I’ve made it through the June and July 2013 posts on Malware Traffic Analysis. I’m starting to understand his process more, and partially how he came to follow that process.
Mainly from what I could tell, and was confirmed in the blog posts, and via twitter, The site explodes malware on systems and gets pcaps for those systems. Then looks to see what call outs are there. The exercises and blog posts, so far, have only shown 1 ip address. Which makes it easier than a full corporate network to find the traffic.
Something I noticed. While Malware Traffic Analysis says to configure Wireshark one way, the blog posts of late show it’s now configured a little differently.