To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On 09/01/07, Sean Zadig <[EMAIL PROTECTED]> wrote:
> Greetings all,
>
> I'm looking for suggestions on innovative ways to find zombie machines on my
> networks. Right now, we're looking for IRC traffic and doing some checking
> for connections to C&C machines (using Shadowserver and various other C&C
> lists).
>
> Do any of you have any recommendations for other methods? So far, I haven't
> been able to find too much zombie activity, but I have a feeling it's there.
> We simply have too many machines for there not to be some activity.

Hi Sean,

If you're already using snort, plus bleeding IRC sigs, then you can
still look at things like:

1. portscan traffic originating from your network (when a zombie gets
a scan command it will trip all sorts of portscan sensors)

2. if you're domain admin, you can ask your windows boxes for things like:
   a. contents of %WINNT%/system32/drivers/etc/hosts  (is that the right path?)
      there will often be entries like 127.0.0.1 liveupdate.symantec.com
      if you've got nasties
   b. new entries in the HKLM/Software/Windows/.../Run   /RunOnce keys
   c. AV sigs being out of date can indicate some kind of problem as well
      - with Symantec AV you can also query this information from the
        Windows registry
   Might be easier to do this with a HIDS - see #5

3. for UNIX, evidence of infection from Kaiten, Lupper, Mare, ShellBot
etc. in apache logs. I've seen many attempts at compromising web apps
such as Mambo, AWStats, PHPBB, PHPNuke, etc. by these kinds of bots.
(example: http://www.nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf )

4. If you're using an HTTP proxy, check the logs of that for
suspicious files being downloaded. Otherwise, keep an eye on ftp,
tftp, wget and curl downloads from machines which shouldn't be
downloading stuff. This may include firewall logs of port 80 outbound
being dropped if your firewall forces stuff to go via an HTTP proxy.

5. HIDS such as OSSEC or GFI Languard noticing filesystem changes.

6. Some malware will also re-assign the default DNS servers that the
machine is querying. You might want to check on what traffic is
outbound to 53/udp and /tcp if you're expecting everything to be
resolved by your internal DNS servers.

As other people have said, nepenthes is also a great tool and will
enable you to get copies of malicious binaries more easily than the
traditional methods of forensics.

cheers,
 Jamie
-- 
Jamie Riden, CISSP / [EMAIL PROTECTED] / [EMAIL PROTECTED]
NZ Honeynet project - http://www.nz-honeynet.org/
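Several of the indicators in Jamie's list (outbound portscans, DNS that bypasses the internal resolvers, port-80 drops from hosts skipping the proxy, and hosts-file entries that pin AV update servers to 127.0.0.1) can be turned into simple rule checks over firewall or flow logs. The script below is an added example, not code from this thread or from the NZ Honeynet project; the flow-log format, the resolver and target addresses, the scan threshold and the hosts-file content are all constructed for the demo and stand in for whatever your own logs and network look like.

```python
"""Rule checks for a few of the zombie indicators discussed above.

Added example; all addresses, the log format and the thresholds are
assumptions made up for this demo, not values from the mailing list post.
"""
from collections import defaultdict

INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.0.54"}  # assumed: the only DNS servers clients should use
SCAN_THRESHOLD = 5                                # assumed: distinct hosts on one port before we call it a scan

# Constructed firewall/flow log: "timestamp src dst proto dport action".
SAMPLE_FLOWS = """\
2007-01-09T10:00:01 10.0.5.23 10.0.6.1 tcp 445 allow
2007-01-09T10:00:01 10.0.5.23 10.0.6.2 tcp 445 allow
2007-01-09T10:00:01 10.0.5.23 10.0.6.3 tcp 445 allow
2007-01-09T10:00:02 10.0.5.23 10.0.6.4 tcp 445 allow
2007-01-09T10:00:02 10.0.5.23 10.0.6.5 tcp 445 allow
2007-01-09T10:00:02 10.0.5.23 10.0.6.6 tcp 445 allow
2007-01-09T10:00:05 10.0.5.23 198.51.100.7 udp 53 allow
2007-01-09T10:00:06 10.0.5.23 203.0.113.9 tcp 80 deny
2007-01-09T10:00:07 10.0.5.23 203.0.113.9 tcp 80 deny
2007-01-09T10:00:09 10.0.5.40 10.0.0.53 udp 53 allow
2007-01-09T10:00:10 10.0.5.40 10.0.0.10 tcp 8080 allow
2007-01-09T10:00:11 10.0.5.40 10.0.6.1 tcp 445 allow
"""

# Constructed Windows hosts file content; the symantec entry is the kind
# of line Jamie mentions, the second name is an invented placeholder.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1 localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.example-av.test
"""


def parse_flows(text):
    """Turn the whitespace-separated log lines into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, action = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "action": action})
    return flows


def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Item 1: one source hitting many distinct hosts on the same port (horizontal scan).

    Returns a sorted list of (src, dport, distinct_host_count) over the threshold.
    """
    targets = defaultdict(set)
    for f in flows:
        targets[(f["src"], f["dport"])].add(f["dst"])
    return sorted((src, port, len(hosts))
                  for (src, port), hosts in targets.items() if len(hosts) >= threshold)


def find_rogue_dns(flows, resolvers=INTERNAL_RESOLVERS):
    """Item 6: DNS traffic (port 53) to anything other than the approved internal resolvers."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["dport"] == 53 and f["dst"] not in resolvers})


def find_proxy_bypass(flows):
    """Item 4: outbound port-80 attempts the firewall dropped because they skipped the proxy."""
    counts = defaultdict(int)
    for f in flows:
        if f["dport"] == 80 and f["action"] == "deny":
            counts[f["src"]] += 1
    return dict(counts)


def find_hosts_hijacks(text):
    """Item 2a: hostnames pinned to loopback/null addresses, the classic AV-update block."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "0.0.0.0", "::1"):
            hits.extend(n for n in names if n not in ("localhost", "localhost.localdomain"))
    return hits


def report(flow_text=SAMPLE_FLOWS, hosts_text=SAMPLE_HOSTS):
    """Run every check and return the findings keyed by indicator."""
    flows = parse_flows(flow_text)
    return {
        "scanners": find_scanners(flows),
        "rogue_dns": find_rogue_dns(flows),
        "proxy_bypass": find_proxy_bypass(flows),
        "hosts_hijacks": find_hosts_hijacks(hosts_text),
    }


if __name__ == "__main__":
    for indicator, findings in report().items():
        print(f"{indicator}: {findings}")
```

On the constructed sample, 10.0.5.23 trips all three network checks at once (six hosts on 445, DNS to an outside resolver, two dropped direct port-80 attempts) while 10.0.5.40 stays clean; in practice the value is in correlating hits from more than one rule per host, since any single rule will also fire on legitimate scanners, misconfigured laptops and the like. Threshold and resolver list are deliberately parameters so they can be tuned to a real network.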
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets