Botnets - The killer web applications

Sniffing IRC Messages
Sometimes the IRC reports mentioned in Chapter 7 are not enough information to help you find possible botnet-related IRC channels. You have learned two analysis techniques so far:

1. Look for evil channels; you can assume that more than a handful (two or more) that are scanning IP hosts means you probably have a scanning botnet.
2. Look for channels that you have never seen before and then keep an eye on new names.

www.syngress.com
Advanced Ourmon Techniques • Chapter 9
329
However, the latter point is vague. The question is, can you do anything about a possible bot-related IRC channel before it attacks? One thing we can do is branch out from ourmon and use other tools to keep an eye on packet payloads. For example, we can choose to watch a suspicious IRC channel with a tool like ngrep and try to figure out what is going on with that channel. That might work, or it might fail because the interesting events already happened or nothing is happening now. Another possibility is to use a small sniffer supplied as an ourmon tool in the ourmon release, called ircfr (IRC flight recorder), that records all IRC traffic. With ircfr, if you find a suspicious channel (say, #y3## for a channel name), you can go back in time and check out yesterday's log to see what messages, if any, appeared. This could help you decide if an IRC channel is benign or "botty."
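As an added example (not code from the book, from ourmon, or from ircfr), here is a small Python reader for captured IRC lines that does what the text describes: it skips PING/PONG keepalives, tallies the commands seen per channel, and flags channel names that were never seen before (technique 2 above). The line format follows RFC 1459; the sample capture, the nicks and hosts, and the channel #linux are constructed, while #y3## is the page's own example name.

```python
import re
from collections import defaultdict

# One IRC line: optional ":prefix", a command (word or 3-digit numeric), parameters.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+|\d{3})(?: (?P<params>.*))?$")

def parse_irc(line):
    """Return (prefix, command, params, trailing) for one raw IRC line, or None."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params, trailing = m.group("params") or "", None
    if " :" in params:                      # middle params followed by a trailing param
        params, trailing = params.split(" :", 1)
    elif params.startswith(":"):            # only a trailing param (e.g. "JOIN :#chan")
        params, trailing = "", params[1:]
    return m.group("prefix"), m.group("cmd"), params.split(), trailing

def channels_in(msg):
    """Channel names (# or &) that a parsed message joins, parts, or talks to."""
    _prefix, cmd, params, trailing = msg
    if cmd not in ("JOIN", "PART", "PRIVMSG", "NOTICE", "TOPIC"):
        return set()
    targets = params[0] if params else (trailing or "")
    return {t for t in targets.split(",") if t.startswith(("#", "&"))}

def record(lines, known=frozenset()):
    """Replay captured IRC lines like an ircfr log: drop PING/PONG keepalives,
    list commands per channel, and report channel names not in `known`."""
    per_channel = defaultdict(list)
    for line in lines:
        msg = parse_irc(line)
        if msg is None or msg[1] in ("PING", "PONG"):
            continue
        for ch in channels_in(msg):
            per_channel[ch].append(msg[1])
    new = sorted(ch for ch in per_channel if ch not in known)
    return dict(per_channel), new

# Constructed sample capture: nicks, hosts and #linux are made up; #y3## is the page's example.
CAPTURE = [
    ":irc.example.test 001 bot1 :Welcome",
    ":bot1!u@10.0.0.5 JOIN :#y3##",
    "PING :irc.example.test",
    "PONG :irc.example.test",
    ":herder!u@10.0.0.9 PRIVMSG #y3## :ok",
    ":alice!u@10.0.0.2 PRIVMSG #linux :anyone up?",
    ":bot2!u@10.0.0.7 JOIN #y3##",
]
```

Calling `record(CAPTURE, known={"#linux"})` returns the per-channel command lists and `["#y3##"]` as the one channel not seen before; in practice `known` would be the set of channel names collected from earlier days' logs.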
Notes from the Underground…
Lost Botnet Hosts
A botnet host might or might not be used for an attack, so keep in mind that it is always possible that the host belongs to a botnet (and there might be IRC PING and PONG messages), but it might just sit there waiting for orders. These orders might never come; the owner of the botnet might be in jail or on a fishing trip. Another possibility is that the owner might have lost track of the botnet host or simply chooses not to use it, for some reason. For example, a botnet server might exist but be unavailable to the hacker controlling it. This might be because a communication channel to the botnet server was blocked at a router or firewall. So, don't be surprised if a botnet host just sits there. Sometimes such hosts are passive. Sometimes they could be attacking in a subtle
