To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

I am not sure what everyone else does, but I generally just let my IDS alert me of detected IRC connections. This can require a bit of tweaking depending on your network size and AUP in place. For example, on the network I work with (~2200 users), IRC is something that is not allowed for all intents and purposes. So while I do get 100% complete false positives occasionally, I still end up with a few valid alerts that are for legitimate IRC users (web tech support or someone going on freenode). However, that's part of my job. If I received more false positives I'd probably tweak the rules more, but they're pretty good.

I just look for PRIVMSG, JOIN, and some other things on all ports. I am not naive enough to think this will catch every possible instance. We've got a few other things in place; however, this catches 99% of the morons sending this stuff out anyway.

My questions are:

How often do you guys encounter botnets that are actually using encryption of some sort? (i.e. my rules won't be able to pick them up since I am looking for cleartext activity)

Has anyone actually encountered any machines infected with the Gnutella-style botnet (unencrypted or encrypted)? I've read and seen a few blips about botnets that use gnutella-type networks to link up with one another and not standard IRCD-type activity. I've also seen the same about some that are designed to check webpages for commands. I, however, have never actually encountered either of these types of trojan/bot software. Anyone else?

Steven

----- Original Message -----
From: "Jose Nazario" <[EMAIL PROTECTED]>
To: "Gadi Evron" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Friday, March 03, 2006 10:09 PM
Subject: Re: [botnets] finding botnets on a network/from samples

> On Sat, 4 Mar 2006, Gadi Evron wrote:
>
>> These filters work to a level.. but I believe what's required here is
>> some insight as to how to detect botnets on a network, as well as get
>> the C&C data from samples.
>
> detecting crypto where you don't expect it: marius eriksen's netics with
> the appropriate pcap filters.
>
> follow the sample: IDA Pro, look for a JOIN, trace to/from there.
>
>> What are your tricks? What tools do you use?
>
> if you have a big network view, one of the things we do is watch for all
> non-well known IRC server usage on common IRC ports. hand investigation
> then. works pretty well, actually.
>
> ________
> jose nazario, ph.d.
> [EMAIL PROTECTED]
> http://monkey.org/~jose/ http://infosecdaily.net/
> http://www.wormblog.com/

_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
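The two detection ideas in this thread, Steven's "look for PRIVMSG/JOIN on all ports" rule and Jose's "detect crypto where you don't expect it", can be sketched as one small classifier over reassembled client-to-server payloads. The code below is an added example written for this page; it is not code from the botnets list, from Steven, from Jose Nazario, or from netics. The flows, port lists, entropy threshold and minimum-length cutoff are all constructed or assumed values, and the "possible-encrypted" verdict only flags high-entropy data on ports where encryption is not normally expected, which is exactly the gap a cleartext-only IRC rule leaves open.

```python
"""Toy IRC-on-any-port detector plus an entropy check for unexpected crypto.

Added example, not code from the botnets list or any poster. Sample flows
are constructed; port lists and thresholds are assumptions.
"""
import math
import random
import re
from collections import Counter

# IRC commands worth alerting on, anchored at line start (with an optional
# ":prefix " as IRC allows) so a stray "JOIN" inside an HTTP body is ignored.
IRC_CMD_RE = re.compile(rb"(?m)^(?::\S+ )?(PRIVMSG|JOIN|NICK|USER|NOTICE|TOPIC)\b")

# Assumed port sets: where IRC normally lives (IANA 6665-6669), and where
# encrypted traffic is expected so high entropy there is NOT interesting.
WELL_KNOWN_IRC_PORTS = {6665, 6666, 6667, 6668, 6669}
EXPECTED_ENCRYPTED_PORTS = {22, 443, 993, 995, 6697}
ENTROPY_THRESHOLD = 7.0   # bits per byte; assumption (text is ~4-5, ciphertext ~8)
MIN_ENTROPY_BYTES = 256   # below this, entropy estimates are too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_flow(payload: bytes, dst_port: int) -> dict:
    """Return a verdict for one client->server payload on `dst_port`.

    'irc-cleartext'      : IRC commands seen (on any port; off_irc_port says which)
    'possible-encrypted' : long, high-entropy data on a port where crypto is unexpected
    'none'               : nothing this toy rule set cares about
    """
    commands = sorted({m.group(1).decode("ascii") for m in IRC_CMD_RE.finditer(payload)})
    entropy = shannon_entropy(payload)
    result = {
        "commands": commands,
        "entropy": round(entropy, 2),
        "off_irc_port": dst_port not in WELL_KNOWN_IRC_PORTS,
    }
    if commands:
        result["verdict"] = "irc-cleartext"
    elif (len(payload) >= MIN_ENTROPY_BYTES
          and entropy >= ENTROPY_THRESHOLD
          and dst_port not in EXPECTED_ENCRYPTED_PORTS):
        result["verdict"] = "possible-encrypted"
    else:
        result["verdict"] = "none"
    return result


def _random_blob(seed: int, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted stream (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed sample flows: (source host, destination port, payload).
SAMPLE_FLOWS = [
    ("10.0.0.5", 6667, b"NICK bot-a1\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\nPRIVMSG #cmd :online\r\n"),
    ("10.0.0.6", 8080, b":10.0.0.6 PRIVMSG #cmd :online\r\n"),          # IRC on a non-IRC port
    ("10.0.0.7", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"),
    ("10.0.0.8", 443, _random_blob(1, 2048)),                          # TLS-like, expected
    ("10.0.0.9", 4444, _random_blob(2, 2048)),                         # ciphertext where none is expected
]


def scan(flows=SAMPLE_FLOWS) -> dict:
    """Classify every flow; returns {source host: verdict dict}."""
    return {src: classify_flow(payload, port) for src, port, payload in flows}


if __name__ == "__main__":
    for host, verdict in scan().items():
        print(host, verdict)
```

As with Steven's rule, anything that is legitimately IRC (a tech-support channel, a user on freenode) still trips the cleartext verdict, so the output is a triage queue rather than a finding; Jose's "non-well-known IRC server" check maps onto `off_irc_port` plus whatever allowlist of known servers a site maintains. The entropy branch deliberately ignores ports such as 443 and 6697 (IRC over TLS), since the whole point is crypto where it is not expected.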
