Table 5.5 continued  Process Explorer Running Processes

Process        PID   CPU   Description                                   Company Name
svchost.exe    488         Generic Host Process for Win32 Services       Microsoft Corp.
rshsvc.exe     600         RSH Service                                   Microsoft Corp.
SavRoam.exe    684         SAVRoam                                       Symantec
PSXRUN.EXE     856         Interix Subsystem Nonconsole Session Manager  Microsoft Corp.
zzInterix      2144        Interix Utility                               Microsoft Corp.
EvMgrC.exe     976   1.17                                                Commvault Systems
mssearch.exe   1328        Microsoft PKM Search Service                  Microsoft Corp.
mapsvc.exe     1412        Mapping Server Service                        Microsoft Corp.
sqlagent.exe   2724        Microsoft SQL Server Agent                    Microsoft Corp.
svchost.exe    3196        Generic Host Process for Win32 Services       Microsoft Corp.
Rtvscan.exe    2188        Symantec AntiVirus                            Symantec Corp.
lsass.exe      956         LSA Shell                                     Microsoft Corp.
PSXSS.EXE      896         Interix Subsystem Server                      Microsoft Corp.
init           2156        Interix Utility                               Microsoft Corp.
inetd          2432        Interix Utility                               Microsoft Corp.
iexplorer.exe  3560
explorer.exe   8564        Windows Explorer                              Microsoft Corp.
ccApp.exe      9208        Symantec User Session                         Symantec Corp.
VPTray.exe     8636        Symantec AntiVirus                            Symantec Corp.
VPC32.exe      9524        Symantec AntiVirus                            Symantec Corp.
iexplorer.exe  6712
sqlmangr.exe   9904        SQL Server Service Manager                    Microsoft Corp.
mmc.exe        9344        Microsoft Management Console                  Microsoft Corp.
procexp.exe    9184        Sysinternals Process Explorer                 Sysinternals
Tcpview.exe    8716  3.52  TCP/UDP endpoint viewer                       Sysinternals
www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
201
427_Botnet_05.qxd 1/9/07 9:59 AM Page 201
The next snapshot, Table 5.6, is for the network connections and was taken using TCPView.
Table 5.6  Network Connections of a Botnet

Process             Proto  Local Address          Remote Address         State
:3616               TCP    Victim3:2967           Victim3:0              LISTENING
:3616               TCP    127.7.15.36:2967       127.7.15.36:3440       CLOSE_WAIT
:3616               TCP    127.7.39.255:2967      127.7.39.255:2211      CLOSE_WAIT
:3616               TCP    127.7.39.255:2967      127.7.39.255:2212      CLOSE_WAIT
—————————SNIPPED 100+ entries————————
:3616               TCP    127.245.24.200:2967    127.245.24.200:2655    CLOSE_WAIT
:3616               TCP    127.246.198.40:2967    127.246.198.40:2649    CLOSE_WAIT
:3616               TCP    127.246.198.40:2967    127.246.198.40:2647    CLOSE_WAIT
:3680               TCP    Victim3:8592           Victim3:0              LISTENING
cvd.exe:320         TCP    Victim3:1040           Victim3:0              LISTENING
cvd.exe:320         TCP    Victim3:cvd            Victim3:0              LISTENING
cvd.exe:320         TCP    Victim3:4099           localhost:EvMgrC       ESTABLISHED
EvMgrC.exe:976      TCP    Victim3:EvMgrC         Victim3:0              LISTENING
EvMgrC.exe:976      TCP    Victim3:EvMgrC                                ESTABLISHED
iexplorer.exe:3560  TCP    Victim3:20462          Victim3:0              LISTENING
iexplorer.exe:3560  UDP    Victim3:tftp           *:*
lsass.exe:956       TCP    Victim3:1057           Victim3:0              LISTENING
lsass.exe:956       UDP    Victim3:isakmp         *:*
lsass.exe:956       UDP    Victim3:4500           *:*
lsass.exe:956       UDP    Victim3:1027           *:*
mapsvc.exe:1412     TCP    Victim3:740            Victim3:0              LISTENING
mapsvc.exe:1412     TCP    Victim3:742            Victim3:0              LISTENING
mapsvc.exe:1412     UDP    Victim3:743            *:*
mapsvc.exe:1412     UDP    Victim3:741            *:*
PSXSS.EXE:896       UDP    Victim3:649            *:*
rshsvc.exe:600      TCP    Victim3:cmd            Victim3:0              LISTENING
sqlservr.exe:400    TCP    Victim3:ms-sql-s       Victim3:0              LISTENING
sqlservr.exe:400    UDP    Victim3:ms-sql-m       *:*
svchost.exe:1252    TCP    Victim3:epmap          Victim3:0              LISTENING
svchost.exe:1312    UDP    Victim3:1026           *:*
svchost.exe:1312    UDP    Victim3:1025           *:*
svchost.exe:1364    UDP    Victim3:ntp            *:*
svchost.exe:3196    TCP    Victim3:3389           Victim3:0              LISTENING
System:4            TCP    Victim3:sunrpc         Victim3:0              LISTENING
System:4            TCP    Victim3:microsoft-ds   Victim3:0              LISTENING
System:4            UDP    Victim3:sunrpc         *:*
System:4            UDP    Victim3:microsoft-ds   *:*
winlogon.exe:884    UDP    Victim3:1061           *:*
The first 100+ entries appear to be related to the Big Yellow Worm exploit. Port 2967 is the port exploited by this worm. The 127.x.x.x addresses listed are all considered loopback addresses, not external addresses. You will also notice that the source and destination addresses are identical. Although we’re not intimately familiar with the exploit, we assume that this behavior has something to do with it. Near the middle of the list you can find iexplorer.exe, which is listening on port 20462 and on the TFTP port.

You can use the list of ports that you determine are associated with the malware again when you perform firewall log analysis. Any traffic on one of these ports means that the associated IP address is somehow related to the botnet.

Other odd ports turn out to be the result of an administrator who was more comfortable with UNIX than with PCs. He had loaded an application that let him use UNIX commands on the PC. He did not know that it also opened up dangerous ports such as rshell (rshsvc.exe).
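The checks described above, applied in code: parse a TCPView-style snapshot, flag the worm port, the loopback pairs whose source and destination are identical, and the listeners of a process already identified as malware, then carry the resulting port list into firewall log analysis to list the related IP addresses. This is an added example in Python, not code from the book or from Sysinternals. The snapshot lines and firewall log lines are constructed (they mirror the shape of Table 5.6 and use documentation address ranges); the firewall log column layout (date, time, action, protocol, source, destination, source port, destination port) and the small service-name-to-port table are assumptions.

```python
import ipaddress

# Constructed TCPView-style snapshot lines (process:pid, protocol, local, remote, state).
# They mirror the shape of Table 5.6, including the blank process name TCPView left
# on the :3616 rows; nothing here is copied from the victim's real output.
TCPVIEW_SNAPSHOT = """\
:3616               TCP  Victim3:2967         Victim3:0           LISTENING
:3616               TCP  127.7.15.36:2967     127.7.15.36:3440    CLOSE_WAIT
:3616               TCP  127.7.39.255:2967    127.7.39.255:2211   CLOSE_WAIT
cvd.exe:320         TCP  Victim3:1040         Victim3:0           LISTENING
iexplorer.exe:3560  TCP  Victim3:20462        Victim3:0           LISTENING
iexplorer.exe:3560  UDP  Victim3:tftp         *:*
lsass.exe:956       UDP  Victim3:isakmp       *:*
svchost.exe:3196    TCP  Victim3:3389         Victim3:0           LISTENING
"""

# Constructed firewall log lines. The column layout (date time action proto
# src dst sport dport) is an assumption, not any real product's format.
FIREWALL_LOG = """\
2006-12-27 09:59:01 ALLOW TCP 192.0.2.10 198.51.100.5 1087 2967
2006-12-27 09:59:04 ALLOW UDP 192.0.2.10 198.51.100.9 1090 69
2006-12-27 10:01:15 ALLOW TCP 192.0.2.22 198.51.100.5 1101 80
2006-12-27 10:03:40 ALLOW TCP 198.51.100.44 192.0.2.10 3345 20462
"""

WORM_PORT = 2967                    # port the chapter ties to the Big Yellow Worm
KNOWN_MALWARE = {"iexplorer.exe"}   # process the chapter identified as malware
# TCPView prints service names for well-known ports; a small assumed lookup table
SERVICE_PORTS = {"tftp": 69, "cmd": 514, "isakmp": 500, "epmap": 135, "ntp": 123}

def split_endpoint(endpoint):
    """'127.7.15.36:2967' -> ('127.7.15.36', 2967); service names become numbers."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else SERVICE_PORTS.get(port)

def is_loopback(host):
    """True for anything in 127.0.0.0/8; hostnames such as Victim3 are not addresses."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def parse_snapshot(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        proc_pid, proto, local, remote = parts[:4]
        name, _, pid = proc_pid.rpartition(":")
        rows.append({"process": name, "pid": int(pid), "proto": proto,
                     "local": split_endpoint(local), "remote": split_endpoint(remote),
                     "state": parts[4] if len(parts) > 4 else ""})
    return rows

def flag_connections(rows):
    """Return (process, pid, proto, local_port, reasons) for rows matching the chapter's indicators."""
    flagged = []
    for r in rows:
        lhost, lport = r["local"]
        rhost, rport = r["remote"]
        reasons = []
        if WORM_PORT in (lport, rport):
            reasons.append("worm port %d" % WORM_PORT)
        if is_loopback(lhost) and lhost == rhost:
            reasons.append("loopback endpoint with identical source and destination")
        # UDP rows carry no state; a remote of *:* means the socket is bound and waiting
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and rhost == "*")
        if r["process"] in KNOWN_MALWARE and listening:
            reasons.append("known malware process listening")
        if reasons:
            flagged.append((r["process"], r["pid"], r["proto"], lport, reasons))
    return flagged

def malware_ports(rows):
    """Ports to carry into firewall log analysis: the worm port plus every port
    a known-malware process listens on."""
    ports = {WORM_PORT}
    for proc, _, _, lport, _ in flag_connections(rows):
        if proc in KNOWN_MALWARE and lport is not None:
            ports.add(lport)
    return ports

def related_ips(log_text, ports):
    """Both addresses of every log line whose source or destination port is in the set."""
    ips = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        src, dst, sport, dport = parts[4], parts[5], int(parts[6]), int(parts[7])
        if sport in ports or dport in ports:
            ips.update((src, dst))
    return ips

if __name__ == "__main__":
    rows = parse_snapshot(TCPVIEW_SNAPSHOT)
    for proc, pid, proto, port, reasons in flag_connections(rows):
        print("%-14s pid=%-5d %s port %-5s %s" % (proc or "<none>", pid, proto, port, "; ".join(reasons)))
    ports = malware_ports(rows)
    print("ports for firewall log analysis:", sorted(ports))
    print("IP addresses related to the botnet:", sorted(related_ips(FIREWALL_LOG, ports)))
```

The port set is kept deliberately small and explicit: only the worm port and the listeners of a process you have already attributed to the malware go into it, so the firewall log pass inherits your judgment from the TCPView snapshot rather than flagging every odd port on the host.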
Next we use the Sysinternals tool Autoruns to gather the list of applications that are started automatically on startup, logon, or logoff. This report is quite lengthy, so we’ll only look at the snippet containing the known malware that we found in Process Explorer and TCPView (see Table 5.7).
Table 5.7  Autoruns Snippet Showing Malware Entry

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ ccApp      Symantec User Session   Symantec Corporation   c:\program files\common files\symantec shared\ccapp.exe
+ Microsoft                                                 c:\windows\system32\iexplorer.exe
+ vptray     Symantec AntiVirus      Symantec Corporation   c:\program files\symantec antivirus\vptray.exe
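Reading the snippet, the iexplorer.exe entry stands out for two reasons: it carries no description and no publisher, and its image name is one already tied to the malware by Process Explorer and TCPView. The following added example (not code from the book or from Sysinternals) applies those two checks, plus a third heuristic of its own, that the entry name should resemble the image file name, to a constructed tab-separated export that mirrors Table 5.7. The tab-separated column layout is an assumption.

```python
import ntpath

# Constructed Autoruns-style export, one tab-separated entry per line:
# location, entry name, description, publisher, image path. The tab-separated
# layout is an assumption; the three rows mirror Table 5.7, and the middle one
# deliberately carries an empty description and publisher, as in the chapter.
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
AUTORUNS_EXPORT = "\n".join([
    "\t".join([RUN_KEY, "ccApp", "Symantec User Session", "Symantec Corporation",
               "c:\\program files\\common files\\symantec shared\\ccapp.exe"]),
    "\t".join([RUN_KEY, "Microsoft", "", "", "c:\\windows\\system32\\iexplorer.exe"]),
    "\t".join([RUN_KEY, "vptray", "Symantec AntiVirus", "Symantec Corporation",
               "c:\\program files\\symantec antivirus\\vptray.exe"]),
])

# Image names already tied to the malware by Process Explorer and TCPView (Tables 5.5, 5.6)
KNOWN_MALWARE_IMAGES = {"iexplorer.exe"}


def parse_autoruns(text):
    """Split the export into dicts; ntpath handles the Windows paths on any host OS."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue
        location, entry, description, publisher, image = fields
        entries.append({"location": location, "entry": entry, "description": description,
                        "publisher": publisher, "image": image,
                        "image_name": ntpath.basename(image).lower()})
    return entries


def review_autoruns(entries):
    """Map entry name -> reasons for every autostart entry worth a second look."""
    findings = {}
    for e in entries:
        reasons = []
        if not e["publisher"] or not e["description"]:
            reasons.append("no publisher or description recorded")
        if e["image_name"] in KNOWN_MALWARE_IMAGES:
            reasons.append("image %s already identified in Process Explorer/TCPView" % e["image_name"])
        # Heuristic of this example: a legitimate entry name usually resembles its image file name
        if e["entry"].lower() not in e["image_name"]:
            reasons.append("entry name '%s' does not match image file name" % e["entry"])
        if reasons:
            findings[e["entry"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_autoruns(parse_autoruns(AUTORUNS_EXPORT)).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the three rows, only the "Microsoft" entry is reported, on all three grounds; the two Symantec entries pass every check.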
Next we will get a directory listing of the hard drive. Once the quick forensic pass is completed, the hard drive will be reimaged, so there won’t be an opportunity to go back and look at the system again. For the directory listing we bring up a command line (Start | Run | cmd) and change to the root directory. We gather two sets of directory listings, a normal listing and a listing of hidden, system, and read-only files and folders:

C:\> dir /s >"e:\VICTIM3 061227\VICTIM3 061227 normal Directory listing.txt"
C:\> dir /s /ah /as /ar >"e:\VICTIM3 061227\VICTIM3 061227 hidden system readonly Directory listing.txt"
This completes the snapshot of the victim’s system.
Next we’ll try to find files that are associated with the malware. In the previous steps we noted the dates and times of activity known to be related to the malware. Now we can use the search function to locate files that were modified around the same time as the malware was active. This is an inexact science, and the analysis is usually performed by someone else, so we prefer the gatherer to be inclusive rather than exclusive. In other words, we want to gather the files unless there is little chance they can be related to the malware. The reason we do this is that we have found some of our most valuable information in the files we gather at this step.
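Because the drive is reimaged after the snapshot, the text files produced by the dir /s commands above are what remains to search later. The following added example (not code from the book) parses a constructed excerpt of dir /s output and applies the inclusive rule from the paragraph above: keep every file whose timestamp lies within a window around any known malware activity time, with the window boundaries themselves included. The en-US date layout is an assumption, since dir formats dates according to the system locale; the directory names, file names, sizes and the 12/27/2006 09:59 activity time are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of "dir /s" output in the en-US date layout (an assumption:
# the format follows the system locale). File names and times are made up to
# illustrate the window test; nothing here is taken from the victim's listing.
DIR_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\

12/20/2006  08:15 AM    <DIR>          Program Files
12/27/2006  09:54 AM    <DIR>          temp
12/27/2006  09:40 AM    <DIR>          WINDOWS
               0 File(s)              0 bytes

 Directory of C:\\WINDOWS\\system32

12/27/2006  09:54 AM            57,344 iexplorer.exe
12/27/2006  10:11 AM             3,210 drwtsn32.log
11/17/2006  01:02 PM         1,032,192 kernel32.dll
               3 File(s)      1,092,746 bytes

 Directory of C:\\temp

12/27/2006  10:29 AM               512 run.bat
               1 File(s)            512 bytes
"""

# Constructed: one time at which the malware was known to be active (noted in the earlier snapshots).
ACTIVITY_TIMES = [datetime(2006, 12, 27, 9, 59)]

DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return (full_path, modified_time, size_bytes) for each file in a dir /s listing.
    Directory entries (<DIR>) and the per-directory summary lines are skipped."""
    entries, current_dir = [], None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current_dir = header.group(1).rstrip("\\")
            continue
        entry = ENTRY_RE.match(line)
        if not entry or current_dir is None:
            continue
        date, clock, size, name = entry.groups()
        if size == "<DIR>":
            continue
        modified = datetime.strptime(date + " " + clock, "%m/%d/%Y %I:%M %p")
        entries.append((current_dir + "\\" + name, modified, int(size.replace(",", ""))))
    return entries


def files_modified_near(entries, activity_times, window_minutes=30):
    """Inclusive gatherer: keep a file if its timestamp is within +/-window of ANY
    known activity time. The comparison is <=, so a file sitting exactly on the
    window boundary is kept rather than dropped."""
    window = timedelta(minutes=window_minutes)
    return [path for path, modified, _ in entries
            if any(abs(modified - t) <= window for t in activity_times)]


def find_hits(window_minutes=30):
    """Run the window test over the constructed listing and activity times."""
    return files_modified_near(parse_dir_listing(DIR_LISTING), ACTIVITY_TIMES, window_minutes)


if __name__ == "__main__":
    for path in find_hits():
        print(path)
```

With the default 30-minute window the listing yields iexplorer.exe, drwtsn32.log and run.bat; run.bat sits exactly 30 minutes after the activity time and is kept only because the comparison is inclusive, which is the behaviour the paragraph above asks for. Note that dir reports the last-write time only, so a file that was created during the activity window but rewritten later will carry the later timestamp.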
One of the key files to look for is drwtsn32.log. This is the log that Dr. Watson produces whenever an application fails. Malware has a pretty good chance of causing a failure on a new system with an atypical configuration. Dr. Watson grabs a snapshot of the system’s memory at the time of the failure. In this snapshot we have found lists of systems successfully compromised, along with the associated userids and passwords. In the instance of Rbot we were chasing, the botherder used many batch files. These revealed the locations of malware-related executables. One of the batch files was used by the