Use Your Enemies: Tracking Botnets with Bots

Botnets are a curious thing for malware researchers. Although we’re constantly trying to shut them down and stop the responsible people, we’re also focusing a lot of attention on studying and analysing their inner workings in order to learn more about how they operate.

And the best strategy of getting information from a botnet is tricking it into sending everything to us on its own. In this talk we’ll describe our latest project, which does exactly that. We are reverse-engineering communication protocols, re-implementing them in python and impersonating real bots. This way, we can get fresh information/malware/spam/urls directly from a C&C, process it automatically, and react appropriately.

We want to share our insights from a year of tracking, compare our approach with more blackbox solutions (hint: there are advantages and disadvantages), and discuss some challenges and our solutions to them. Although we won’t focus on specific malware protocols, we’ll mention them in the passing.

Jarosław Jedynak is a malware analyst and security engineer at CERT.PL. His research interests focus on malware, especially P2P botnets. Additionally he is actively tracking new malicious campaigns, in order to disrupt criminal activity. In his free time, he is a passionate CTF player, and cofounder of p4 team.
Paweł Srokosz is a security researcher and a malware analyst at CERT.PL, constantly digging for fire and doing reverse engineering of ransomware and botnet malware. Free-time spends on playing CTFs as a p4 team member and studying Computer Science at Warsaw University of Technology.

Print Friendly, PDF & Email
Jarosław Jedynak

Jarosław Jedynak

Security Engineer/Malware Researcher at CERT.PL
Jarosław Jedynak


Software/security engineer, former malware analyst at @CERT_Polska_en, currently engineer at @google, cofounder of @p4_team.
@Viking_Sec A hint: starting RE with nymaim is a bit like starting sport with a double ironman marathon. But if you… - 6 days ago
Jarosław Jedynak

Latest posts by Jarosław Jedynak (see all)