To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

On Fri, 3 Mar 2006, John Lampe wrote:

[snip]

> Are there any good books which contain a good bit of data regarding how
> botnets work?

"Internet Denial of Service: Understanding and Defending Against DDoS Attacks"
ISBN 0131475378

Released recently and written in the main by Dave Dittrich of washington.edu.

> Are there any open-source IDS/IPS tools which do a good job of detecting
> the majority of botnet clients and servers? I'd be interested in
> generic rules which don't rely on srcport, dstport, srcip, dstip. i.e.
> some shared feature of botnets which allows fingerprinting irregardless
> of where the traffic is headed to or coming from.

This relies on knowing the protocol. Outside of the nubile IRC approach you're probably out of luck. Google for sdbot, rxbot et al. Channel topics often have 'advscan' and the like, which is useful in a sense, but I can see those signatures having a pretty limited lifetime. The generic commands are pretty much static, but the prefix (!, . etc.) will fluctuate according to the build or codebase.

> Are there any good scanners which detect botnet servers and clients. I
> grepped through the Nessus plugins and only noted several bot-ish
> plugins. Is there some inherent weakness with detecting botnet
> servers/clients via an active network check?

The last few I looked at were hacked Unreal ircd which said nothing until you presented the correct password. Even then, once in, the source was modified to the point where no useful information was available. As in - no motd, obscured hosts, no channel clients list and a very restricted set of client->server commands. Engineered such that the bare essentials were available and nothing else, in order to foil any potential spies or someone that might want to steal the net. Channel topic for binary updates or automated scanning and public chat for attacks were pretty much the only things that still worked.

Regards,
Jess.

_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
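Jess's point that the command verbs stay roughly static while the prefix character varies per build suggests a detection rule that keys on the verb and treats the prefix as a wildcard. The following is an added example, not code from the thread or from any IDS; the verb watchlist (only 'advscan', taken from the post) and the IRC sample lines are constructed assumptions.

```python
import re
from typing import Optional

# Verbs to watch for in channel topics and messages. 'advscan' comes from the
# thread above; the set is an assumption to be extended from families you
# actually observe, since Jess notes these signatures age quickly.
BOT_COMMAND_VERBS = {"advscan"}

# Loose IRC line parser: optional ":source ", upper-case command, params, and
# an optional " :trailing" payload (where topics and messages carry text).
IRC_LINE = re.compile(
    r"^(?::(?P<source>\S+) )?(?P<cmd>[A-Z]+) (?P<params>[^:]*?)"
    r"(?: :(?P<trailing>.*))?$"
)

# Bot command inside the payload: ONE punctuation prefix of any kind, a verb,
# then arguments. The prefix is deliberately not pinned to '!' or '.'.
BOT_CMD = re.compile(r"^(?P<pfx>[^\w\s])(?P<verb>[a-z]+)(?:\s+(?P<args>.*))?$")


def find_bot_command(line: str) -> Optional[dict]:
    """Return details of a watched verb in a TOPIC/PRIVMSG line, else None."""
    m = IRC_LINE.match(line.strip())
    if not m or m.group("cmd") not in ("TOPIC", "PRIVMSG"):
        return None
    c = BOT_CMD.match(m.group("trailing") or "")
    if not c or c.group("verb") not in BOT_COMMAND_VERBS:
        return None
    return {
        "irc_cmd": m.group("cmd"),
        "source": m.group("source") or "",
        "prefix": c.group("pfx"),
        "verb": c.group("verb"),
        "args": c.group("args") or "",
    }


def scan_irc_lines(lines) -> list:
    """Run the check over captured IRC lines and collect the hits."""
    return [hit for hit in map(find_bot_command, lines) if hit]


# Constructed sample traffic: two builds using different prefixes, plus noise.
SAMPLE_LINES = [
    ":ctrl!u@h TOPIC #x :.advscan foo 100 5 0 -r",
    ":ctrl!u@h PRIVMSG #x :!advscan foo 100 5 0",
    ":alice!u@h PRIVMSG #x :hello there",
    "PING :irc.example",
]

if __name__ == "__main__":
    for hit in scan_irc_lines(SAMPLE_LINES):
        print(hit)
```

Both the '.' and '!' builds are flagged by the same rule, while the chat line and the PING are ignored.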
