BSides Birmingham 2023

Big Game Hunting: Scanning the Internet for Malware
10-28, 13:00–13:50 (US/Central), Ballroom D

In the ever-evolving landscape of cybersecurity, the hunt for malicious actors and their infrastructure is a relentless pursuit. In our experience, most of known-bad infrastructure is derived from endpoint or firewall alerts, and reported either during or after an attack. This presentation delves into the fascinating world of proactively scanning the internet to uncover malware Command and Control (C2) servers. We will shed light on the "why," "how," and the invaluable results achieved through these endeavors.

Our talk will showcase the techniques employed in actively scanning for malware, including the associated challenges and intricacies. We will demonstrate, with real-world examples, how this proactive approach grants us unique insights into attacker infrastructure, often before it becomes operational. By showcasing examples involving well-known malware strains and even Advanced Persistent Threat (APT) actors, we will illustrate the tangible benefits of this approach.

The talk begins with an overview of malware C2 architectures and technologies. We will also discuss what public research has already been done in this field, and show how we have improved upon it. This provides the basis for understanding how it is possible to scan for malware and why certain techniques work while others do not. With the foundations established, we then discuss the actual techniques which have been used to scan for web shells, commodity malware, as well as custom APT malware. After demonstrating the techniques and real-world examples, we will conclude with the technical challenges we encountered, providing insight to defenders on which signatures and policies are best used to detect and stop C2 traffic.

Talk Categories

Blue, Purple, Technical

Skyler Onken has been in the tech and security industry since 2003. He began as a Data Warehousing Engineer, but quickly found an interest in security by working as a Web Application Security Tester. Skyler's passion and empty pockets led him to beg and sneak his way into Black Hat where he became hooked and a lifelong hacker. After gaining an undergraduate degree, Skyler commissioned into the US Army as a Military Intelligence, and then Cyberspace Operations, officer. Skyler spent over 10 years in the Army working with the Department of Defense and United States Cyber Command (USCC). He served in various leadership and management positions, while simultaneously fulfilling technical roles like capability developer, and offensive operator. Most impactful from this service was his experience as a Mission Director for the Cyber National Mission Force, Director of the Joint Mission Operations Center - Georgia, and Master Operator for USCC and Joint Force Headquarters - Army.

Skyler is currently a Senior Principal Cyber Research Engineer at Palo Alto Networks, and an Army Reservist. He has a B.S in Computer Information Technology, and a M.S in Applied Computer Science. He holds a number of security certifications to include the OSCP, OSCE, GXPEN, GREM, and CISSP. He volunteers as member of the Association of U.S. Cyber Forces policy team working on legislation for the establishment of a U.S cyber service.