Uncovering And Visualizing Botnet Infrastructure And Behavior presented at deepsec 2017

by Josh Pyorre, Andrea Scarfo,

Summary : How much information about a botnet can one find using a single IP address, domain name or indicator of compromise (IOC)?
What kind of behavior can be determined when looking at attacker and victim infrastructure?
In an attempt to discover and analyze the infrastructure behind large-scale malware activity, we began our research with known indicators from popular botnets, such as Necurs.
Our presentation will highlight co-occuring malicious activities observed on the infrastructure of popular botnets.
We will demonstrate practical techniques for analyzing botnet and malware traffic to provide context that can be used in identifying actor and victim infrastructure and to discover additional IOC's.
We will also show how political and societal world events may influence specific types of malware activity based on locations and times of malware events.
Finally, we will demonstrate a visualization framework that can be used to better understand the connections between infrastructure, threats, victims, and malicious actors.