There are far too many pieces to the information security puzzle for one person to know them all. That’s OK, but there are still quite a few topics which warrant at least some basic level of understanding. One such topic is the typical malware kill chain. Those interested in different aspects of security may find they know nothing about this. They may also find the desire to learn.

If the best way to learn is by doing then let’s “do” some malware.

Students of this workshop will learn how to:

• Build (harmless) pluggable implants for Windows in C
• Run simple command-and-control and related services
• Tie these pieces together into a usable kill chain

Please note we will not cover evasive or persistence techniques. The instructor is not a malware expert and has no intentions (yet) of arming the populace.

This workshop aims to provide a bit of fun and understanding around botnets and the kill chains used to build them. Students will take away a basic but (hopefully) new perspective on something they may have only read about in passing, but more importantly a spark to encourage continued research and experimentation at home.

Prerequisites

Attendance Requirements

Students are expected to meet the following requirements before attending the workshop.

• Intermediate level programming experience. Core programming skills, statements, data types, data structures, control structures, I/O. (3+ years)
• Intermediate level C (not C++) programming experience. Intermediate level programming experience plus C-specific arrays, pointers, pointer arithmetic, structures, typecasting, memory management. (2+ years, >50% on https://www.tutorialspoint.com/cprogramming/cprogramming_online_quiz.htm)
• Novice level experience writing Go. Intermediate level programming experience plus Go-specific slices, maps, structures. (6+ months, >50% on https://www.tutorialspoint.com/go/go_online_quiz.htm)
• Fundamental understanding of networking and the internet. (HTTP, IP, DNS)

Environment Technical Requirements

Technical requirements for the workshop are as follows. Please note that in all cases students’ preferred technology may be substituted (Atom in place of VSCode, Python in place of Go, etc…), however no support or accommodation for any alternative choices will be provided. Students deviating from the prescribed requirements will be auditing the workshop, rather than actively participating. Students are strongly encouraged to match the instructors’ choices for simplicity. Students are advised to use HashiCorp Vagrant with VirtualBox to set up the environment. A Vagrantfile will be provided with workshop materials.

Requirement Details

• Development Environment
  • Windows 10 2004
  • Go 1.15
  • MinGW 8.1.0
  • Microsoft Visual Studio Code 1.48.1+
    • Go (golang.go) extension
    • Go extension required tools. Use “Go: Install/Update Tools” from the command palate to install all tools.
    • C/C++ (ms-vscode.cpptools) extension
    • Live Share (ms-vsliveshare.vsliveshare) extension (Recommended. Set up the extension with a Microsoft or GitHub account.)
  • Internet access
  • Network access
  • Ability to transfer files to Server
• Server (may be shared with Development Environment)
  • Network access (may be local or virtual)
  • Inbound access to port 80 from all other systems
• Utility Environment
  • Kali Linux 2020.3
  • Metasploit framework (installed by default)
  • Python 2.7 (installed by default)
  • Wget (installed by default)
  • PIP package Distorm3, version 3.3.4. pip install distorm3==3.3.4
  • Internet access
  • Network access
  • Ability to transfer files to Server
• Client
  • Windows 10 2004
  • Firefox 50.0.1 32-bit
    • Disable the MozillaMaintenance service
    • Disable automatic updating
  • No anti-virus or endpoint protection
  • Ability to modify system’s hosts file.
  • Network access to Server on port 80