Botnets - The killer web applications

www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10

and some modified IRC servers do not answer with RFC-conforming messages or do not answer at all until the IRC client has authenticated completely. CWSandbox tries to recognize these custom protocols as well, but obviously this is only possible within a certain range of modifications. Often the communications of these modified IRC servers can be read manually if the traffic-logging option is used. If an IRC communication is detected successfully, an output like the following will be contained in the analysis report:
remoteport="7000" protocol="IRC" connectionestablished="1" socket="476">
topic_deleted=":.asc asn1smbnt 200 5 0 -b -r"/>

We see that a TCP connection was established to the host 203.115.204.58 on port 7000. Although port 7000 is not the most well-known port associated with IRC (that would be port 6667), it is a common choice, along with 6665 and 6666. After authenticating itself with the username SIS-21920206516 and nickname SIS-21920206516, the client joins the channel #n using the password .n. Some IRC servers are additionally secured with a server password; in that case the value used for it would also be included in the report. Normally, after joining an IRC channel, the channel topic is transmitted automatically to the client. In the case of bots, this topic is mostly used to send an initial command to the client, in this case .asc asn1smbnt 200 5 0 -b -r (see Chapter 4 for further description of commonly used bot commands). The last section of this chapter contains detailed information about the results on IRC connections, which we were able to retrieve by analyzing over 1,800 bot samples found in the wild.
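As an added example (not from the book or from CWSandbox itself), the following Python script pulls the IRC C&C indicators out of a sandbox report shaped like the fragment above. The attribute names remoteport, protocol, connectionestablished, socket and topic_deleted are taken from the page; the connection and irc_data element names and the remoteaddr, username, nick, channel and channel_password attributes are assumptions, and the report is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Ports the text names as common for IRC C&C: 6667 is canonical, 6665/6666/7000 are frequent.
COMMON_IRC_PORTS = {6665, 6666, 6667, 7000}

# Constructed sample modelled on the report fragment in the text. Element and attribute
# names other than remoteport/protocol/connectionestablished/socket/topic_deleted are
# assumptions for this example, not CWSandbox's documented schema.
SAMPLE_REPORT = """<analysis>
  <connection transportprotocol="TCP" remoteaddr="203.115.204.58"
              remoteport="7000" protocol="IRC" connectionestablished="1" socket="476">
    <irc_data username="SIS-21920206516" nick="SIS-21920206516"
              channel="#n" channel_password=".n"
              topic_deleted=":.asc asn1smbnt 200 5 0 -b -r"/>
  </connection>
  <connection transportprotocol="TCP" remoteaddr="192.0.2.10"
              remoteport="80" protocol="HTTP" connectionestablished="1" socket="480"/>
</analysis>"""


def parse_topic_command(topic):
    """Split a channel topic into (command, args). An IRC TOPIC reply carries the
    topic text after a leading ':', which is not part of the bot command."""
    text = topic[1:] if topic.startswith(":") else topic
    parts = text.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def extract_irc_cnc(report_xml):
    """Return one finding per established IRC connection in the report."""
    findings = []
    for conn in ET.fromstring(report_xml).iter("connection"):
        if conn.get("protocol") != "IRC" or conn.get("connectionestablished") != "1":
            continue  # only connections the sandbox classified as live IRC sessions
        port = int(conn.get("remoteport", "0"))
        data = conn.find("irc_data")
        topic = data.get("topic_deleted", "") if data is not None else ""
        command, args = parse_topic_command(topic)
        findings.append({
            "server": conn.get("remoteaddr"),
            "port": port,
            "common_irc_port": port in COMMON_IRC_PORTS,
            "nick": data.get("nick") if data is not None else None,
            "channel": data.get("channel") if data is not None else None,
            "channel_password": data.get("channel_password") if data is not None else None,
            "initial_command": command,   # e.g. ".asc", the scanner command seen in the text
            "command_args": args,
        })
    return findings


if __name__ == "__main__":
    for finding in extract_irc_cnc(SAMPLE_REPORT):
        print(finding)
```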
How Does the Bot Get Binary Updates?
Often the first thing malware does is to retrieve new files or instructions from its operator. This is done to get code updates or refreshed configuration data, since the running malware might be an outdated version or might contain the addresses of machines that have already been shut down. In the case of bots, this configuration data is most often received via their C&C channels, but there are also variants that try to get this data from hardwired URLs. In any case, you will see an