Botnets - The killer web applications

www.syngress.com
332
Chapter 9 • Advanced Ourmon Techniques
427_Botnet_09.qxd 1/8/07 4:45 PM Page 332


Table 9.3 Ourmon IRC Summarization: Channel #y3##

IP           Msg  Maxworm  Server?  Sport/dport  First_ts
192.168.2.3  53   54       H        2366/28555   Oct_16_22:18:46_PDT
10.0.0.1     53   66       S        28555/2366   Oct_16_22:18:46_PDT
So the problem is that we have a very small IRC network with one local host and a very strange channel name. We had not seen this channel name before. The work weight is a middling value and is not a smoking gun in terms of scanning. If the local client 192.168.2.3 had a work weight of 99, we could be more confident about scanning behavior. Assume that this channel appeared yesterday. We don't happen to have yesterday's packets to help us investigate what was actually going on. Here we can use the ircfr IRC flight recorder program to see what, if anything, might be learned about suspicious borderline channels such as this one.
The program ircfr is a sniffing tool supplied with ourmon. It is new and as a result is rather primitive. It can be found in /home/mrourmon/src/tools/ircfr. See the README in that directory for installation. The basic idea is that it captures IRC payloads (PRIVMSG or JOIN) and stores them in a few days' worth of files. The file for yesterday is called ircfr.yesterday.txt. The file for today is called ircfr.today.txt. At midnight the file for today is moved to become the file for yesterday. Then ircfr is restarted to capture today's output. All we really need to do is find the stored files for ircfr and use grep to pick out the channel name as follows:
# grep "channel=#y3##" ircfr.yesterday.txt
ircfr.yesterday.txt:
IRCMSG: PRIVMSG: s=192.168.2.3 -> d=10.0.0.1
dport=28555 sflag=0, channel=#y3## clen=5: p=[PRIVMSG ##y3## :[DOWNLOAD]:
Downloaded 175.5 KB to c:\windows\system32\winl0gon.exe @ 175.5 KB/sec.]
The packet payload is an IRC PRIVMSG command with data. The data tells us that a piece of malware called winl0gon.exe was downloaded. So #y3## is a botnet channel.
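The grep above does the job for one channel name, but a small parser makes the same flight-recorder data easier to query: pull out every record for a channel, count messages per host the way the Msg column of Table 9.3 does, and flag PRIVMSG payloads that carry a download indicator. The Python below is an added example, not code from the book or from ourmon; the record layout follows the single ircfr line shown in the chapter, and the three sample records (the JOIN, the #chat line and the ##y3## download message) are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of ircfr-style records, modelled on the one line shown in
# the chapter. Hosts, channels and payloads are illustrative, not captured data.
SAMPLE_IRCFR = r"""
IRCMSG: JOIN: s=192.168.2.3 -> d=10.0.0.1 dport=28555 sflag=0, channel=#y3## clen=5: p=[JOIN #y3##]
IRCMSG: PRIVMSG: s=192.168.2.3 -> d=10.0.0.1 dport=28555 sflag=0, channel=#y3## clen=5: p=[PRIVMSG ##y3## :[DOWNLOAD]: Downloaded 175.5 KB to c:\windows\system32\winl0gon.exe @ 175.5 KB/sec.]
IRCMSG: PRIVMSG: s=192.168.2.7 -> d=192.168.2.9 dport=6667 sflag=0, channel=#chat clen=5: p=[PRIVMSG #chat :hello everyone]
"""

# One ircfr record per line: IRC command, endpoints, channel and the raw payload.
# The payload itself may contain ']' (as in "[DOWNLOAD]"), so the match is
# anchored to the closing ']' at end of line.
RECORD_RE = re.compile(
    r"^IRCMSG: (?P<cmd>[A-Z]+): s=(?P<src>\S+) -> d=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) sflag=(?P<sflag>\d+), channel=(?P<channel>\S+) "
    r"clen=(?P<clen>\d+): p=\[(?P<payload>.*)\]$"
)

# Payload fragments that, in a channel nobody recognises, point at a bot
# fetching and dropping a binary. Compared case-insensitively.
DOWNLOAD_INDICATORS = ("[download]", "downloaded ", ".exe")


def parse_ircfr(text: str) -> List[Dict[str, str]]:
    """Parse ircfr output into one dict per record; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def records_for_channel(records: List[Dict[str, str]], channel: str) -> List[Dict[str, str]]:
    """The equivalent of grep "channel=<name>" over the stored file."""
    return [r for r in records if r["channel"] == channel]


def hosts_in_channel(records: List[Dict[str, str]], channel: str) -> Dict[str, int]:
    """Message count per source host, in the spirit of the Msg column of the IRC report."""
    return dict(Counter(r["src"] for r in records_for_channel(records, channel)))


def suspicious_payloads(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """PRIVMSG records whose text carries one of the download indicators."""
    hits = []
    for r in records:
        if r["cmd"] != "PRIVMSG":
            continue
        text = r["payload"].lower()
        if any(ind in text for ind in DOWNLOAD_INDICATORS):
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_ircfr(SAMPLE_IRCFR)
    print("hosts in #y3##:", hosts_in_channel(recs, "#y3##"))
    for hit in suspicious_payloads(records_for_channel(recs, "#y3##")):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}  {hit['payload']}")
```

On a real box, replace SAMPLE_IRCFR with the contents of ircfr.yesterday.txt or ircfr.today.txt; since ircfr records only PRIVMSG and JOIN, the JOIN records give the roster of hosts that entered the channel even when they never spoke, which the grep on a single channel name shows just as well but is harder to tally by hand.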