Botnets - The killer web applications

www.syngress.com
300
Chapter 8 • IRC and Botnets
427_Botnet_08.qxd 1/8/07 4:10 PM Page 300


Table 8.5 Channel Hobo Hosts

Ip_src         Tmsgs   Tprivmsgs   Maxworm   Server?   Sport/dport
192.168.6.66   199     22          95        H         4929/504
192.168.7.77   159     0           40        H         1028/219557
10.38.4.27     756     7           50        S         25394/2777
When we go and look at our TCP port report summarization, we discover that 192.168.6.66 has indeed been scanning on ports 139 and 445. Those are classic ports for Microsoft-based exploits. If we aren't convinced, we might resort to other measures. For example, if your acceptable-use policy lets you peek at data payloads, you might now use ngrep to look at host 192.168.6.66 or host 10.38.4.27 (because PRIVMSGS exist and at least one host appears to be in contact with the server). A command like this could reveal something interesting:
# ngrep host 192.168.6.66 or host 10.38.4.27
If you are suspicious, watch traffic associated with the server's IP address. As a result you might see traffic with other infected hosts that you did not yet suspect. If you find a suspicious server IP in the IRC report, search all the way through that report. Note all the channel names where the server's IP address appears. As a result we could learn that channels hobo and .i-exp have the same server.
As a result of watching the server, you might see an IRC payload like this:
PRIVMSG #.i-exp :[S]CAN WKSSVCE445: Exploiting IP: 192.1.2.4
Oops! You just caught the bad guys in the act. Apparently the results of port 445 scans are being reported back to the channel, and a new IP on your net might have just been infected.
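The three steps above (find the server IP in the channel report, collect every channel that server appears in, then watch its payload for bots reporting scan results) can be scripted. The following is an added example, not code from the book or from ourmon/ngrep; the channel report and IRC lines are constructed to resemble Table 8.5 and the PRIVMSG shown above, and the extra .i-exp rows, host 192.168.9.9 and victim 192.1.2.9 are made-up values.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Table 8.5: channel, ip_src, tmsgs,
# tprivmsgs, maxworm, server? (H = host, S = server), sport/dport.
CHANNEL_REPORT = """\
hobo   192.168.6.66 199 22 95 H 4929/504
hobo   192.168.7.77 159 0  40 H 1028/219557
hobo   10.38.4.27   756 7  50 S 25394/2777
.i-exp 10.38.4.27   310 3  12 S 25394/1990
.i-exp 192.168.9.9  88  5  61 H 1044/812
"""

# Constructed IRC payload lines of the kind ngrep would show for the server.
IRC_PAYLOAD = """\
PRIVMSG #.i-exp :[S]CAN WKSSVCE445: Exploiting IP: 192.1.2.4
PRIVMSG #hobo :hello all
PRIVMSG #.i-exp :[S]CAN WKSSVCE445: Exploiting IP: 192.1.2.9
"""

# A bot's scan status report to the channel; captures the victim address.
EXPLOIT_REPORT = re.compile(
    r"PRIVMSG\s+#(?P<chan>\S+)\s+:\[S\]CAN\s+\S+:\s+Exploiting IP:\s+"
    r"(?P<victim>\d+\.\d+\.\d+\.\d+)")

def parse_channel_report(text):
    """Turn the flat channel report into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        chan, ip, tmsgs, tprivmsgs, maxworm, role, ports = line.split()
        rows.append({"channel": chan, "ip": ip, "tmsgs": int(tmsgs),
                     "tprivmsgs": int(tprivmsgs), "maxworm": int(maxworm),
                     "server": role == "S", "ports": ports})
    return rows

def channels_by_server(rows):
    """Map each server IP to all channels it appears in (the whole-report search)."""
    out = defaultdict(set)
    for r in rows:
        if r["server"]:
            out[r["ip"]].add(r["channel"])
    return {ip: sorted(chans) for ip, chans in out.items()}

def suspect_hosts(rows, worm_threshold=30):
    """Non-server hosts whose worm count from the TCP port report exceeds the threshold."""
    return sorted(r["ip"] for r in rows if not r["server"] and r["maxworm"] > worm_threshold)

def reported_victims(payload):
    """Extract (channel, victim IP) pairs from bot exploit reports seen in IRC traffic."""
    return [(m.group("chan"), m.group("victim"))
            for m in (EXPLOIT_REPORT.match(l) for l in payload.splitlines()) if m]
```

The victim IPs returned by reported_victims are the hosts on your net to check next, since each one may have just been infected.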
Using honeypot technologies, we eventually determined that this particular bot is known as toxbot. Symantec calls this one W32.Toxbot.AL. See Symantec's web page for more information on this bug.