Brett Stone-Gross and Tillmann Werner


13-16 June 2016


24 Seats


$4,200 CAD before May 1, $5,000 CAD after.

Learn how to apply reverse-engineering to botnet takeover attacks. This 4-day training will teach the fundamentals of botnet command-and-control protocol reversing, identifying and breaking cryptography, as well as reconstructing botnet topologies and identifying weaknesses in their infrastructure. Students will learn to use this knowledge to design botnet takeover attacks and practice their skills in various hands-on exercises.

Part 1: Introduction to Botnet Analysis

The first part of the training will start with a refresher on bots and botnet architectures. Students will then dive into fundamental approaches of botnet analysis and solve various hands-on exercises to confirm them. We will use both static and dynamic analysis methods to extract relevant pieces of information from malware samples.

Part 2: Reverse Engineering Network Protocols and Encryption

A good understanding of the network protocols that bots use to communicate with their command-and-control servers is crucial for further analysis of botnet infrastructures and for the design of counterattacks. Students will reconstruct and reimplement the relevant functionality from samples of well-known cybercrime malware families and targeted attack tools.

Many bots use cryptography to protect their communication from signature-based detection and make disruption efforts more difficult. Students will also learn methods to identify and reverse engineer encryption algorithms and produce decryption tools.

Part 3: Attacking Botnets

Botnets, like any complex distributed system, contain vulnerabilities that can be exploited. This part of the training will teach students techniques for finding weaknesses in botnets in order to perform reconnaissance, send fake information to the control panel, or disrupt the infrastructure with specially crafted traffic. Sometimes, such weaknesses can be used to gain control over a botnet and take over its infrastructure. For example, botnet infrastructures used in APT campaigns often have design flaws that provide access to the backend. Hands-on exercises will demonstrate how to bypass authentication mechanisms, perform DDoS and traffic amplification attacks, and launch various botnet sterilization attacks. Further, students will learn how to identify and analyze domain generation algorithms (DGAs) and how to use this knowledge to take control of a botnet.

Part 4: Advanced Botnet Infiltration

In the final part of the training, students will dive into more advanced topics such as poisoning attacks against peer-to-peer botnets, remote cleanup operations, and backend deanonymization. Based on reverse engineering a malware’s protocol and encryption, bot emulators can be developed to track commands and configurations in a botnet. Students will get to try some of these techniques in our lab with real-world malware.

Part 5: Botnet Takeover Challenge

Students will apply the knowledge acquired during the training in a final botnet takeover exercise. This will require them to reverse engineer a malware sample, understand how it works, and develop their own takeover strategy.

Covered Topics

  • Centralized Botnets
    • IP-based/Domain-based
    • DNS to IP Mapping
    • Proxies/Compromised Servers
  • Domain Generation Algorithms
    • Time-based
    • Seed-based
    • Non-deterministic
  • Peer-to-Peer Networks
    • Structured/DHT
    • Unstructured
  • Malware families
    • Zeus variants
    • Cryptowall
    • Conficker
    • Kelihos
    • Gameover Zeus
    • ZeroAccess


This training is intended for people who have a reverse engineering background and want to start using their skills to fight botnets, and those who work in the computer security industry (CERT members, SOC analysts, incident handlers, malware investigators) and want to learn about more offensive approaches against the threats they deal with.



  • Decent programming skills in C and a modern scripting language are required
  • A general understanding of the x86 assembly language
  • Experience with the standard reverse engineering workflow in the Windows environment (unpacking, dumping, disassembling of usermode code, …)
  • Profound knowledge of the TCP/IP stack and common Internet protocols

In order to get the most out of the class, all students must meet the requirements listed above. To assess your skills, we have prepared a simple challenge made available here. The password for the zip archive is "infected". The goal of the challenge is to analyze the sample and determine the correct passphrase (passed as the first command-line argument) that makes it print out a special message. If you can solve the challenge, you should enjoy this class!


  • A laptop with a wireless network card

Minimum Software to Install

  • Some virtualization software (VirtualBox or VMware is recommended)
  • A virtual machine running Windows XP or newer
  • IDA Pro 6.x (preferably 6.8 or newer)
  • Hex-Rays decompiler is highly recommended but not required
  • OllyDbg


Dr. Brett Stone-Gross is a security researcher who specializes in malware analysis, reverse engineering, and attack attribution. Brett has authored more than a dozen publications presented at top computer security conferences around the world. His work has led to the disruption of large-scale cybercriminal operations, including botnets that were used for financial theft, click-fraud, spam and fake antivirus software.

Tillmann Werner is a researcher who fights advanced cyber threats. He specializes in malware reverse-engineering and is continuously developing strategies for proactive botnet mitigation. As a member of the Honeynet Project, Tillmann is actively involved with the global computer security community and is a regular speaker on the international conference circuit.

