Cyber-Bedrohungen im Maritimen Sektor -- Der Threat Intelligence Ansatz
Mar 1, 2018 13:00
Reale Bedrohung, angemessenes Handeln -- Threat Intelligence in KRITIS
Sep 20, 2017 10:00


If you are looking for a bachelor or master thesis, check the following topics or get in touch with me if you have something security-related in mind:

  • Malware analysis and software reverse engineering
    • Instrumenting malware execution
    • Hardware-based code tracing using Intel Processor Trace (IPT)
    • Reversing blockchain-based smart contracts
  • Threat intelligence
    • Leveraging text mining and artificial intelligence to consume and consolidate threat intelligence reports
  • Internet of Things (IoT)
    • Code tracing techniques for malware targeting IoT platforms (MIPS, ARM etc.)

In spring 2018, I will be teaching the following courses:

  • new! Practical Security Attacks and Exploitation (PRAX) - a practical course on security attacks and offensive techniques for Bachelor students
  • ATIS/SRE: Software Reverse Engineering (SRE) as part of the lecture ‘Ausgewählte Themen aus dem Bereich Internet und Sicherheit (ATIS)’. This course is part of the Master-Studiengang Internet-Sicherheit, but also open to other students.
  • INP: Internetprotokolle (Internet protocols)

Selected Publications

The following is a subset of my publications. See here for a list of all publications.

. P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets. In 34th IEEE Symposium on Security and Privacy, S&P 2013. San Francisco, USA, 2013.


. CoCoSpot: Clustering and Recognizing Botnet Command and Control Channels Using Traffic Analysis. A Special Issue of The Computer Networks Journal On Botnet Activity: Analysis, Detection and Shutdown, Elsevier 2012, Journal publication, 2012.


. Manufacturing Compromise: The Emergence of Exploit-as-a-Service. 19th ACM Conference on Computer and Communications Security, CCS 2012, Raleigh, NC, USA, 2012.



More Publications

. Hiding in Plain Sight -- Advances in Malware Covert Communication Channels: Stegoloader and PlugX. Blackhat Europe. Amsterdam, The Netherlands, 2015.

PDF Slides

. PROVEX: Detecting Botnets with Encrypted Command and Control Channels. In 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA. Berlin, Germany, 2013.


. Identification and Recognition of Remote-Controlled Malware. Inauguraldissertation, PhD Thesis, Universität Mannheim, Germany, 2013.


. Exploiting Visual Appearance to Cluster and Detect Rogue Software. ACM’s 28th Symposium On Applied Computing (SAC), Coimbra, Portugal, 2013.


. Large Scale Analysis of Malware Downloaders. 9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment DIMVA 2012, Heraklion, Greece, 2012.


. Prudent Practices for Designing Malware Experiments Status Quo and Outlook. 33rd IEEE Symposium on Security and Privacy (S&P) 2012, San Francisco, CA, USA, 2012.


. eID Online Authentication: Network Threat Model Attacks and Implications. 19 DFN Workshop 2012, Hamburg, Germany, 2012.

PDF Slides

Blog Posts

More Posts

The following blog was written while working for CrowdStrike. It is available at As malware and its authors continue to evolve, deciphering the purpose of specific malware-driven attacks has become more challenging. While some malware still has a feature-specific design such as DDoS tools or spam bots, it is becoming increasingly common for malware to have multiple uses for different missions. Recent banking trojans for example are likely to support remote access, which is not typically required to deliver web injects and steal credentials.


The following blog was written while working for CrowdStrike. It deals with the developments and the propagation of exploits surrounding CVE-2014-1761, a code execution vulnerability in Microsoft Word that was also leveraged in targeted attacks. The post shows how the events unfolded and shows which actors used exploits for the vulnerability at which point in time.

Read the full blog at


The following blog was written while working for CrowdStrike. It deals with a characteristic code invocation technique on 32-bit Windows that was discovered while analyzing malware linked to a targeted intrusion attributed to the VENOMOUS BEAR/Turla actor. The invocation technique leverages the window class “Shell_TrayWnd” to get a handle to explorer.exe, and uses SetWindowLong() to set a function pointer in extra window memory to the beginning of the injected shellcode.


While most of the stuff we analyze is Windows malware, when it comes to implementing detection or analysis approaches, we surely turn to GNU/Linux. One of the best tools I stumbled upon when it comes to profiling, i.e. analyzing the execution performance of C code under Linux is perf. Since most of the time we have to develop code that has to run fast, especially when dealing with carrier-grade network links of 10 GbE, profiling is inevitable.


As part of our research on botnets, we developed recognition techniques for botnet command and control flows, such as CoCoSpot. Obviously, we use these techniques to track C&C channels and their activities. Throughout our analysis period of more than three years, we have seen several botnets come and go. Some botnets have faced dedicated takedowns, such as Rustock, Mariposa, Mega-D, Kelihos and Pushdo, while others cease without further ado.


The following is a random subset of malware sample metadata of samples targeting Internet-of-Things devices. These samples and the infection sessions have recently been intercepted by our IoT collection honeypots. Consider these indicators as suspicious.

If you are looking for research collaboration on the topic of IoT malware or if you are interested in samples, please get in touch with me.