reconstructing the timeline of the spread of the botnet. This will often show
the pattern called “fan out,” where the botnet infects a single computer in a
new subnet, and that computer then fans out to infect others in the same subnet.
Using this technique we are able to turn the bot client attack vector into an
intelligence source.
Table 5.1 Sample Output from Log Parser SQL Query

TimeGenerated        User                       Targeted_Computer   Attacking_Workstation
8/3/2006 8:40:24     ATTACKER1\jdoe             VICTIM              ATTACKER1
8/3/2006 8:44:02     ATTACKER1\jdoe             VICTIM              ATTACKER1
8/3/2006 8:46:51     ATTACKER1\jdoe             VICTIM              ATTACKER1
8/3/2006 8:50:37     ATTACKER1\jdoe             VICTIM              ATTACKER1
8/3/2006 8:53:33     ATTACKER1\jdoe             VICTIM              ATTACKER1
8/3/2006 8:57:17     ATTACKER1\jdoe             VICTIM              ATTACKER1
8/14/2006 10:25:00   ATTACKER1\jdoe             VICTIM              ATTACKER1
8/14/2006 10:29:09   ATTACKER1\jdoe             VICTIM              ATTACKER1
8/14/2006 10:31:46   ATTACKER1\jdoe             VICTIM              ATTACKER1
8/14/2006 10:35:23   ATTACKER1\jdoe             VICTIM              ATTACKER1
8/16/2006 8:21:06    ATTACKER2\Administrator    VICTIM              ATTACKER2
8/16/2006 8:21:07    ATTACKER2\Administrator    VICTIM              ATTACKER2
8/16/2006 8:21:08    ATTACKER2\Administrator    VICTIM              ATTACKER2
8/16/2006 8:21:09    ATTACKER2\Administrator    VICTIM              ATTACKER2
8/16/2006 8:21:11    ATTACKER2\Administrator    VICTIM              ATTACKER2
8/16/2006 8:21:13    ATTACKER2\Administrador    VICTIM              ATTACKER2
8/16/2006 8:21:14    ATTACKER2\Administrador    VICTIM              ATTACKER2
8/16/2006 8:21:15    ATTACKER2\Administrador    VICTIM              ATTACKER2
8/16/2006 8:21:16    ATTACKER2\Administrador    VICTIM              ATTACKER2
8/16/2006 8:21:17    ATTACKER2\Administrador    VICTIM              ATTACKER2
8/16/2006 8:21:18    ATTACKER2\Administrateur   VICTIM              ATTACKER2
8/16/2006 8:21:20    ATTACKER2\Administrateur   VICTIM              ATTACKER2
8/16/2006 8:21:21    ATTACKER2\Administrateur   VICTIM              ATTACKER2
8/16/2006 8:21:23    ATTACKER2\Administrateur   VICTIM              ATTACKER2
8/16/2006 8:21:27    ATTACKER2\Administrateur   VICTIM              ATTACKER2

www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
You can find basic explanations in the accompanying help file and by
searching the Microsoft site for Logparser. There is also a much more in-depth
treatment of uses of Log Parser in the Syngress book Microsoft Log Parser
Toolkit, written by Gabriele Giuseppini and Mark Burnett. Giuseppini is one
of the Microsoft developers of the tool.
The computers listed in the Attacking Workstation column are the infected
systems, unless you can discover a legitimate reason for the failed connection
attempt between the two workstations. For example, you might discover that a
small group of workstations in a lab have set up shares between them, and users
periodically connect to each other's workstations. For this reason, we include
as much of the following information as we can in the help desk ticket for this
incident:
■ Computer name and source
■ IP address and source
■ MAC address and source
■ What was observed (e.g., password-guessing attack against Victim1)
■ Userid used
■ Date/time of the most recent attempt
■ User name
■ Building, room, and jack number
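As an added illustration, not code from the book, the following Python script does with a few constructed rows what the chapter does by hand with Table 5.1: it collapses the failed-logon rows into one record per Attacking Workstation, orders those workstations by first-seen time to reconstruct the spread timeline, and flags the one-workstation, many-account-names burst that distinguishes a guessing bot from a user mistyping a password. It assumes the Log Parser output has been exported as comma-separated rows in the four-column layout of the table.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not the book's data) in the four-column layout of
# Table 5.1: TimeGenerated, User, Targeted_Computer, Attacking_Workstation.
SAMPLE_ROWS = r"""
8/3/2006 8:40:24,ATTACKER1\jdoe,VICTIM,ATTACKER1
8/3/2006 8:44:02,ATTACKER1\jdoe,VICTIM,ATTACKER1
8/14/2006 10:25:00,ATTACKER1\jdoe,VICTIM,ATTACKER1
8/16/2006 8:21:06,ATTACKER2\Administrator,VICTIM,ATTACKER2
8/16/2006 8:21:13,ATTACKER2\Administrador,VICTIM,ATTACKER2
8/16/2006 8:21:18,ATTACKER2\Administrateur,VICTIM,ATTACKER2
8/16/2006 9:02:40,ATTACKER2\Administrator,VICTIM2,ATTACKER2
"""

def parse_rows(text):
    """Comma-separated query output -> time-sorted (time, user, target, source) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, target, source = line.split(",")
        events.append((datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"), user, target, source))
    return sorted(events)

def summarize_by_source(events):
    """One record per attacking workstation: first/last seen, attempt count,
    account names tried, hosts hit, and shortest gap between attempts (seconds)."""
    by_src = defaultdict(lambda: {"first": None, "last": None, "attempts": 0,
                                  "users": set(), "targets": set(), "min_gap": None})
    for ts, user, target, source in events:
        rec = by_src[source]
        if rec["last"] is not None:
            gap = (ts - rec["last"]).total_seconds()
            rec["min_gap"] = gap if rec["min_gap"] is None else min(rec["min_gap"], gap)
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["attempts"] += 1
        rec["users"].add(user.split("\\", 1)[-1])   # drop the DOMAIN\ prefix
        rec["targets"].add(target)
    return dict(by_src)

def spread_timeline(summary):
    """Attacking workstations ordered by first-seen time; new sources appearing
    one after another in the same subnet is the fan-out pattern."""
    return sorted(summary, key=lambda src: summary[src]["first"])

def looks_automated(rec):
    """Several account names from one workstation within a minute is a guessing
    bot's signature; a single mistyped password never changes the account name."""
    return len(rec["users"]) > 1 and rec["min_gap"] is not None and rec["min_gap"] < 60
```

The record per workstation (first seen, last seen, userids tried, targets) maps directly onto the ticket fields listed above, and the last-seen time is the one to keep for DHCP lookups.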
We discovered that it was necessary to know what was solid information
(found in the logs) and what was derived (e.g., IP address from NSLookup of
computer name). The time last observed is important, especially in environments
using DHCP, since you are only interested in the computer that held a
particular IP address during the time of the event observed in the logs. In our
case, the lookup table we used for building, room number, and jack number
was horribly out of date and consequently inaccurate. If the computer was
online, the networking team could confirm the room number and data jack
by reading the switch that detected the computer. The most difficult part of
this process proved to be matching the infected machine with a user and
location.
Several critical pieces of our infrastructure are missing. There is no asset
management system, so the asset database is not linked to the help desk
system. The database that links the building, room, and data jack information
to a switch port has not been kept up to date. The building maps to rooms and
data jacks haven’t been kept up to date, so we keep sending techs out to
rooms that no longer exist. There is no simple way to correlate the computer’s
NetBIOS name to its IP address and MAC address. Although there is a standard
naming convention for computers, it is loosely followed by other departments.
It is next to impossible to find a computer of the name LAPTOP in a
population of 27,000 users. In XP, the security event log record only contains
the computer NetBIOS name, not the IP address; the way our DNS is set up,
few of these NetBIOS names are found using nslookup.
Under these circumstances, we have had to find creative ways to locate
these infected computers. If the userid has portions of a name, we try student
and faculty records to see if there is a match or a short list of candidates.
Sometimes the computer name is somewhat unique, and a search of the
university’s Web pages can win the prize. One tough case was a computer called