Botnets - The Killer Web Applications
www.syngress.com
Chapter 5 • Botnet Detection: Tools and Techniques


Table 5.4 Outbound Firewall Record Sort

| Date | Time | Action | Protocol | SRC-IP | DST-IP | SRC-Port | DST-Port | Size | Path |
|---|---|---|---|---|---|---|---|---|---|
| 11/13/2006 | 18:50:52 | CLOSE | TCP | 192.168.116.92 | 10.0.180.6 | 3389 | 3027 | | |
| 11/13/2006 | 18:44:24 | DROP | UDP | 192.168.118.4 | 239.255.255.250 | 8008 | 1900 | 129 | RECEIVE |
| 11/13/2006 | 18:51:15 | DROP | UDP | 192.168.116.176 | 255.255.255.255 | 68 | 67 | 328 | RECEIVE |
| 11/13/2006 | 18:51:18 | DROP | UDP | 192.168.116.176 | 255.255.255.255 | 68 | 67 | 328 | RECEIVE |
| 11/13/2006 | 18:43:47 | DROP | UDP | 192.168.118.176 | 255.255.255.255 | 68 | 67 | 328 | RECEIVE |
| 11/13/2006 | 18:55:40 | OPEN | TCP | 192.168.116.92 | 10.10.115.28 | 2531 | 80 | | |
| 11/13/2006 | 18:52:49 | OPEN | TCP | 192.168.116.92 | 10.79.200.5 | 4819 | 21 | | |
| 11/13/2006 | 18:55:45 | OPEN | UDP | 192.168.116.92 | 192.168.117.173 | 137 | 137 | | |
| 11/13/2006 | 18:56:46 | OPEN | UDP | 192.168.116.92 | 192.168.117.173 | 137 | 137 | | |
| 11/13/2006 | 18:57:31 | OPEN | TCP | 192.168.116.92 | 192.168.117.251 | 2291 | 139 | | |
| 11/13/2006 | 18:44:37 | OPEN | UDP | 192.168.116.92 | 192.168.150.128 | 1026 | 53 | | |
| 11/13/2006 | 18:44:37 | OPEN | TCP | 192.168.116.92 | 192.168.153.214 | 2418 | 135 | | |
| 11/13/2006 | 18:44:37 | OPEN | TCP | 192.168.116.92 | 192.168.153.214 | 2419 | 1025 | | |
| 11/13/2006 | 18:50:49 | OPEN-INBOUND | TCP | 10.0.180.6 | 192.168.116.92 | 3027 | 3389 | | |
| 11/13/2006 | 18:50:50 | OPEN-INBOUND | TCP | 10.1.11.229 | 192.168.116.92 | 33944 | 4044 | | |
Another tool you can use to automate your log analysis is Swatch
(http://swatch.sourceforge.net/), which can handle most kinds of logs, if
you’re prepared to spend the time normalizing logs (setting up mechanisms
for formatting them so that they can be read by applications other than the
one that created them), training Swatch in what to look for, and organizing
an appropriate report format. Set priorities for high-risk entry points, and
think proactively; the best forensics are done before the incident happens.
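The per-source sort that Table 5.4 illustrates is easy to automate. The script below is an added example, not code from the book or from Swatch: it parses firewall records laid out in the table's column order (a constructed, whitespace-separated rendering of the table's own rows), keeps only locally initiated OPEN records, and reports for each source host how many distinct destinations and destination ports it reached, so that the busiest sources can be reviewed first. The thresholds in `review_first` are assumed values, not anything the chapter specifies.

```python
from collections import defaultdict
# Constructed input: Table 5.4 rows re-typed as whitespace-separated
# records in the table's column order; '-' marks an empty cell.
SAMPLE_LOG = """\
11/13/2006 18:50:52 CLOSE TCP 192.168.116.92 10.0.180.6 3389 3027 - -
11/13/2006 18:44:24 DROP UDP 192.168.118.4 239.255.255.250 8008 1900 129 RECEIVE
11/13/2006 18:55:40 OPEN TCP 192.168.116.92 10.10.115.28 2531 80 - -
11/13/2006 18:52:49 OPEN TCP 192.168.116.92 10.79.200.5 4819 21 - -
11/13/2006 18:55:45 OPEN UDP 192.168.116.92 192.168.117.173 137 137 - -
11/13/2006 18:56:46 OPEN UDP 192.168.116.92 192.168.117.173 137 137 - -
11/13/2006 18:57:31 OPEN TCP 192.168.116.92 192.168.117.251 2291 139 - -
11/13/2006 18:44:37 OPEN UDP 192.168.116.92 192.168.150.128 1026 53 - -
11/13/2006 18:44:37 OPEN TCP 192.168.116.92 192.168.153.214 2418 135 - -
11/13/2006 18:44:37 OPEN TCP 192.168.116.92 192.168.153.214 2419 1025 - -
11/13/2006 18:50:49 OPEN-INBOUND TCP 10.0.180.6 192.168.116.92 3027 3389 - -
"""
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "path")

def parse_records(text):
    """One dict per well-formed line; header, comment and short lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0].startswith("#"):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
        records.append(rec)
    return records

def outbound_fanout(records):
    """Per source: distinct hosts and ports it OPENed. Only locally initiated
    connections count; CLOSE, DROP/RECEIVE and OPEN-INBOUND are ignored."""
    seen = defaultdict(lambda: {"hosts": set(), "ports": set(), "opens": 0})
    for rec in records:
        if rec["action"] != "OPEN":
            continue
        s = seen[rec["src_ip"]]
        s["hosts"].add(rec["dst_ip"]); s["ports"].add(rec["dst_port"]); s["opens"] += 1
    return {src: {"opens": v["opens"], "hosts": len(v["hosts"]),
                  "ports": len(v["ports"])} for src, v in seen.items()}

def review_first(records, min_hosts=5, min_ports=5):
    """Sources whose outbound opens touch many hosts or many ports (assumed thresholds)."""
    return sorted(src for src, s in outbound_fanout(records).items()
                  if s["hosts"] >= min_hosts or s["ports"] >= min_ports)

if __name__ == "__main__":
    print(outbound_fanout(parse_records(SAMPLE_LOG)), review_first(parse_records(SAMPLE_LOG)))
```

On the sample, only 192.168.116.92 initiates connections, reaching 6 hosts on 7 distinct ports in eight opens, which is exactly the kind of source a sorted view brings to the top.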
Antivirus Software Logs
The AV log files are in different locations, depending on your vendor. Users
might also change the locations. In practice we have been using the AV
application to locate and save copies of the logs it collects. Be sure at this
time to disable the antivirus scanning capabilities. Unless you do so, the AV
tool could delete some of your evidence later in the process, when we locate
and turn off the hide process. Then we'll spend some time looking at what it
reported. Sometimes the AV tool grabs one of the bot files before the bot has a
chance to hide. If it did, the AV logs can tell you where the file was located
and consequently where you can find its brothers and sisters. You should locate
and copy the Quarantine folder to the memory stick for later analysis. The .ini
and configuration files of some of these tools have been a good source of
valuable information, including C&C server IP addresses, payload manager
userids and passwords, the network architecture (which ports are used for
what purpose), and the like. Symantec makes a tool called qextract, available
for download on the Symantec site, that will extract the original files from its
quarantine package. You can send the original files to the CWSandbox
(described in Chapter 10), to your AV vendor if its software was unable to
fully identify the virus, or to www.virus.org to be checked by 12 or so
antivirus packages. Figure 5.7 shows results from a malware scan of files
that were sent to www.virus.org.

Download 6,98 Mb.

Do'stlaringiz bilan baham:
1   ...   160   161   162   163   164   165   166   167   ...   387




Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling

kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha


yuklab olish