Botnets - The killer web applications

www.syngress.com
IRC and Botnets • Chapter 8


(www.symantec.com/security_response/writeup.jsp?docid=2005-100715-4523-99).

Last we have our channel alien. This turns out to be a false positive. Although we won't show the information here, there wasn't any useful information in the TCP port report that clearly indicated that this was a scan. No well-known attacked ports were shown. In this case, by sheer dumb luck we know who was using the host in question, so we asked them, and they said, "It's a game." Sometimes asking people might be what you need to do. If someone says, "Well, no, I don't use IRC," you know you have a security problem. Of course, once again we can watch the IRC channel with tools like ngrep to see if people are talking or game commands are going by, or just maybe there are bot commands such as the ones we saw in our example.
Let's summarize the analysis techniques we might use to decide if an IRC channel is hostile or not:

1. If the channel has a number of hosts in it attacking a few ports, it is probably automated and evil. Use the IRC evil channel report and the associated TCP port report summarizations and 30-second logs to give you more details as necessary. You might need to do some research on whether or not the ports are being scanned planetwide (see dshield.org or isc.sans.org).
2. Watch the IRC channel names over time and learn which IRC channels are used for legitimate traffic. This might help you note new and possibly suspicious channel names if they show up. Of course, users might always have a new chat channel, too.
3. You can always watch the channel with a sniffer like ngrep to determine if the traffic is suspicious.
4. Once you learn about a bad botnet server, you should note its IP address and check the IRC logs carefully to see if that IP address shows up with other hosts. The odds are high that those hosts are infected as well.
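The following script is an added example, not code from the book or from the ourmon/ngrep tools the chapter uses; it applies rules 1, 2 and 4 above to constructed data. It takes a channel-membership list (host to channel, as an IRC channel report would give it) and a per-host TCP port summary (host to the number of distinct destinations contacted per destination port), flags channels whose members are all fanning out to a few well-known attacked ports, reports channel names not in a baseline, and lists other hosts that talked to a known bad server. The IP addresses, channel names, port list and thresholds are all assumptions chosen for illustration; rule 3 (watching the channel with a sniffer) is not something an offline script can show.

```python
"""Heuristics for deciding whether an IRC channel is hostile.

Added example: scores channels from two constructed inputs using the
chapter's rules (many hosts in one channel hitting a few ports, new
channel names, other hosts talking to a known bad server). Every IP,
channel name, port and threshold below is an assumed sample value.
"""
from collections import defaultdict

# Constructed sample data: which host sat in which IRC channel.
CHANNEL_MEMBERS = {
    "10.0.0.11": "#x0r",
    "10.0.0.12": "#x0r",
    "10.0.0.13": "#x0r",
    "10.0.0.14": "#x0r",
    "10.0.0.21": "#alien",      # the game players from the text
    "10.0.0.22": "#alien",
    "10.0.0.31": "#linuxhelp",
}

# Constructed TCP port summary: host -> {dst_port: distinct destinations}.
PORT_REPORT = {
    "10.0.0.11": {445: 820, 139: 790},
    "10.0.0.12": {445: 640},
    "10.0.0.13": {445: 910, 135: 300},
    "10.0.0.14": {445: 700},
    "10.0.0.21": {27015: 1},    # one game server, no fan-out
    "10.0.0.22": {27015: 1},
    "10.0.0.31": {80: 12},
}

# Constructed IRC connection log: (client, server) pairs.
CONNECTIONS = [
    ("10.0.0.11", "198.51.100.7"),
    ("10.0.0.12", "198.51.100.7"),
    ("10.0.0.13", "198.51.100.7"),
    ("10.0.0.14", "198.51.100.7"),
    ("10.0.0.21", "203.0.113.9"),
]

# Assumed list of commonly attacked ports (illustrative, not exhaustive).
WELL_KNOWN_ATTACKED_PORTS = {135, 139, 445, 1433, 3306, 5900}


def scanning_hosts(port_report, min_targets=100):
    """Hosts that reached at least min_targets distinct destinations on a
    well-known attacked port. The fan-out, not the port alone, marks a scan."""
    result = {}
    for host, ports in port_report.items():
        hit = {p for p, n in ports.items()
               if p in WELL_KNOWN_ATTACKED_PORTS and n >= min_targets}
        if hit:
            result[host] = hit
    return result


def evil_channels(channel_members, port_report, min_hosts=3, max_ports=3):
    """Rule 1: a channel with >= min_hosts scanning members whose combined
    target ports form a small set (<= max_ports) is probably automated."""
    scanners = scanning_hosts(port_report)
    by_channel = defaultdict(list)
    for host, chan in channel_members.items():
        if host in scanners:
            by_channel[chan].append(host)
    verdict = {}
    for chan, hosts in by_channel.items():
        ports = set().union(*(scanners[h] for h in hosts))
        if len(hosts) >= min_hosts and len(ports) <= max_ports:
            verdict[chan] = {"hosts": sorted(hosts), "ports": sorted(ports)}
    return verdict


def new_channels(baseline, current_members):
    """Rule 2: channel names that were not in the known-good baseline."""
    return sorted(set(current_members.values()) - set(baseline))


def hosts_sharing_server(connections, bad_server):
    """Rule 4: every host that connected to a known bad botnet server."""
    return sorted({src for src, dst in connections if dst == bad_server})


if __name__ == "__main__":
    print("evil channels:", evil_channels(CHANNEL_MEMBERS, PORT_REPORT))
    print("new channels:", new_channels(["#x0r", "#linuxhelp"], CHANNEL_MEMBERS))
    print("hosts on bad server:", hosts_sharing_server(CONNECTIONS, "198.51.100.7"))
```

With this data #x0r is flagged because all four members fan out to ports 135, 139 and 445, while #alien is not: its two members each talk to a single destination, which matches the chapter's false positive. The baseline for rule 2 would come from watching channel names over time, and the bad-server lookup for rule 4 is the kind of check that turns one confirmed controller into a list of likely infected hosts.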