Botconf Author Listing

Hide away! A well-obfuscated malicious application can run on a device for a long time without detection, avoiding the-cat-and-mouse race between attackers and defenders. Still, how easy is it to protect an application from antivirus detection? Are attackers winning the race? We encountered a specialized service that offered protection of Android applications when investigating malicious actors involved in a Russian Android botnet. We seized this unique opportunity and plunged into a deep technical investigation that shed light into the automatic operations of malware protection services and the revenues and capabilities of the people managing them.

During the last couple of years there has been an important surge on the use of HTTPs by malware. The exact reason for this increase is not completely understood yet, but it is hypothesized that it was forced by organizations only allowing web traffic to the Internet and that using HTTPs makes the malware similar to normal connections. Therefore, there has been a growing interest in understanding the usage of HTTPs by malware. This paper describes our research to obtain large quantities of real malware traffic using HTTPs, our use of man-in-the-middle HTTPs interceptor proxies to open and study the content and our analysis of how the behavior of the malware changes after being intercepted. Our research goal is to understand the use of HTTPs in malware traffic and the impact of intercepting its traffic. After our analysis we conclude that the use of a interceptor proxy in a network should be carefully considered.

Nowadays there are a lot of tools to analyze traffic, but the most important thing to have is the experience and knowledge of a malware analyst. The goal of the workshop is to give a hands-on experience on analyzing the behavior of malware and botnet traffic in the network by studying their web patterns and their traffic behavior. The workshop will use both pcap files of real malware captures and real normal captures. Participants will learn a proven approach on how to do their traffic analysis, how to recognize malicious connections, how to separate normal behaviors from malicious behaviors, how to recognize anomalous patterns and how to deal with large amounts of traffic. Analyzing only malware traffic may not be so complicated for some people, but accurately separating it from normal traffic is harder.

The most important lesson of the workshop is not how to use wireshark or tcpdump. The workshop transmits the experience of recognizing the malicious actions of malware in the network. How to identify when malware tries to hide, how to recognize the encryptions, how to discard false connections, etc. The participants should leave with a good set of knowledge about obtain an overall analysis picture of the traffic to recognize if there are malicious behaviors on it.

A normal computer infected with malware is difficult to detect. There have been several approaches in the last years which analyze the behavior of malware and obtain good results. The malware traffic may be detected, but it is very common to miss-detect normal traffic as malicious and generate false positives. This is specially the case when the methods are tested in real and large networks. The detection errors are generated due to the malware changing and rapidly adapting its domains and patterns to mimic normal connections. To better detect malware infections and separate them from normal traffic we propose to detect the behavior of the group of connections generated by the malware. It is known that malware usually generates various related connections simultaneously and therefore it shows a group pattern. Based on previous experiments, this paper suggests that the behavior of a group of connections can be modelled as a directed cyclic graph with special properties, such as its internal patterns, relationships, frequencies and sequences of connections. By training the group models on known traffic it may be possible to better distinguish between a malware connection and a normal connection.