn de Hamer
- Elly van den Heuvel
- Jaap-Henk Hoepman
- Bart Jacobs
- Sari Kajantie
- Mark Koek
- Jos Kuijpers
- Brett Lambo
- Eric Luiijf
- Scott McIntyre
- Milton Mueller
- Pär Österberg Medina
- Carol Overes
- Richard Perlotto
- David Rice
- Marcus Sachs
- Jacques Schuurman
- Alex Shipp
- Lance Spitzner
- Don Stikvoort
- Gigi Tagliapietra
- Jan Joris Vereijken
- Rémon Verkerk
- Randal Vickers
- David Watson
- Tillmann Werner
- Maurice Wessling
- Colin Whittaker
- Georg Wicherski
- Nicholas Witchell
- Dave Woutersen
Georg Wicherski is an undergraduate computer science student at the RWTH Aachen University, Germany and CTO of EmsiSoft GmbH, Austria. He has given talks at the Blackhat Asia, DeepSec and CCC conferences and has written articles for the French MISC magazine and the German c't magazine. His main interests are automated malware analysis, low-interaction honeypot development and botnet detection and tracking technology. His recent research focus was on performant botnet tracking on a global scale (as a contractor for the German Federal Bureau for Information Security) and zero pre-knowledge, behavior-based malware detection without execution (for EmsiSoft GmbH).
Efficiently Spying on Botnets with botsnoopd
Tuesday 16 September, 15:45-16:30, Penn Room
According to ShadowServer, there are more than 2.5k botnet C&C servers currently known and live, distributed all around the globe. There is, however, no solution for tracking all of these botnets efficiently and with the manageability that is expected today. Current solutions either have a large management overhead, are custom-tailored to the needs of particular organizations, or are GUI applications.
We developed modular botnet tracking software in C++ that runs as a POSIX daemon backed by a PostgreSQL database, using asynchronous I/O and asynchronous name resolution. This software is able to track thousands of botnets using different C&C protocols on commodity hardware - given appropriate bandwidth. A powerful web interface that can be used by not-so-technical people is also provided.
This talk gives a brief overview of how we detect botnets, how we monitor them and how the software is organized. Recently observed botnets are given as usage examples.
