Botnets - The killer web applications

www.syngress.com
394
Chapter 11 • Intelligence Resources
427_Botnet_11.qxd 1/9/07 9:56 AM Page 394


It is imperative that you determine who has been logged on to the machine,
what access they had, and what data that machine or user has accessed. If client
information has been accessed, you may need to contact clients to inform them
that their personal or corporate information has been compromised.
The files making up the botnet should also be isolated to identify how to
properly remove it. Identifying the files used by the botnet will allow you to
look up removal methods on antivirus or security sites, as we discussed in
Chapter 5 and will discuss further in this chapter. Acquiring copies of the
botnet will also allow you to disassemble it to review information that is hard
coded into it.
Disassemblers
In addition to the other intelligence-gathering tools and techniques mentioned
elsewhere in the book, including those in Chapter 5 and the very promising
sandbox technique described in the previous chapter, one more tool for
extracting botnet intelligence is a disassembler.
Disassembling is the process of translating an executable program's machine
code into its equivalent assembly-language representation. Using a disassembler,
one can analyze more closely the functions of code segments, jumps, and calls.
Through these analyses, one can better understand the inner workings of a
given binary program and assess portions that may afford one the opportunity
to exploit the target program. Using a disassembler, you can view any
information that is hard coded into the program, including any IP addresses a
botnet sends information to, or data that might reveal its originating source.
At the very least, it will give you an indication of how the botnet was using
hosts on your network.
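As an added example (not from the book), here is a small Python triage script that recovers the first kind of intelligence the text says a disassembler exposes: strings hard coded into a bot binary, such as the IP addresses, hostnames, and IRC commands it uses to report in. The byte blob, hostname, and addresses are constructed for this example (documentation ranges and a `.test` domain); against a real sample you would read the file from disk instead.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed stand-in for a bot binary's data section (not a real sample):
# the hostname, addresses and IRC verbs below are made up for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"irc.example-c2.test\x00"
    + b"NICK\x00JOIN #chan\x00"
    + b"203.0.113.45\x00"
    + b"999.1.1.1\x00\x00"                                # IP-shaped, not a valid address
    + "198.51.100.7".encode("utf-16-le") + b"\x00\x00"   # UTF-16LE (wide) string
    + b"\x17\x03\x01" + b"\xff" * 8                       # non-printable filler
    + b"http://198.51.100.7:6667/update.bin\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # 4+ printable UTF-16LE chars
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\x00\"']+", re.IGNORECASE)
IRC_VERBS = {"NICK", "JOIN", "PRIVMSG", "PING", "USER"}


def extract_strings(blob: bytes) -> List[str]:
    """Pull printable ASCII and UTF-16LE runs out of raw bytes, like `strings -e l`."""
    narrow = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    wide = [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)]
    return narrow + wide


def is_valid_ipv4(candidate: str) -> bool:
    """Reject IP-shaped junk such as 999.1.1.1 by checking every octet."""
    m = IPV4_RE.fullmatch(candidate)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def hardcoded_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Sort embedded strings into the kinds of intelligence the chapter mentions."""
    found: Dict[str, List[str]] = {"ipv4": [], "hostnames": [], "urls": [], "irc_commands": []}
    for s in extract_strings(blob):
        for url in URL_RE.findall(s):                 # URLs: record them and their host
            found["urls"].append(url)
            host = urlsplit(url).hostname or ""
            if host:
                found["ipv4" if is_valid_ipv4(host) else "hostnames"].append(host)
        rest = URL_RE.sub(" ", s)                     # classify what is left outside URLs
        found["ipv4"] += [m.group() for m in IPV4_RE.finditer(rest) if is_valid_ipv4(m.group())]
        found["hostnames"] += [h for h in HOST_RE.findall(rest) if not IPV4_RE.fullmatch(h)]
        if s.split(" ", 1)[0] in IRC_VERBS:           # bare IRC protocol verbs hint at C&C style
            found["irc_commands"].append(s)
    return {kind: sorted(set(values)) for kind, values in found.items()}
```

The recovered addresses and hostnames are what you would go on to check against your own firewall and proxy logs to see which hosts on your network the bot was talking to.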
Several types of Windows-based disassemblers are available via the Web,
among the more popular being Hackman Disassembler, PE Explorer, and DJ
Java Decompiler. These disassemblers offer an intuitive graphical user interface
by which many aspects of the disassembled program in question can be
determined quickly.
PE Disassembler
As seen in Figure 11.1, PE Explorer is a tool from Heaventools Software
(www.heaventools.com), and is used to disassemble Win32 executables, so you
