Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow to conduct quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable python libraries (ipython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on botnet’s data, the tools and skills learned will be useful to all sorts of context. Moreover, to ensure that participants take the most out of the workshop, it will be built in a way to allow them to easily replicate the data-analysis environment at home and reproduce similar analysis with their own traffic data.
Workshop Outline
- Introduction to the workshop
- Overview of the Linux/Moose botnet
- The datasets available: Pcaps and mitmproxy logs
- Overview of the tools we will use
- Network traffic and C&C protocol analysis
- Lab 1: Find the potential victims that have been targeted by the botnet’s scanner
- Lab 2: Find and extract the C&C traffic in the Pcaps
- Lab 3: Find the list of proxy clients IPs and evaluate if the list changes through time
- Decrypted HTTPS traffic data analysis
- Lab 4: Find the list of websites targeted by the botnet and graph them based on the proxy client IP
- Lab 5: Graph the total number of requests made per proxy client through time
- Lab 6: Find whether proxy clients are re-using their fake social media accounts
