Automated extraction of botnet IoCs at large scale
The premise of detecting and blocking a botnet is to collect its binary samples (malware) and quickly extract IoCs such as C2 domain names and IP addresses, which have become an important component of threat intelligence data. Relying on 360's massive sample feed and our globally deployed honeypots, we collect the latest botnet samples in real time and then combine binary analysis with sandbox technology to automatically extract IoCs such as C2 domains and IPs. At present we automatically extract IoCs for more than 200 botnet families.
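As an added illustration of the static-plus-dynamic extraction described above (this is not 360's pipeline, whose internals the page does not show), the following Python merges two constructed inputs, a strings(1)-style dump of a sample and a sandbox network log, into one IoC table. The log format, the sample strings, the allowlist and the addresses are all hypothetical; the point is the practitioner checks: validate candidate IPs, drop non-routable space, drop known-benign infrastructure and the addresses it resolved to, and raise confidence when a domain seen in the binary is resolved in the sandbox and then actually contacted.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed strings(1)-style dump of a sample. All values are hypothetical.
SAMPLE_STRINGS = [
    "/bin/busybox",
    "c2.example-malware.test",
    "dl.example-malware.test",
    "198.51.100.23:6667",
    "GET /bins/bot.x86 HTTP/1.0",
    "https://www.google.com/",   # connectivity check, not a C2
    "1.2.3",                     # version string, not an address
    "Report: 999.1.1.1",         # looks like an IP, is not a valid one
]

# Constructed sandbox network events, one per line. The format is hypothetical.
SANDBOX_LOG = """\
[net] dns query c2.example-malware.test -> 198.51.100.23
[net] tcp connect 198.51.100.23:6667
[net] dns query pool.ntp.org -> 203.0.113.9
[net] udp send 203.0.113.9:123
[net] udp send 8.8.8.8:53
[net] tcp connect 192.168.1.1:80
[net] dns query www.google.com -> 203.0.113.50
[net] tcp connect 203.0.113.50:443
"""

# Constructed allowlist: infrastructure many samples touch that is never C2.
BENIGN = {"www.google.com", "pool.ntp.org", "8.8.8.8"}

# Address space that can never be a routable C2. The RFC 5737 documentation ranges
# (198.51.100.0/24, 203.0.113.0/24) are left routable here only because the
# constructed sample uses them as stand-ins; production code should drop them too.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.I)
IPV4_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")
DNS_RE = re.compile(r"dns query (\S+) -> (\S+)")
CONN_RE = re.compile(r"(?:tcp|udp) (?:connect|send) ((?:\d{1,3}\.){3}\d{1,3}):(\d+)")


@dataclass
class Ioc:
    kind: str                                      # "domain" or "ip"
    value: str
    sources: set = field(default_factory=set)      # "static", "dns", "connect"
    ports: set = field(default_factory=set)        # ports seen for an ip
    resolves_to: set = field(default_factory=set)  # sandbox resolutions of a domain


def routable_ip(text):
    """Return the normalised address if text is a valid, routable IP, else None."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:          # e.g. 999.1.1.1 passes the regex but is not an address
        return None
    if any(ip in net for net in NON_ROUTABLE):
        return None
    return str(ip)


def _record(iocs, kind, value, source, port=None):
    ioc = iocs.setdefault(value, Ioc(kind, value))
    ioc.sources.add(source)
    if port:
        ioc.ports.add(int(port))


def extract_iocs(strings, sandbox_log, allowlist=BENIGN):
    """Merge static and dynamic observations into one IoC table keyed by value."""
    iocs = {}
    # Static pass: addresses and domains embedded in the binary.
    for s in strings:
        for ip, port in IPV4_RE.findall(s):
            if routable_ip(ip):
                _record(iocs, "ip", ip, "static", port)
        for dom in DOMAIN_RE.findall(s):
            _record(iocs, "domain", dom.lower(), "static")
    # Dynamic pass: what the sample actually resolved and contacted in the sandbox.
    for line in sandbox_log.splitlines():
        if m := DNS_RE.search(line):
            dom, ip = m.group(1).lower(), m.group(2)
            _record(iocs, "domain", dom, "dns")
            if routable_ip(ip):
                iocs[dom].resolves_to.add(ip)
        elif m := CONN_RE.search(line):
            ip, port = m.groups()
            if routable_ip(ip):
                _record(iocs, "ip", ip, "connect", port)
    # Drop known-benign names and the addresses the sandbox resolved them to.
    benign_ips = {ip for name in allowlist if name in iocs for ip in iocs[name].resolves_to}
    return {v: i for v, i in iocs.items() if v not in allowlist and v not in benign_ips}


def confidence(ioc, iocs):
    """One point per independent source, plus one if a domain resolved in the
    sandbox to an address the sample then connected to."""
    score = len(ioc.sources)
    if ioc.kind == "domain" and any(
            "connect" in iocs[ip].sources for ip in ioc.resolves_to if ip in iocs):
        score += 1
    return score


if __name__ == "__main__":
    table = extract_iocs(SAMPLE_STRINGS, SANDBOX_LOG)
    for ioc in sorted(table.values(), key=lambda i: -confidence(i, table)):
        print(confidence(ioc, table), ioc.kind, ioc.value, sorted(ioc.ports), sorted(ioc.sources))
```

On the constructed input this keeps three IoCs (the C2 domain, its resolved address with port 6667, and a download domain seen only in the binary) and discards the NTP pool, Google DNS, the connectivity-check domain, the LAN address and the malformed string. Seeing an indicator in both the static and dynamic passes is what separates a real C2 from noise a sandbox run produces anyway.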
Botnet C2 Tracking
The purpose of the C2 tracking project is to gain visibility into what the botnets we detect are actually doing: what attack commands the C2 issues, who the targets are, which attack methods are used, and so on.
FunctionDB
The FunctionDB project mines basic-block-level code and data features, such as instruction mnemonics and strings, from our large corpus of labeled samples, then uses machine learning to correlate and cluster this information. The result is used to identify unknown samples, for example by finding code and data in an unknown sample that is reused from known family samples, which assists manual analysis.
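As an added illustration of basic-block-level matching (not FunctionDB's own code, data or model, none of which the page shows), the following Python indexes constructed IDA-style listings of three hypothetical families by basic block, fingerprints each block on its mnemonic sequence so that a re-keyed XOR decoder or a relinked call still collides, and records the string literals each block references. An unknown sample is then scored per family by a rarity weighting (log(N/df)) that gives zero weight to blocks present in every family, such as prologue and epilogue boilerplate, which would otherwise produce false attributions. The weighting is a stand-in for the clustering the project actually uses; family names, addresses and strings are constructed.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed IDA-style listings grouped into basic blocks. Family names,
# addresses and string literals are hypothetical.
KNOWN_SAMPLES = {
    "FamilyA": [
        ["push ebp", "mov ebp, esp", "sub esp, 40h"],
        ["mov al, [esi]", "xor al, 22h", "mov [edi], al", "inc esi", "inc edi",
         "dec ecx", "jnz short loc_401020"],                     # XOR string decoder
        ['push offset aBotReport ; "/bot/report.php?id=%s"',
         'push offset aGetSHttp11 ; "GET %s HTTP/1.1"', "push edi", "call _sprintf"],
        ["mov esp, ebp", "pop ebp", "retn"],
    ],
    "FamilyB": [
        ["push ebp", "mov ebp, esp", "sub esp, 40h"],
        ['push offset aBusybox ; "/bin/busybox ECHO"', "call _system"],
        ["mov eax, [ebp+8]", "cmp eax, 1Fh", "jnz short loc_402000"],
        ["mov esp, ebp", "pop ebp", "retn"],
    ],
    "FamilyC": [
        ["push ebp", "mov ebp, esp", "sub esp, 40h"],
        ["mov eax, [ebp+0Ch]", "shl eax, 2", "add eax, [ebp+8]", "mov [ebp-4], eax"],
        ['push offset aPassword ; "password"', 'push offset aAdmin ; "admin"', "call sub_403000"],
        ["mov esp, ebp", "pop ebp", "retn"],
    ],
}

# Constructed unknown sample: FamilyA's decoder with a new key and its report
# routine switched from GET to POST, plus one block the index has never seen.
UNKNOWN_SAMPLE = [
    ["push ebp", "mov ebp, esp", "sub esp, 80h"],
    ["mov al, [esi]", "xor al, 5Ah", "mov [edi], al", "inc esi", "inc edi",
     "dec ecx", "jnz short loc_401120"],
    ['push offset aBotReport ; "/bot/report.php?id=%s"',
     'push offset aPostSHttp11 ; "POST %s HTTP/1.1"', "push edi", "call _sprintf"],
    ["call _connect", "test eax, eax", "js short loc_401200"],
    ["mov esp, ebp", "pop ebp", "retn"],
]

STRING_RE = re.compile(r'"([^"]*)"')


def block_fingerprint(block):
    """Hash of the mnemonic sequence only; registers, immediates (the XOR key)
    and addresses are dropped so re-keyed or relinked code still collides."""
    seq = " ".join(insn.split()[0].lower() for insn in block)
    return hashlib.sha1(seq.encode()).hexdigest()[:16]


def block_strings(block):
    """String literals a block references (the quoted part of an IDA comment)."""
    return {s for insn in block for s in STRING_RE.findall(insn)}


class FunctionIndex:
    def __init__(self, labeled):
        assert len(labeled) >= 2, "rarity weighting needs at least two families"
        self.families = list(labeled)
        self.block_index = defaultdict(set)    # fingerprint -> families containing it
        self.string_index = defaultdict(set)   # string literal -> families using it
        for fam, blocks in labeled.items():
            for b in blocks:
                self.block_index[block_fingerprint(b)].add(fam)
                for s in block_strings(b):
                    self.string_index[s].add(fam)

    def idf(self, fp):
        """log(N/df): a block unique to one family weighs log N, a block present in
        every family (prologue/epilogue boilerplate) weighs 0, an unseen block 0."""
        df = len(self.block_index.get(fp, ()))
        return math.log(len(self.families) / df) if df else 0.0

    def attribute(self, blocks):
        """Score each family by the rarity-weighted share of the unknown sample's
        blocks it contains (0..1) and list the shared blocks and strings."""
        max_weight = len(blocks) * math.log(len(self.families))
        report = {f: {"score": 0.0, "shared_blocks": [], "shared_strings": set()}
                  for f in self.families}
        for idx, b in enumerate(blocks):
            fp = block_fingerprint(b)
            w = self.idf(fp)
            if w > 0.0:                          # skip boilerplate and unseen blocks
                for fam in self.block_index[fp]:
                    report[fam]["score"] += w / max_weight
                    report[fam]["shared_blocks"].append(idx)
            for s in block_strings(b):
                for fam in self.string_index.get(s, ()):
                    report[fam]["shared_strings"].add(s)
        return report


if __name__ == "__main__":
    for fam, r in FunctionIndex(KNOWN_SAMPLES).attribute(UNKNOWN_SAMPLE).items():
        print(fam, round(r["score"], 2), r["shared_blocks"], sorted(r["shared_strings"]))
```

On the constructed input FamilyA scores 0.4 (two of five blocks, both unique to it, plus the shared report-path string) while FamilyB and FamilyC score 0 even though they share the prologue and epilogue with the unknown sample. The analyst gets the block indices to start from rather than a bare family label.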