Loading…
Botconf 2017 has ended
View analytic
Tuesday, December 5 • 14:00 - 18:00
Botnet Tracking and Data Analysis Using Open-Source Tools

Log in to save this to your schedule and see who's attending!

Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow to conduct quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable python libraries (ipython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on botnet’s data, the tools and skills learned will be useful to all sorts of context. Moreover, to ensure that participants take the most out of the workshop, it will be built in a way to allow them to easily replicate the data-analysis environment at home and reproduce similar analysis with their own traffic data.
Workshop Outline
  • Introduction to the workshop
    • Overview of the Linux/Moose botnet
    • The datasets available: Pcaps and mitmproxy logs
    • Overview of the tools we will use
  • Network traffic and C&C protocol analysis
    • Lab 1: Find the potential victims that have been targeted by the botnet’s scanner
    • Lab 2: Find and extract the C&C traffic in the Pcaps
    • Lab 3: Find the list of proxy clients IPs and evaluate if the list changes through time
  • Decrypted HTTPS traffic data analysis
    • Lab 4: Find the list of websites targeted by the botnet and graph them based on the proxy client IP
    • Lab 5: Graph the total number of requests made per proxy client through time
    • Lab 6: Find whether proxy clients are re-using their fake social media accounts

Speakers
avatar for Olivier Bilodeau

Olivier Bilodeau

Cybersecurity Research Lead, GoSecure
avatar for Masarah Paquet Clouston

Masarah Paquet Clouston

Security Researcher, GoSecure
Masarah is a security researcher at GoSecure and one of Canada’s decorated 150 scientific innovators. With her background in economics and criminology, she specializes in the study of market dynamics behind illicit online activities. Her primary goal is to conduct scientific research... Read More →


Tuesday December 5, 2017 14:00 - 18:00
Université de Montpellier (Faculté de droit et science politique) 14 Rue du Cardinal de Cabrières, 34000 Montpellier, France