This covers using the open source tool Chopshop developed by Mitre to decode the Mirai DDoS Botnet command and control traffic.

tjnel/Decoding-Mirai-Malware-Traffic-with-Chopshop

Decoding Mirai Malware Traffic with Chopshop

General Information

This is a presentation that covers using the open source tool Chopshop developed by Mitre to decode the Mirai DDoS Botnet command and control traffic.

Why should we care?

Malware must run, and most malware wants to communicate. This communication can do various things for malware actors, including but not limited to:

  • Exfiltrating stolen data and credentials
  • Sending DDoS attacks
  • Sending and retrieving malicious instructions

Identifying and understanding these communications can give us insight into the tools, tactics and procedures used by malicious actors, and into their motives. Once you have a clear understanding of the malware traffic you can create network signatures to detect it and use the communication details to anticipate future behavior. For instance, if a malware command and control server sends DDoS attack details to an infected computer, you can expect DDoS attack traffic to come from that host soon afterwards. Knowing the target, attack type and duration allows defenders to prevent this traffic by blocking the target and/or packet types. However, not all malware communication is straightforward and easy to interpret. Often the malware traffic is encoded or encrypted to prevent inspection by malware analysts and network defenders.

To solve this, analysis of the malware can be done to identify how to decode its traffic; tools such as Chopshop can then be used to decode the traffic automatically. Chopshop is developed by the Mitre Corporation. It takes pcap files and provides the ability to run modules against them to conduct analysis. In addition to providing modules for general use, it lets users create their own modules for particular malware they are interested in. In this presentation I have analyzed Mirai command and control traffic to develop a module that decodes this traffic and extracts information.
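The decoding step such a module performs, as an added example that is not the repository's own module: plain Python so it runs outside Chopshop, parsing the server-to-bot side of a Mirai command and control stream into duration, attack type and targets. The wire layout (a big-endian 2-byte length prefix per message, a zero length as keep-alive, then duration, vector id, target list and option list) and the vector-id names are assumed from the publicly leaked Mirai source and should be checked against your own copy; the sample bytes are constructed. In a Chopshop module the same function would be called from the module's stream handler on the buffered server-side data, with the returned leftover bytes kept for the next segment.

```python
import struct
from typing import Dict, List, Tuple

# Attack-vector ids as listed in the leaked Mirai source (bot/attack.h).
# Reproduced from memory: treat these names as an assumption to verify.
ATTACK_VECTORS = {
    0: "udp", 1: "vse", 2: "dns", 3: "syn", 4: "ack",
    5: "stomp", 6: "greip", 7: "greeth", 9: "udp_plain", 10: "http",
}


def parse_attack_command(payload: bytes) -> Dict:
    """Parse one CNC->bot attack command (the bytes after the 2-byte length prefix).

    Assumed layout: u32 duration, u8 vector, u8 target count,
    then (u32 ip, u8 prefix) per target, u8 option count,
    then (u8 key, u8 value length, value bytes) per option.
    Option key meanings live in the source's attack.h; they are kept as ints here.
    """
    if len(payload) < 6:
        raise ValueError("payload too short for header")
    duration, vector, n_targets = struct.unpack_from("!IBB", payload, 0)
    off = 6
    targets: List[str] = []
    for _ in range(n_targets):
        if off + 5 > len(payload):
            raise ValueError("truncated target list")
        ip_raw, prefix = struct.unpack_from("!4sB", payload, off)
        off += 5
        ip = ".".join(str(b) for b in ip_raw)
        targets.append("%s/%d" % (ip, prefix))
    if off >= len(payload):
        raise ValueError("missing option count")
    n_opts = payload[off]
    off += 1
    options: Dict[int, str] = {}
    for _ in range(n_opts):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        key, vlen = payload[off], payload[off + 1]
        off += 2
        if off + vlen > len(payload):
            raise ValueError("truncated option value")
        options[key] = payload[off:off + vlen].decode("ascii", "replace")
        off += vlen
    if off != len(payload):
        raise ValueError("trailing bytes after options")
    return {
        "duration": duration,
        "vector": ATTACK_VECTORS.get(vector, "unknown(%d)" % vector),
        "targets": targets,
        "options": options,
    }


def decode_server_stream(data: bytes) -> Tuple[List[Dict], bytes]:
    """Walk the server->bot byte stream and return (messages, leftover bytes).

    Each message is a big-endian u16 length followed by that many bytes; a zero
    length is a keep-alive. Leftover bytes are returned so a caller buffering a
    TCP stream can prepend them to the next segment instead of losing a message
    that straddles two segments.
    """
    messages: List[Dict] = []
    off = 0
    while off + 2 <= len(data):
        (length,) = struct.unpack_from("!H", data, off)
        if length == 0:
            messages.append({"type": "keepalive"})
            off += 2
            continue
        if off + 2 + length > len(data):
            break  # incomplete message: wait for more data
        body = data[off + 2:off + 2 + length]
        off += 2 + length
        try:
            msg = parse_attack_command(body)
            msg["type"] = "attack"
        except ValueError as exc:
            # Keep malformed frames visible rather than silently dropping them.
            msg = {"type": "malformed", "error": str(exc), "raw": body.hex()}
        messages.append(msg)
    return messages, data[off:]


# Constructed sample: a keep-alive, then a 30-second vector-3 command against
# 203.0.113.10/32 with one option (key 7, value "80"), then a partial frame.
SAMPLE_BODY = (
    struct.pack("!IBB", 30, 3, 1)
    + bytes([203, 0, 113, 10, 32])
    + bytes([1, 7, 2]) + b"80"
)
SAMPLE_STREAM = b"\x00\x00" + struct.pack("!H", len(SAMPLE_BODY)) + SAMPLE_BODY + b"\x00\x05\xab\xcd"

if __name__ == "__main__":
    msgs, rest = decode_server_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m)
    print("leftover:", rest.hex())
```

Running the block prints one keep-alive record, one decoded attack record and the four leftover bytes of the unfinished frame; the decoded duration, vector name and target are exactly the fields a defender needs to anticipate the outgoing flood the text describes.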

Three Main Ideas

  1. Most malware communicates as an essential part of its progression towards its objectives.
  2. Sometimes malware traffic is encoded or encrypted, making it difficult to understand.
  3. Tools like chopshop can be used to create modules that will automatically decode this traffic into a meaningful format.

Conclusion

With Mitre's Chopshop, I was able to create a module that would decipher the Mirai DDoS Botnet command and control traffic. This process can be adapted to decode any malware or network traffic.

Future Direction

In the future this research can be expanded upon by incorporating additional modules and external libraries to provide coverage for more malware families.

Additional Resources
