Botnets are a curious thing for malware researchers. Although we’re constantly trying to shut them down and stop the responsible people, we’re also focusing a lot of attention on studying and analysing their inner workings in order to learn more about how they operate.
And the best strategy of getting information from a botnet is tricking it into sending everything to us on its own. In this talk we’ll describe our latest project, which does exactly that. We are reverse-engineering communication protocols, re-implementing them in python and impersonating real bots. This way, we can get fresh information/malware/spam/urls directly from a C&C, process it automatically, and react appropriately.
We want to share our insights from a year of tracking, compare our approach with more blackbox solutions (hint: there are advantages and disadvantages), and discuss some challenges and our solutions to them. Although we won’t focus on specific malware protocols, we’ll mention them in the passing.