
    AvengerCon VII: Covertly Infiltrating and Monitoring C&C Servers


    Part of the AvengerCon VII presentations cleared for public release:

    Presented by MAJ Jonathan Fuller.

    Current techniques for monitoring botnets towards disruption or takedown are likely either to gather inaccurate data about the botnet or to be detected by the C&C orchestrators. Seeking a covert and scalable alternative, we look to an evolving pattern in modern malware: the integration of standardized, over-permissioned protocols that expose privileged access to C&C servers. We implement techniques to detect and exploit these protocols from over-permissioned bots for covert C&C server monitoring. Our empirical study of 200k malware samples captured since 2006 revealed 62,202 over-permissioned bots (nearly 1 in 3) and 443,905 C&C monitoring capabilities, with a steady increase in over-permissioned protocol use over the last 15 years. Given their ubiquity, we conclude that even though over-permissioned protocols allow C&C server infiltration, their efficiency and ease of use keep them prevalent in the malware operational landscape. This paper presents C3PO, a pipeline that enables our study and lets incident responders automatically identify over-permissioned protocols, infiltration vectors for spoofing bot-to-C&C communication, and C&C monitoring capabilities that guide covert monitoring after infiltration. Our findings suggest that the over-permissioned protocol weakness provides a scalable approach to covertly monitoring C&C servers, a fundamental enabler of botnet disruptions and takedowns.
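    The abstract's core idea, a bot whose protocol and embedded credentials grant a third party more access to the C&C server than the bot itself uses, can be illustrated with a small classifier. The following is an added example written for this page; it is not the C3PO pipeline or code from the presenter. The trace format (lines prefixed C> and S<), the per-protocol command profiles, and both sample traces are constructed assumptions; the page names no specific protocol, so FTP is used purely as a stand-in for a standardized protocol with reusable credentials.

```python
"""Added example (not from the page or the C3PO project): flag a bot's C&C session
as over-permissioned when the protocol it speaks and the credentials it carries
would let anyone holding the same bytes do more on the C&C server than the bot
itself ever does. Trace format, profiles and sample traces are hypothetical."""
import re
from dataclasses import dataclass

# Constructed sandbox-style trace of one bot uploading to an FTP drop server.
# "C>" lines are bot-to-server, "S<" lines are server-to-bot.
FTP_DROP_TRACE = """\
S< 220 (vsFTPd 3.0.3)
C> USER upload_bot
S< 331 Please specify the password.
C> PASS s3cr3t-embedded-in-binary
S< 230 Login successful.
C> TYPE I
C> STOR victim-4711/keylog.bin
S< 226 Transfer complete.
C> QUIT
"""

# Constructed trace of a bot speaking a bespoke protocol with no standard
# client-side verbs; nothing here is reusable by a third party.
CUSTOM_TRACE = """\
C> HELLO 4711
S< OK
C> PUSH 3a5f9c
S< ACK
"""

# Assumed per-protocol profiles (illustrative, not the paper's tables):
#   signature  - verbs that identify the protocol in a client trace
#   auth       - verbs whose arguments carry credentials the bot must embed
#   privileged - operations the same login also permits on the server side
PROFILES = {
    "ftp": {
        "signature": {"USER", "PASS", "TYPE", "STOR", "RETR", "LIST", "NLST", "CWD", "QUIT"},
        "auth": {"USER", "PASS"},
        "privileged": {"LIST", "NLST", "CWD", "RETR", "DELE", "RNFR", "RNTO", "MKD", "RMD"},
    },
}

CLIENT_LINE = re.compile(r"^C> ([A-Z]+)(?: (.*))?$")


@dataclass(frozen=True)
class Assessment:
    protocol: str                  # matched profile name, or "unknown"
    credentials: tuple             # (verb, argument) pairs recovered from the trace
    used: frozenset                # verbs the bot actually issued
    extra_capabilities: frozenset  # privileged verbs the login unlocks but the bot never uses
    over_permissioned: bool


def parse_client_commands(trace):
    """Return [(verb, argument), ...] for every bot-to-server line."""
    commands = []
    for line in trace.splitlines():
        m = CLIENT_LINE.match(line.strip())
        if m:
            commands.append((m.group(1), m.group(2) or ""))
    return commands


def identify_protocol(commands, min_hits=2):
    """Pick the profile sharing the most verbs with the trace; demand at least
    min_hits so one coincidental verb does not mislabel a custom protocol."""
    verbs = {verb for verb, _ in commands}
    best, best_hits = "unknown", 0
    for name, profile in PROFILES.items():
        hits = len(verbs & profile["signature"])
        if hits > best_hits:
            best, best_hits = name, hits
    return best if best_hits >= min_hits else "unknown"


def assess(trace):
    commands = parse_client_commands(trace)
    used = frozenset(verb for verb, _ in commands)
    protocol = identify_protocol(commands)
    if protocol == "unknown":
        return Assessment(protocol, (), used, frozenset(), False)
    profile = PROFILES[protocol]
    # Infiltration vector: the credentials the bot had to carry to authenticate.
    credentials = tuple((v, a) for v, a in commands if v in profile["auth"])
    # Monitoring capabilities: what those credentials allow beyond the bot's own traffic.
    extra = frozenset(profile["privileged"] - used)
    return Assessment(protocol, credentials, used, extra,
                      over_permissioned=bool(credentials) and bool(extra))


if __name__ == "__main__":
    for label, trace in (("ftp drop", FTP_DROP_TRACE), ("custom", CUSTOM_TRACE)):
        a = assess(trace)
        print(f"{label}: protocol={a.protocol} over_permissioned={a.over_permissioned} "
              f"extra={sorted(a.extra_capabilities)}")
```

    The design point is the split between what the bot uses and what its login permits: the FTP drop bot only ever issues STOR, yet the recovered USER/PASS pair also grants directory listing and retrieval on the server, which is exactly the gap a covert monitor would exploit. The custom-protocol trace matches no profile and is reported as unknown rather than guessed at.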


    AvengerCon is a free security event hosted every fall by the Maryland Innovation and Security Institute to benefit the hackers of the U.S. Cyber Command community and the U.S. Army 780th Military Intelligence Brigade. The event is open to all service members and employees of U.S. Cyber Command and the Department of Defense, and to related partners, supporting cyberspace missions. AvengerCon features presentations, hacker villages, training workshops, and much more.

    The views expressed are those of the presenter, and do not reflect the official position of the 780th Military Intelligence Brigade, U.S. Cyber Command, the Department of the Army, or Department of Defense.


    VIDEO INFO

    Date Taken: 12.01.2022
    Date Posted: 01.04.2023 10:38
    Category: Series
    Video ID: 870227
    VIRIN: 221201-O-PX639-310
    Filename: DOD_109398151
    Length: 00:35:39
    Location: US


    PUBLIC DOMAIN