Hands on Cybersecurity Studies: Uncovering and Decoding Malware Communications with Dshell
Abstract
This report presents a hands-on exercise on basic software reverse-engineering with the ultimate objective of learning how a particular malware (malicious software) sample communicates across a network, and developing software to detect and reveal these communications in plaintext, in vivo. Remote access trojans (RATs) are a type of malware that persist on the infected machine (bot) after compromise and provide the malicious actor in control of the malware with remote access to the infected machine via established command-and-control channels. As with all malware, RATs are typically spread through phishing emails or websites where the software is downloaded without the user's knowledge; they can also spread by taking advantage of vulnerabilities in software running on the victims' devices. This report details the last of three software reverse-engineering exercises, which can be completed cumulatively or individually, as each accomplishes a specific task and builds on the previous exercise. The effects and communications of RATs are demonstrated, and participants are guided through a series of steps leveraging the US Army Combat Capabilities Development Command (CCDC) Army Research Laboratory's (ARL's) open-sourced network forensic analysis framework, Dshell, to develop a Dshell decoder that can decode the communications to enable detection and support mitigation.
Document Details
- Document Type: Technical Report
- Publication Date: Jun 23, 2020
- Accession Number: AD1102548
Entities
People
- Daniel E. Krych
- Jaime C. Acosta
Organizations
- United States Army Research Laboratory