Debugging and Monitoring Malware Network Activities with Haka Ancel & Talbi

Malware analysts have an arsenal of tools with which to reverse engineer malware but lack the means to monitor, debug and control malicious network traffi c. In this paper we propose the use of Haka, an open source security-oriented language, to address this problem. The rationale for this is fourfold: fi rst, Haka features a grammar that allows one to naturally express malware protocol dissectors. Second, Haka provides the most advanced API for packet and stream manipulation. One can drop, create and inject packets. Haka also supports on-the-fl y packet modifi cation. For example, this enables us to hijack some botnet commands to automatically disinfect a set of compromised computers if the malware supports such C&C commands (e.g. uninstall). Third, Haka has an interactive mode that enables it to break into particular packets/streams and inspect their content. Finally, Haka provides a dedicated and customizable tool (Hakabana) to provide a real-time visualization of malware network activities through Kibana dashboards. In this paper we will a provide a set of protocol dissectors and security rules in order to monitor the C&C activities of well-known malware families and show some statistics and interesting results from our tracking of real-word C&C traffi c.