
Cracking the Encrypted C&C Protocol of a New p2p Botnet

This session explores how we cracked the encryption algorithm and decoded the command and control (C&C) protocol of a p2p botnet that cybercriminals are using to run an advanced malware distribution system behind wide-scale fraud and identity theft attacks.

The analysis starts with the discovery of an unusual traffic pattern from computers infected with a variety of malware in a real-world deployment. A relatively small group of infected computers (~300) on the monitored network was communicating with over 60,000 hosts on the Internet using what was clearly an encrypted command and control protocol. One infected computer was in contact with over 5,000 different peers in a single day.
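The fan-out pattern above (a few hundred inside hosts, tens of thousands of distinct outside peers, thousands per host per day) is what network sensors can flag before anything about the protocol is known. The following is an added example, not code from the presentation: a small per-host peer fan-out detector run over constructed flow records. The 10.0.0.0/8 internal range, the 500-peer threshold, the log format, and the synthetic flows produced by `make_sample_flows` are all assumptions for illustration.

```python
"""Peer fan-out detector: flags hosts that contact an abnormal number of
distinct Internet peers per day, the pattern that exposed the p2p C&C
channel described above.

Added example; not code from the presentation. Flow records are
constructed here (make_sample_flows) and are not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import random

# Address space treated as "inside the monitored network" (assumption).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Fan-out above which a host is flagged (assumption). Ordinary desktops
# talk to tens of distinct peers a day; the infected hosts reached thousands.
FANOUT_THRESHOLD = 500


def parse_flow(line):
    """Parse 'ISO-timestamp src dst dport' into (datetime, src, dst, port)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def peer_fanout(lines):
    """Map (day, internal_host) -> set of distinct external peers.

    Direction is ignored on purpose: in a p2p overlay the peers also
    initiate connections inbound, so both directions count.
    """
    fanout = defaultdict(set)
    for line in lines:
        ts, src, dst, _ = parse_flow(line)
        day = ts.date().isoformat()
        src_in = ipaddress.ip_address(src) in INTERNAL_NET
        dst_in = ipaddress.ip_address(dst) in INTERNAL_NET
        if src_in and not dst_in:
            fanout[(day, src)].add(dst)
        elif dst_in and not src_in:
            fanout[(day, dst)].add(src)
    return fanout


def flag_hosts(lines, threshold=FANOUT_THRESHOLD):
    """Return sorted [(day, host, peer_count)] for hosts at or over threshold."""
    return sorted(
        (day, host, len(peers))
        for (day, host), peers in peer_fanout(lines).items()
        if len(peers) >= threshold
    )


def peer_overlap(lines, threshold=FANOUT_THRESHOLD):
    """External peers shared by every flagged host.

    Members of one p2p botnet draw on the same peer list, so their peer
    sets overlap; a port scanner or a busy legitimate client would not.
    """
    flagged = {(d, h) for d, h, _ in flag_hosts(lines, threshold)}
    peer_sets = [p for key, p in peer_fanout(lines).items() if key in flagged]
    if len(peer_sets) < 2:
        return set()
    return set.intersection(*peer_sets)


def make_sample_flows(seed=1):
    """Constructed flow log (not real data): three normal hosts with 20 peers
    each and two infected hosts that each reach 1500 distinct peers drawn
    from a shared pool, so their peer lists overlap like a real overlay."""
    rng = random.Random(seed)
    base = datetime(2012, 2, 1)
    pool = [f"203.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
            for _ in range(4000)]
    pool = list(dict.fromkeys(pool))  # drop accidental duplicates
    lines = []

    def emit(src, dst, port):
        ts = base + timedelta(seconds=rng.randint(0, 86399))
        lines.append(f"{ts.isoformat()} {src} {dst} {port}")

    for host in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):  # normal web clients
        for peer in rng.sample(pool[:200], 20):
            emit(host, peer, rng.choice((80, 443)))
    for host in ("10.0.0.5", "10.0.0.9"):  # infected p2p nodes
        for peer in rng.sample(pool, 1500):
            port = rng.randint(1024, 65535)  # C&C on random high ports
            if rng.random() < 0.5:
                emit(host, peer, port)  # outbound
            else:
                emit(peer, host, port)  # inbound from a peer
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    flows = make_sample_flows()
    for day, host, n in flag_hosts(flows):
        print(f"{day} {host}: {n} distinct peers")
    print(f"peers shared by all flagged hosts: {len(peer_overlap(flows))}")
```

Counting distinct peers rather than connections or bytes is what separates this traffic from a large download or a web crawl, and the overlap check distinguishes a shared p2p peer list from unrelated noisy hosts. On real sensor data the threshold should be set from a baseline of the monitored network rather than the fixed value assumed here.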

The obvious conclusion was that this was a new p2p botnet that was being used to control these computers and infect them with a variety of malware. The scale of the infection and the number of different malware varieties involved indicated that this was a significant operation.

In this session we will describe how we used traffic analysis from our network sensors and malware samples in the lab to reverse engineer this bot, crack the encryption algorithm and decode the command and control protocol. In addition, we will describe the infection process, how the malware injects itself into a variety of system processes and how it protects itself from detection. We will provide a detailed analysis of how it maintains contact with its peers and discuss various approaches for infiltrating this botnet.

By examining the protocol in more detail, we can see how cybercriminals use it to manage a large multi-tiered botnet, which is then used to distribute additional malware components for a fee or to launch wide-scale fraud or identity theft attacks.
Recorded Feb 28 2012 60 mins
Presented by
Kevin McNamee

Presentations from the BSides Events and Beyond

  • Live at: Feb 28 2012 6:00 pm