427 Botnet fm qxd

Case Study #4: Bot Server
Case study #4 is about how we can detect an on-campus botnet server
(C&C). Ourmon has the IRC report mentioned before and also a small set of
RRDtool-based graphs, as seen in Figure 6.4.The graph shows the total net-
work count of important IRC protocol message counts including JOIN,
PINGS, PONGS, and PRIVMSGS. We suspect you can spot the anomaly.
PING and PONG messages are used between servers and clients to maintain
connectivity ( JOINS too for that matter). Our normal count for PING and
PONG messages is about 30 per sample period (a sample period is the 30-
second fundamental ourmon sample time). All of a sudden PINGs and
PONGS have gone way up. Wonder why? Simple. A botnet client was turned
into a botnet server and all of a sudden had around 50,000 remote botnet
clients. Our IRC report shows the amazing upsurge in connectivity as well.
We will return to this botnet server case in a later chapter.
Figure 6.4
IRC Message Counts
www.syngress.com
226
Chapter 6 • Ourmon: Overview and Installation
427_Botnet_06.qxd 1/8/07 3:14 PM Page 226

Tools & Traps…
Botnet Servers and Clients
Botnet servers can have thousands of clients. Typical IRC channels used
for chat by real human beings will not have that many clients. At our
school we have never seen an IRC channel with more than 50 hosts in
it used for real human chat. Thus, if you see an IRC channel with 36,000
hosts in it, you can be fairly sure you have a botnet server.
A botnet client is a piece of software. It may download a new ver-
sion of itself. It can take commands from the C&C server. Thus, a botnet
client can become a botnet server at any time. Or it can change its IRC
channel, port, remote botnet server IP, and probably other attributes as
well, including the set of attacks it uses. It is just software and it can
always download a new version with more capabilities. 

Download 6,98 Mb.

Do'stlaringiz bilan baham: