Instructors: Brett Stone-Gross and Tillmann Werner
Dates: 15-18 June 2015
Capacity: 20 Seats
Learn how to apply reverse-engineering to botnet takeover attacks. This 4-day training will teach the fundamentals of botnet command-and-control protocol reversing, identifying and breaking cryptography, as well as reconstructing botnet topologies and identifying weaknesses in their infrastructure. Students will learn to use this knowledge to design botnet takeover attacks and practice their skills in various hands-on exercises.
Part 1: Introduction to Botnet Analysis
The first part of the training will start with a refresher on bots and botnet architectures. Students will then dive into the fundamental approaches of botnet analysis and practice them in hands-on exercises. We will use both static and dynamic analysis methods to extract the relevant pieces of information from malware samples.
Part 2: Reverse Engineering Network Protocols and Encryption
A good understanding of the network protocols bots use to communicate with their command-and-control servers is crucial for further analysis of botnet infrastructures and for the design of counter attacks. Students will reverse engineer the protocols of samples from well-known cybercrime malware families and targeted attack tools and reimplement the relevant functionality.
Many bots use cryptography to protect their communication from signature-based detection and make disruption efforts more difficult. Students will also learn methods to identify and reverse engineer encryption algorithms and produce decryption tools.
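Identifying a cipher in a stripped binary usually starts with the constants it cannot hide: S-boxes, initial hash states and lookup tables. The following scanner, added here as an illustration and not part of the course material, flags the leading bytes of several published tables in a blob (a dumped section or an unpacked image), matching word constants in both byte orders since a compiler emits them little-endian on x86. The sample blob it scans is constructed inline; RC4 and home-grown XOR schemes have no fixed constants, so the only static hint offered for them is the 256-byte identity permutation some RC4 implementations keep in .rdata.

```python
"""findcrypt-style constant scanner (added example, not course code).

The signature values are the published ones for each algorithm; the
blob below is constructed here to exercise the scanner offline.
"""
import struct

# Leading bytes of tables that are stored verbatim in the binary.
BYTE_SIGNATURES = {
    "AES forward S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    # Heuristic only: RC4 has no constants, but an S-box initialised from a
    # precomputed 0x00..0xff table shows up as the identity permutation.
    "identity permutation (possible RC4 S-box init)": bytes(range(256)),
}

# Leading words of initial states / tables; matched in both byte orders.
WORD_SIGNATURES = {
    "MD5 / SHA-1 initial state": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "SHA-256 initial state": (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A),
    "MD5 T-table": (0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE),
    "CRC-32 table (poly 0xEDB88320)": (0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA),
}


def build_signatures():
    """Expand word signatures into little- and big-endian byte patterns."""
    sigs = dict(BYTE_SIGNATURES)
    for name, words in WORD_SIGNATURES.items():
        sigs[name + " (LE)"] = b"".join(struct.pack("<I", w) for w in words)
        sigs[name + " (BE)"] = b"".join(struct.pack(">I", w) for w in words)
    return sigs


def scan(blob):
    """Return every (offset, signature name) hit in blob, sorted by offset."""
    hits = []
    for name, pattern in build_signatures().items():
        start = 0
        while True:
            idx = blob.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


# Constructed test blob: filler, the AES S-box head, junk, then the SHA-256
# IV as an x86 compiler would lay it out (little-endian dwords).
SAMPLE_BLOB = (
    b"\x90" * 37
    + BYTE_SIGNATURES["AES forward S-box"]
    + b"junk"
    + struct.pack("<4I", 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A)
    + b"\xcc" * 64
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE_BLOB):
        print(f"0x{offset:08x}  {name}")
```

A hit only tells you which primitive to look for; the next step is to find the routine that references the table (cross-references in IDA) and recover key derivation and mode from its callers. Absence of hits points toward a table-free cipher such as RC4, a stream XOR, or a custom scheme that has to be identified from its code shape instead.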
Part 3: Attacking Botnets
Botnets, like any complex distributed system, contain vulnerabilities that can be exploited. This part of the training will teach students techniques to find weaknesses in different botnets and use them to perform reconnaissance, send fake information to the control panel, or disrupt the infrastructure with specially crafted traffic. Sometimes such weaknesses can be used to gain control over a botnet and take over its infrastructure. For example, botnet infrastructures used in APT campaigns often have design flaws that provide access to the backend. Hands-on exercises will demonstrate how to bypass authentication mechanisms, perform DDoS and traffic amplification attacks, and launch various botnet sterilization attacks. Further, students will learn how to identify and analyze domain generation algorithms (DGAs) and how to use this knowledge to take control over a botnet.
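Once a DGA has been lifted from a sample, the defender reimplements it for two purposes: enumerate the domains the bots will try in the coming days so they can be registered or sinkholed first, and map domains seen in DNS logs back to the day they were generated for. The example below is added here for illustration and is not course material or the DGA of any family named above: its algorithm, the campaign seed, the 16-domains-per-day schedule and the TLD list are all invented. The structure (date folded into a per-campaign seed, a 32-bit LCG driving label and TLD selection) is typical of the time-based DGAs the course covers.

```python
"""Reimplementation of a hypothetical time-based DGA, used for defence.

Added example, not course code. The algorithm and constants are invented
for illustration; substitute the ones recovered from a real sample.
"""
from datetime import date, timedelta

CAMPAIGN_SEED = 0x5A17C0DE   # assumed per-sample constant recovered from the binary
DOMAINS_PER_DAY = 16         # assumed: number of candidates a bot tries per day
LABEL_LENGTH = 12            # assumed: fixed second-level label length
TLDS = ("com", "net", "org", "info")


def _lcg(state):
    """32-bit linear congruential step (Numerical Recipes constants)."""
    return (1664525 * state + 1013904223) & 0xFFFFFFFF


def _as_date(day):
    return day if isinstance(day, date) else date.fromisoformat(day)


def domains_for_day(day, seed=CAMPAIGN_SEED):
    """Return the ordered list of domains a bot would try on `day`."""
    day = _as_date(day)
    # Time component: the date as an integer YYYYMMDD, mixed with the seed.
    state = (day.year * 10000 + day.month * 100 + day.day) ^ seed
    domains = []
    for _ in range(DOMAINS_PER_DAY):
        label = []
        for _ in range(LABEL_LENGTH):
            state = _lcg(state)
            label.append(chr(ord("a") + (state >> 16) % 26))
        state = _lcg(state)
        tld = TLDS[(state >> 16) % len(TLDS)]
        domains.append("".join(label) + "." + tld)
    return domains


def sinkhole_list(first_day, days, seed=CAMPAIGN_SEED):
    """Every domain used from first_day for `days` days: the pre-registration list."""
    first_day = _as_date(first_day)
    out = []
    for offset in range(days):
        out.extend(domains_for_day(first_day + timedelta(days=offset), seed))
    return out


def match_domain(domain, observed_on, window=3, seed=CAMPAIGN_SEED):
    """Map an observed query back to its generation day (ISO string) or None.

    Bots with skewed clocks generate a few days ahead of or behind the
    observation date, so a window on both sides is checked.
    """
    observed_on = _as_date(observed_on)
    domain = domain.lower().rstrip(".")
    for offset in range(-window, window + 1):
        day = observed_on + timedelta(days=offset)
        if domain in domains_for_day(day, seed):
            return day.isoformat()
    return None


if __name__ == "__main__":
    for d in sinkhole_list("2015-06-15", 2):
        print(d)
    sample = domains_for_day("2015-06-15")[5]
    print(sample, "->", match_domain(sample, "2015-06-17"))
```

The same two functions are what a takeover team ships to a registrar or sinkhole operator: `sinkhole_list` for the registration run, `match_domain` to confirm from passive DNS that the reimplementation is faithful before spending money on domains.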
Part 4: Advanced Botnet Infiltration
In the final part of the training, students will dive into more advanced topics such as poisoning attacks against peer-to-peer botnets, remote cleanup operations, and backend deanonymization. Once a malware's protocol and encryption have been reverse engineered, bot emulators can be developed to track commands and configurations in a botnet. Students will get to try some of these techniques in our lab with real-world malware.
Part 5: Botnet Takeover Challenge
Students will get to apply the knowledge acquired during the training in a botnet takeover exercise. This will require them to reverse engineer a malware sample, understand how it works, and to develop their own takeover strategy.
Covered topics:
* Centralized Botnets
- IP-based/Domain-based
- DNS to IP Mapping
- Proxies/Compromised Servers
* Domain Generation Algorithms
- Time-based
- Seed-based
- Non-deterministic
* Peer-to-Peer Networks
- Structured/DHT
- Unstructured
* Malware families
- Zeus/IceIX/Citadel/KINS
- Cryptolocker
- OS X Flashback
- Storm
- Conficker
- Kelihos
- Gameover Zeus
- ZeroAccess
Who should attend?
This training is intended for people who have a reverse engineering background and want to start using their skills to fight botnets, and those who work in the computer security industry (CERT members, SOC analysts, incident handlers, malware investigators) and want to learn about more offensive approaches against the threats they deal with.
Prerequisites:
- Students must have a general understanding of the x86 assembly language
- Experience with the standard reverse engineering workflow in the Windows environment (unpacking, dumping, disassembling of usermode code, ...)
- Solid knowledge of the TCP/IP stack and common Internet protocols
- Decent programming skills in a modern programming language (e.g., C, C++, Python, Ruby, Perl... well, maybe not Perl.)
Minimum Hardware:
- A laptop with a wireless network card
Minimum Software to install:
- Virtualization software (VirtualBox or VMware is recommended)
- A virtual machine running Windows XP or newer
- IDA Pro 6.x (preferably 6.5)
- Hex-Rays decompiler is highly recommended but not required
- OllyDbg
Dr. Brett Stone-Gross is a senior security researcher on the Dell SecureWorks Counter Threat Unit (CTU) research team where he specializes in malware analysis, reverse engineering, and attack attribution. Brett has authored more than a dozen publications presented at top computer security conferences around the world. His work has led to the disruption of large-scale cybercriminal operations, including botnets that were used for financial theft, click-fraud, spam and fake antivirus software. Prior to joining Dell SecureWorks, he worked at Lastline, Citrix Online, and the Los Alamos National Laboratory. Brett earned a Bachelor of Science in computer engineering, a Master of Science in computer science, and a Ph.D. in computer science from the University of California, Santa Barbara.
Tillmann Werner is a researcher with CrowdStrike where he fights advanced cyber threats. He specializes in malware reverse-engineering and is continuously developing strategies for proactive botnet mitigation. As a member of the Honeynet Project, Tillmann is actively involved with the global computer security community and is a regular speaker on the international conference circuit.