Malware analysis & C2 covert channels
In the internal network of a large organization there may be a large number of security measures or products in place, such as antivirus, Intrusion Prevention/Detection Systems (IPDS), firewalls, security patch management and so on, and still some malware, mostly APT threats, goes undetected. One of the activities such malware conducts is to "phone home", either to fetch updates and instructions from remote Command and Control (C&C) servers or to send back stolen information. Proactively detecting these phone-home activities is challenging, but it may also prove fruitful. Before attempting it, however, an analyst must be aware of the most common techniques attackers use to exfiltrate data through these channels. The first part of this thesis covers tools and techniques for malware analysis and reverse engineering, as well as the setup and documentation of a basic lab environment. The second part analyzes and documents the core techniques and attributes of known Command and Control channels for malware communication (C2 channels) and examines implementations of such covert channels over common computer network protocols. In the final part, we propose and develop a covert data exfiltration method based on established techniques.