In incident response or intelligence gathering, the question "what happened on the network?" is commonplace. As adversaries deploy remote access trojans onto target networks, being able to answer that question depends on your ability to understand the protocols being used. Some protocols are well understood by common utilities like Wireshark, but what do you do when the protocol is foreign to your tools? You have to write a custom decoder. We will present Chopshop, an open source framework for protocol analysis and decoding. Chopshop tries to make writing a custom protocol decoder as easy as possible by presenting a standard API for decoders and a rich set of supporting libraries. Decoders are modules that run on top of the framework, which makes sharing them with third parties and partners considerably easier. We will demonstrate Chopshop by decoding the protocol used by gh0st, a well-known remote access trojan discussed in published reports such as The VOHO Campaign.
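To make concrete what a custom decoder for gh0st has to do, here is a stand-alone Python stream decoder. It is an added illustration, not Chopshop code and not the talk's own decoder: it implements the gh0st framing described in public analyses (a 13-byte header made of a 5-byte magic, by default "Gh0st", a little-endian uint32 total message length including the header, and a little-endian uint32 length of the payload before compression, followed by a zlib stream), and it handles the two things a stream decoder must cope with, frames split across packets and garbage or bad headers between frames. The sample traffic is constructed inline with the same framing; the command byte at the start of each decompressed payload is left uninterpreted.

```python
"""Stand-alone decoder for the published gh0st wire framing.

Added example, not ChopShop's own gh0st decoder. Layout assumed here,
from public reports on gh0st: magic(5) | total_len(u32 LE) | orig_len(u32 LE)
| zlib(payload). total_len counts the 13-byte header. Variants change the
magic, so it is a parameter. Sample messages below are constructed.
"""
import struct
import zlib

DEFAULT_MAGIC = b"Gh0st"
HEADER_LEN = 13  # 5-byte magic + uint32 total length + uint32 original length


def build_message(payload, magic=DEFAULT_MAGIC):
    """Frame a plaintext payload the way a gh0st peer would (used to build test traffic)."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


class Gh0stStreamDecoder:
    """Reassembles one direction of a TCP stream into decoded gh0st payloads.

    feed() accepts arbitrary chunk boundaries (per-packet data, as a
    stream-oriented decoder sees it) and keeps any partial frame until
    more data arrives. Decoded payloads go to .messages, problems to .errors.
    """

    def __init__(self, magic=DEFAULT_MAGIC):
        self.magic = magic
        self.buf = b""
        self.messages = []  # decompressed payloads, in stream order
        self.errors = []    # notes on bytes or frames that could not be decoded

    def feed(self, chunk):
        self.buf += chunk
        while True:
            idx = self.buf.find(self.magic)
            if idx < 0:
                # No full magic yet: keep only a tail that could be a split magic.
                self.buf = self.buf[max(0, len(self.buf) - (len(self.magic) - 1)):]
                return
            if idx:
                self.errors.append("skipped %d bytes before magic" % idx)
                self.buf = self.buf[idx:]
            if len(self.buf) < HEADER_LEN:
                return  # wait for the rest of the header
            total_len, orig_len = struct.unpack_from("<II", self.buf, len(self.magic))
            if total_len < HEADER_LEN:
                self.errors.append("bad total length %d" % total_len)
                self.buf = self.buf[1:]  # resync one byte further on
                continue
            if len(self.buf) < total_len:
                return  # wait for the rest of the body
            body = self.buf[HEADER_LEN:total_len]
            self.buf = self.buf[total_len:]
            try:
                payload = zlib.decompress(body)
            except zlib.error as exc:
                self.errors.append("zlib failure: %s" % exc)
                continue
            if len(payload) != orig_len:
                # Header lied about the uncompressed size; keep the data but flag it.
                self.errors.append("length mismatch: header says %d, got %d"
                                   % (orig_len, len(payload)))
            self.messages.append(payload)


def decode_stream(chunks, magic=DEFAULT_MAGIC):
    """Convenience wrapper: feed a list of chunks, return (payloads, errors)."""
    dec = Gh0stStreamDecoder(magic)
    for chunk in chunks:
        dec.feed(chunk)
    return dec.messages, dec.errors


if __name__ == "__main__":
    # Constructed traffic: two messages, delivered in three uneven chunks.
    stream = build_message(b"\x65hello") + build_message(b"\x66" + b"B" * 300)
    payloads, errors = decode_stream([stream[:7], stream[7:60], stream[60:]])
    for p in payloads:
        print("command byte 0x%02x, %d payload bytes" % (p[0], len(p)))
    print("errors:", errors)
```

Inside a Chopshop module the same logic would run from the stream callback over the per-direction buffer the framework hands it, discarding consumed bytes after each complete frame; here the buffer is managed by the class so the decoder can be run and tested offline on captured bytes.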
Wesley Shields is an information security engineer for The MITRE Corporation, a not-for-profit organization that manages federally funded research and development centers. He works in the internal information security group on a specialized team of analysts and developers focused on dealing with targeted attacks, building custom tools and augmenting commercial capabilities to mitigate targeted attacks and produce actionable intelligence on adversarial activity.
Murad Khan is an information security engineer for The MITRE Corporation, a not-for-profit organization that manages federally funded research and development centers. Murad works in the internal information security group on a specialized team of analysts and developers focused on dealing with targeted attacks, building custom tools and augmenting commercial capabilities to mitigate targeted attacks and produce actionable intelligence on adversarial activity.