Index
463
  TCP, 222–223, 237, 246, 255–272, 283, 301
  UDP, 246, 273–275, 283
port scanning, 156
port signatures, 257, 261–262
ports
  blocking, logging, 149–150
  and botnet recruitment, 42–46
  checking your computer’s open, 103
  vulnerable, 213, 262
Preboot Execution Environment (PXE), 347
Pretty Park bot client, 7–8
PRIVMSG IRC protocol message, 289
probes, network monitoring with, 140–141
Process Explorer, 74, 199–201
Process Explorer/Monitor, 183
Protected Storage Service (Windows 2000), 382–383
protocols. See specific protocol
Provos, Nils, 178
pwdump2, 3, 4, 43
PXE (Preboot Execution Environment), 347
PXE Windows Image Using Linux, 347
Pyramid of Internet Piracy, 57
R
Rainbow tables, 44
rallying botnet clients, 37–41
Ransom A Trojan, 69
ransomware, 60–61, 69
RBot, 14–15, 34–41, 104–111, 129, 131, 181–182, 186, 205
RCPView, 74
recruiting, and botnets, 42–46
Register of Known Spam Operations (ROKSO), 441
registry
  Agobot entries, 113–114
  Mytob entries, 125–126
  RBot entries, 106
  SDBot entries, 101–102
  Spybot entries, 120–122
  Windows, modification by botnets, 131
Relay Black Lists (RBL), 53
remote access, Rbot and, 34
Remote Access Trojan (RAT), 33–34, 100, 443
remote administration tools, 87
REN-ISAC (Research and Education Network–Information Sharing and Analysis Center), 403, 436
reporting
  abuse, 134, 138–139
  of botnet back to botherder, 62
  botnets to authorities, 434–438
  DNS records, 82
  UDP port, 246
reports
  C&C botnets, 436–437
  converting XML to HTML, 359
  CWSandbox analysis, 349–351, 359–369, 388–389
  email syn port (ourmon), 275–278
  IRC (ourmon), 290–298
  Protected Storage Service (Windows 2000), 382–383
  TCP port, 222–223, 246, 255–272
  UDP port, 273–275
Research and Education Network—Information Sharing and Analysis Center (REN-ISAC), 403
resources
  See also Web sites
  antivirus Web sites, 398–399
  Bleedingsnort, 170
  firewalls, books on, 150
  forensic, 207
  honeypots, 179
  intelligence. See intelligence resources
  ourmon tool, 219
  Symantec’s Web site, 137
  TCP/IP protocols, 321
  WildList Organization International, 164–165
Rockefeller, John D., 62
Roesch, Martin, 168
Rootkit Revealer, 38, 183
rootkits, 38
routers, firewalls and logging, 148–150
RRDtool, 144, 220, 226, 230, 231, 235, 242, 248–250, 291
RSPAN (Cisco), 213
Rutkowska, Joanna, 352
S
SAM password crackers, 43
sandboxes. See CWSandbox
Sandnet, 347
Santy worm, 322
scanning
  detecting TCP- or UDP-based exploits, 246
  on-demand, on-access, 214
  services, 167
  tools used by botnets, 42
  tools and vulnerability attacks, 32–33
Schneier, Bruce, 426
scoopy doo tool, 351
SDBot, 9–10, 41–42, 98–104, 129
searching ourmon event logs, 325–329, 340–341
securing botnet clients, 37–41
security
  effective practices, 430–434
  policies, process, 426–428
Security Accounts Manager (SAM) database, 61
server bot mesh, 225
servers
  Command and Control. See Command and Control servers
  IRC botnet, detecting, 304–308
Service Control Manager (SCM), 370
Service Pack 2, Windows XP, 132
ServU Secure, 57
Shadowserver Foundation, 179, 401–402
signature detection vs. anomaly-based tools, 252–253
signatures
  antivirus, 162–163
  attack, 158
  port, 257
Silktools for flow analysis, 147
Singh, Kapil Kumar, 444
Sinit P2P botnet, 86
sinkholing servers, 83
Siwek, Stephen E., 55
Slade, Robert, 155
Smurf attacks, 49
sniffers, network monitoring with, 140–141, 143
sniffing
  infected hosts, 435
  IRC messages, 329–333, 341
SNMP Remote Monitoring (RMON), 141
SNMP tools, network monitoring with, 143–146
Snort intrusion detection, 168–172, 253
Sober worm, 125
SoBig virus, 27
Social Security Account Numbers (SSANs), 61
software
  See also specific product
  antivirus (A/V), 161–165, 214
  engineering, halting problem, 425–426
  open source vs. commercial, 174
Sourcefire Vulnerability Research Team (VRT), 169
Spafford, Eugene, 173
spam
  and abuse, 139–140
  Blue Security anti-spam company, 438–444
  botnet-spam, 51–55, 62–69
  detecting with ourmon, 242
  in Instant Messaging (SPIM), 10, 16, 32
  preventing, 421–423