Botconf Author Listing

A daily task of malware analysts is the extraction of behaviors from malicious binaries. Such behaviors include domain generation algorithms, cryptographic algorithms or deinstallation routines. Ideally, this tedious task would be automated. So far scientific solutions have not gotten beyond proof-ofconcepts. Malware analysts continue to reimplement behaviors of interest manually. However, often times they merely translate the malicious binary assembler code to a higher-level language. This yields to poorly readable and undocumented code whose correctness is not ensured. In this paper, we aim at overcoming these shortcomings by integrating Behavior-Driven Development in the malware analysis process. We explain in detail how the integration of Behavior-Driven Development into the malware analysis process can be done. In a case study on the highly obfuscated malware Nymaim, we show the feasibility of our approach.

We will present a general-purpose laboratory for large-scale botnet experiments. We reveal how several key points have been implemented, e.g., realistic simulation of the Internet or total observability within the laboratory. As a case study, we demonstrate the feasibility of our approach in simulating a large-scale takedown of the Citadel botnet. Additionally, we will show a screencast of the Citadel takedown.