Botnets - The killer web applications

www.syngress.com
370
Chapter 10 • Using Sandbox Tools for Botnets
427_Botnet_10.qxd 1/9/07 3:06 PM Page 370


Finding Out How New Hosts Are Infected
To find new infectable machines, a lot of malware probes remote hosts for known vulnerabilities. There are several strategies for determining which hosts to probe: some malware generates random IPs, others scan complete (also randomly chosen) IP ranges. There are also applications that use predefined internal or external target lists. Internal lists are contained inside the malware binary; external ones need to be reloaded from one or multiple possible locations on the Internet. After one potential target has been determined, it is probed for one or several vulnerabilities. Since the possible exploits all work in different ways and use several different target services, it is hard to give a standard procedure for detecting their usage from an analysis report, but some clues will always be there. In any case, a connection to a remote host needs to be established on one or more of the specific possible ports. For some ports, any attempt to establish a connection is a promising hint of an exploitation attempt. For example, although they are really old, malware still searches for known security leaks in the LSASS and the DCOM RPC Service. Therefore, you will often see outgoing connections on TCP ports 135, 139 and 445. Because these ports are normally blocked by CWSandbox by default, the connection establishment attempts will still be included in the analysis report. The analysis report would include some outputs like these:

remoteport="445" connectionestablished="0" socket="2700"/>
remoteport="445" connectionestablished="0" socket="2700"/>
remoteport="445" connectionestablished="0" socket="2700"/>
remoteport="445" connectionestablished="0" socket="2700"/>
remoteport="445" connectionestablished="0" socket="2700"/>
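The check described above, turned into code as an added example (it is not from the book and not part of CWSandbox): it reads a CWSandbox-style XML report, counts connection attempts to TCP 135, 139 and 445, and reports whether any of them went through. The <connection> element name and the remoteaddr attribute in the constructed sample are assumptions; only remoteport, connectionestablished and socket appear in the quoted output.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# TCP ports the chapter names as typical targets of old LSASS / DCOM RPC exploits.
PROBE_PORTS = {135: "DCOM RPC", 139: "NetBIOS/SMB", 445: "SMB/LSASS"}

# Constructed sample in the style of the report lines quoted above; the
# <connection> element name and remoteaddr attribute are assumptions.
SAMPLE_REPORT = """<analysis><winsock_section>
<connection remoteaddr="10.0.0.12" remoteport="445" connectionestablished="0" socket="2700"/>
<connection remoteaddr="10.0.0.13" remoteport="445" connectionestablished="0" socket="2700"/>
<connection remoteaddr="10.0.0.14" remoteport="445" connectionestablished="0" socket="2700"/>
<connection remoteaddr="10.0.0.15" remoteport="135" connectionestablished="0" socket="2704"/>
<connection remoteaddr="198.51.100.7" remoteport="80" connectionestablished="1" socket="2710"/>
</winsock_section></analysis>"""


def scan_report(xml_text):
    """Count connection attempts to PROBE_PORTS per port, the distinct
    targets, and how many of those attempts actually went through."""
    attempts, established, targets = Counter(), Counter(), set()
    for conn in ET.fromstring(xml_text).iter("connection"):
        try:
            port = int(conn.get("remoteport", ""))
        except ValueError:
            continue  # missing or malformed port: not an indicator
        if port not in PROBE_PORTS:
            continue
        attempts[port] += 1
        targets.add(conn.get("remoteaddr", "unknown"))
        if conn.get("connectionestablished") == "1":
            established[port] += 1
    return attempts, established, sorted(targets)


def assess(xml_text, min_attempts=3):
    """Turn the raw counts into an analyst-facing finding."""
    attempts, established, targets = scan_report(xml_text)
    total = sum(attempts.values())
    return {
        # Repeated attempts or several targets on these ports suggest probing.
        "suspicious": total >= min_attempts or len(targets) > 1,
        "attempts_by_port": {PROBE_PORTS[p]: n for p, n in sorted(attempts.items())},
        "distinct_targets": len(targets),
        # 0 is expected while the sandbox blocks these ports; re-run with them
        # allowed and full data logging on to capture the exploit payload.
        "established": sum(established.values()),
    }
```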

To get more information about these attempts, you should not forbid connections to those ports. Furthermore, you should configure CWSandbox such that all communication data is logged. Even if this logging is not enabled, the .cab file will contain the content of all TCP packets that
