John Morris Kindsight
Kevin McNamee Kindsight
This session will explore how we cracked the encryption algorithm and decoded the command and control protocol of the ZeroAccess P2P botnet, which is being used to control an advanced malware distribution system behind wide-scale fraud and identity theft attacks.
The analysis starts with the discovery of an unusual traffic pattern from computers infected with a variety of malware in a real-world service provider deployment. In a single day, a relatively small group of infected computers (approx. 300) from the network were communicating with over 60,000 computers on the Internet, using what was obviously an encrypted command and control protocol.
We will then describe how we used traffic analysis from our network sensors and dynamic analysis of malware samples in the lab to reverse engineer this bot, crack the encryption algorithm and decode the command and control protocol. In addition, we will describe the infection process, how the malware injects itself into a variety of system processes and how it protects itself from detection. We will provide a detailed analysis of how it maintains contact with its peers and discuss various approaches for the infiltration and takedown of this botnet.