Botnets - The killer web applications

www.syngress.com
IRC and Botnets • Chapter 8
303
427_Botnet_08.qxd 1/8/07 4:10 PM Page 303


Detecting an IRC Botnet Server
In this section we look at details for “Case Study #4: Botnet Server.”

Around Thanksgiving Day 2005 we unfortunately had a botnet client on
campus with the IP address of 192.168.2.51. If we look at a slightly simplified
TCP port report line for this IP address at 11:06 PST, we see the data shown
in Table 8.6.
Table 8.6  TCP Report for IP Address 192.168.2.51

Timestamp   Ip            Apps  Work  SA/S  L3D/L4D  Port Signature
11:06 PST   192.168.2.51  IP    38    0     47/3     [139,25][445,72][3816,2]

From the application flags (IP), this appears to be a system using IRC that
is also scanning into our darknet. It is also using the conventional ports of 139
and 445 for its scanning attacks. It’s a botnet client on a channel called f7, as
we learned later. If we come back and look at the same data in the next hour,
we find the data shown in Table 8.7.
Table 8.7  192.168.2.51, Later in the Day

Timestamp   Ip            Apps  Work  SA/S  L3D/L4D    Port Signature
12:35 PST   192.168.2.51  IP    13    25    2881/1747  [139,20][445,65][1037,2][1041,3][1042,2]*

This host is still scanning but it has now acquired 2881 friends in its 30-
second period at 1747 ports, and all 10 port signature buckets are full too (not
all shown). In addition, note how the work weight has gone down, but the
SA/S value is now nonzero. It appears that the system in question is starting
to act like a server. So what happened? The bot client was turned into a bot
server. Of course, given the tendency of P2P applications like BitTorrent to
have large numbers of peers, maybe it’s an infected bot client with a local user
(or the remote hacker?) running BitTorrent. As it turns out, there are other
simpler ways to detect a bot server.
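The reasoning above compares two port report samples for the same host and reads the client-to-server change off the columns: SA/S moving from zero to nonzero, the L3D peer count exploding, the work weight dropping, and the port signature buckets filling up. The following script is an added example, not code from the book or from the reporting tool it describes. It parses simplified report lines constructed to mirror Tables 8.6 and 8.7, then applies those same checks as a small detector. Column meanings (work weight, SA/S as a SYN-ACK to SYN ratio, L3D/L4D as distinct destination IP and port counts, the flag letter I marking IRC) and the numeric thresholds are assumptions taken from the chapter's prose, not from a published report format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed report lines mirroring Tables 8.6 and 8.7 above (not captured data).
REPORT_LINES = [
    "11:06 PST 192.168.2.51 IP 38 0 47/3 [139,25][445,72][3816,2]",
    "12:35 PST 192.168.2.51 IP 13 25 2881/1747 [139,20][445,65][1037,2][1041,3][1042,2]*",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2} [A-Z]{3})\s+(?P<ip>[\d.]+)\s+(?P<apps>[A-Z]+)\s+"
    r"(?P<work>\d+)\s+(?P<sa_s>\d+)\s+(?P<l3d>\d+)/(?P<l4d>\d+)\s+(?P<sig>\S.*)$"
)
BUCKET_RE = re.compile(r"\[(\d+),(\d+)\]")

# Assumed tuning knobs (the chapter gives no thresholds).
IRC_FLAG = "I"           # assumed: 'I' in the apps column marks IRC traffic
SCAN_PORTS = {139, 445}  # the ports the text calls conventional scanning targets
L3D_JUMP = 10            # x-fold rise in distinct destinations treated as a peer explosion
BUCKET_LIMIT = 10        # the report carries at most 10 port signature buckets


@dataclass
class Sample:
    ts: str
    ip: str
    apps: str
    work: int            # work weight
    sa_s: int            # SYN-ACK/SYN: nonzero means the host answers connections
    l3d: int             # distinct destination IPs in the 30-second sample
    l4d: int             # distinct destination ports
    signature: List[Tuple[int, int]]  # (port, count) buckets
    truncated: bool      # trailing '*': more buckets exist than are shown


def parse_line(line: str) -> Sample:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised report line: {line!r}")
    sig = m.group("sig").strip()
    buckets = [(int(p), int(c)) for p, c in BUCKET_RE.findall(sig)]
    return Sample(m.group("ts"), m.group("ip"), m.group("apps"),
                  int(m.group("work")), int(m.group("sa_s")),
                  int(m.group("l3d")), int(m.group("l4d")),
                  buckets, sig.endswith("*"))


def scanning_ports(s: Sample) -> List[int]:
    """Scan-target ports present in the port signature."""
    return sorted(p for p, _ in s.signature if p in SCAN_PORTS)


def server_transition(prev: Sample, cur: Sample) -> List[str]:
    """Reasons the later sample looks like a client that became a server."""
    if prev.ip != cur.ip:
        raise ValueError("samples must describe the same host")
    reasons = []
    if prev.sa_s == 0 and cur.sa_s > 0:
        reasons.append(f"SA/S rose from 0 to {cur.sa_s}: host now answers connections")
    if prev.l3d > 0 and cur.l3d >= prev.l3d * L3D_JUMP:
        reasons.append(f"L3D jumped from {prev.l3d} to {cur.l3d} distinct peers")
    if cur.work < prev.work:
        reasons.append(f"work weight fell from {prev.work} to {cur.work}")
    if cur.truncated or len(cur.signature) >= BUCKET_LIMIT:
        reasons.append("all port signature buckets in use")
    return reasons


def review(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Walk report lines in time order and return (timestamp, ip, finding) tuples."""
    last: Dict[str, Sample] = {}
    findings = []
    for line in lines:
        s = parse_line(line)
        ports = scanning_ports(s)
        if IRC_FLAG in s.apps and ports:
            findings.append((s.ts, s.ip, f"IRC flag plus scanning on ports {ports}"))
        if s.ip in last:
            for reason in server_transition(last[s.ip], s):
                findings.append((s.ts, s.ip, reason))
        last[s.ip] = s
    return findings


if __name__ == "__main__":
    for ts, ip, finding in review(REPORT_LINES):
        print(f"{ts} {ip}: {finding}")
```

Run against the two constructed lines, the first sample yields only the IRC-plus-scanning finding, while the second adds four transition reasons (SA/S now nonzero, L3D up from 47 to 2881, work weight down from 38 to 13, signature buckets full). The BitTorrent caveat from the text still applies: a large L3D jump alone is not proof of a bot server, which is why the detector reports reasons for a human to weigh rather than a verdict.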
So how can you detect a bot server? Some of the simpler ways are: