Next Course: 14-18 May 2012 (registration to free slots opens on 16 April)
Number of Attendees: 14 (1 granted slot per sponsoring nation; others can be assigned to the course if slots remain available)
Course description
The custom-designed 5-day course has been developed in cooperation with the University of Bonn, Germany. Training focuses on malware reverse engineering and other methods applicable to botnet infiltration. The main instructor will be the world-renowned cyber security and botnet researcher Tillmann Werner (Honeynet Project, Kaspersky).
Target Audience
Malware analysts (trainees), CERT technical staff, CNO technical staff, IT Security personnel (technical).
Course outline
Setting up a laboratory environment for botnet analysis.
Overview of malware spreading techniques and botnets.
Creation of botnets using botnet construction kits.
Botnet Analysis:
- Applied blackboxing.
- Overview of sandbox concepts.
- Static and dynamic analysis of botnet traffic.
- HTTP Botnet analysis and monitoring.
Comprehensive Introduction to Reverse Engineering of Malware:
- Overview of the x86 architecture and assembly primer.
- Reverse mapping of assembly to high-level languages.
- Static analysis tools, and IDA Pro.
- Dynamic analysis and debugging methodology.
- Shellcode investigation.
- Packers, unpacking, and sample reconstruction.
Multiple hands-on exercises for botnet takeover
Prerequisites
Participants of the course are expected to have good working experience with Linux (the work environment) and Windows (the malware environment in this course).
The participant should have:
- Basic understanding of network traffic and malware.
- Be able to use virtual machine technology (we use VirtualBox).
- Experience with firewalls (preferably iptables) and network traffic analysis (Wireshark and similar tools).
- Basic understanding of assembler and higher-level programming languages, so that analysed software fragments can be interpreted in context.
- Experience with process and program debugging (optional).
- Programming experience in assembler or C(++) (optional).
Please be aware of the strongly technical nature of this course; it is not intended for inexperienced IT security specialists.
Additional information about the course: Leo Oja (leo.oja-at-ccdcoe.org)