BOTNET ACTIVITY MONITORING THROUGH PROCESS PUPPETEERING, presented at BSidesLisbon 2017

by Tiago Pereira

Summary: Monitoring botnet activity to produce threat intelligence often requires the development of specialized tools that speak the malware's protocol, join the botnet and extract relevant information, or exploit some of its weaknesses. Developing these tools (often called trackers, crawlers or milkers) can be hard and time-consuming: it involves long hours of reverse engineering, re-implementing network protocols from scratch, and operating the tools without being detected by the botnet operators. This presentation will share a few fun moments from developing and deploying these tools and show how to make the process (slightly...) less painful by using memory injection and binary instrumentation to re-purpose real malware as a botnet monitoring tool, while disabling its malicious capabilities.