The goal of the workshop is to give a short introduction to the analysis of malicious code such as the Zeus bot. During the exercise we will analyze the memory image of an infected machine. Either the REMnux or the Kali Linux distribution is suitable for this, but REMnux is recommended. We will discuss the structure of the Zeus bot and learn how to recognize it in a memory image.
As we analyze the memory image I will introduce the capabilities of the Volatility Framework. We will see how to find Zeus in the memory image, and we will learn what suspicious processes, suspicious network traffic and suspicious disk activity can be expected from a computer infected with this bot. By the end of the analysis we will know how to identify an infected victim machine, and how the Zeus bot tries to hide itself from an analyst.
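As an added example (not part of the workshop material or of Volatility itself), the script below shows one general cross-view check of the kind used to surface hidden processes: it parses the output of Volatility 2's psxview plugin and flags every process that is absent from the linked EPROCESS list (pslist) but still visible to at least one other enumeration method. The psxview output embedded here is constructed for illustration, not captured from a Zeus infection, and the process name suspect.exe is a placeholder; the check is a generic memory-forensics technique, not a Zeus-specific signature the workshop describes.

```python
"""Cross-view process check over Volatility 2 psxview output.

Added illustration; the sample output below is constructed, not taken from a
real memory image, and "suspect.exe" is a placeholder process name.
"""
from dataclasses import dataclass

# Column order of Volatility 2's psxview plugin after Offset(P), Name and PID.
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Constructed excerpt in psxview's text layout. Only the last process is
# missing from the linked process list, which is what a process-hiding
# technique (unlinking the EPROCESS entry) would produce.
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x01e3a020 System                    4 True   True   True     True   False False   False
0x01f9b5a8 explorer.exe           1456 True   True   True     True   True  True    True
0x01d4c798 svchost.exe            1064 True   True   True     True   True  True    True
0x01dd2a90 suspect.exe            2336 False  True   True     True   True  True    True
"""


@dataclass
class ProcessView:
    offset: str
    name: str
    pid: int
    seen: dict  # source name -> whether that method saw the process


def parse_psxview(text: str) -> list:
    """Parse psxview's whitespace-separated table into ProcessView records."""
    views = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, the header row and the dashed separator row.
        if len(fields) < 3 + len(SOURCES) or fields[0].startswith(("Offset", "---")):
            continue
        flags = fields[-len(SOURCES):]
        pid = int(fields[-len(SOURCES) - 1])
        # Everything between the offset and the PID is the process name.
        name = " ".join(fields[1:-len(SOURCES) - 1])
        seen = {src: flag == "True" for src, flag in zip(SOURCES, flags)}
        views.append(ProcessView(fields[0], name, pid, seen))
    return views


def find_hidden(views: list) -> list:
    """Processes unlinked from pslist but found by at least one other method."""
    return [
        v for v in views
        if not v.seen["pslist"] and any(v.seen[src] for src in SOURCES if src != "pslist")
    ]


if __name__ == "__main__":
    for proc in find_hidden(parse_psxview(SAMPLE_PSXVIEW)):
        print(f"hidden? {proc.name} (PID {proc.pid}) at {proc.offset}")
```

A process that shows False under pslist is not proof of hiding on its own: psscan also finds EPROCESS structures of processes that have already exited, so confirm with psscan's exit time column before treating the hit as malicious. Conversely, legitimate System, smss.exe and csrss.exe entries are normally False in the csrss, session and deskthrd columns, which is why the check keys on pslist rather than on any False flag.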