Thursday 6 October 10:00 - 10:30, Green room
Benoit Ancel (Stormshield)
Mehdi Talbi (Stormshield)
Malware analysts have an arsenal of tools to reverse engineer malware but lack the means to monitor, debug and control the malicious network traffic. In this paper, we propose to use Haka — an open source security-oriented language — to address this problem. The rationale for this is fourfold: first, Haka features a grammar that allows one to naturally express malware protocol dissectors. Second, Haka provides a dedicated and customizable tool (Hakabana) to provide a real-time visualization of malware network activities through Kibana dashboards. Third, Haka has an interactive mode that enables it to break into particular packets/streams and inspect their content. Haka also features a stream-disassembler module that leverages the Capstone engine which enables disassembling the packet content into ASM instructions at the network level. Finally, Haka provides the most advanced API for packet and stream manipulation. One can drop, create and inject packets.
Haka also supports on-the-fly packet modification. This is one of the main features of Haka since all complex tasks such as resizing packets, setting correct sequence numbers are done transparently to the user. For example, this enables us to hijack some botnet commands to automatically disinfect a set of compromised computers if the malware supports such C&C commands (e.g. uninstall).
In this presentation we will showcase the monitoring of the C&C activities of a well-known malware family starting from the detection of the initial infection to the removal of the malware. All these steps are managed through advanced Haka security rules. Additionally, we will provide a set of protocols dissectors of well-known malware families and show some statistics and interesting results from our tracking of real-word C&C traffic.
Benoît Ancel is a French malware analyst who has worked in the Stormshield Security Team for three years. His research interests include malware hunting, reversing and botnet tracking. He spends his free time monitoring honeypots and providing IOCs.
Mehdi Talbi, Ph.D., is a security researcher at Stormshield where he contributes to the Haka open source project. His main interests are vulnerability exploitation techniques, reverse engineering, intrusion detection and network forensics. He has published more than 10 peer-reviewed papers in computer security conferences (ICICS, ARES), journals (Journal in Computer Virology) and magazines (MISC).