The expansion and, in particular, the growing sophistication of botnets has brought with it an increased use of cryptography for safeguarding the communication channels between bots and their command-and-control instances. Asymmetric encryption (public-key cryptography) currently poses a major challenge for malware analysts. Understanding the communication protocol is therefore a critical requirement in the analysis of botnets.
The goal of this short talk is to present a generic, fully automated method for tracking botnet communication protocols, together with a prototype implementation for recovering obfuscated network traffic. Our method arises from the need to constantly analyze highly active botnet families while sparing significant reverse engineering effort. The results show that our approach successfully recovers changes in message structures by circumventing the encryption and interacting directly with the bots.