427 Botnet fm qxd



Download 6,98 Mb.
Pdf ko'rish
bet315/387
Sana03.12.2022
Hajmi6,98 Mb.
#878307
1   ...   311   312   313   314   315   316   317   318   ...   387
Bog'liq
Botnets - The killer web applications

www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
383
427_Botnet_10.qxd 1/9/07 3:06 PM Page 383

Tools & Traps…
Using the Live CWSandbox
A live version of CWSandbox can be accessed at the project homepage
www.cwsandbox.org and at the Sunbelt ResearchCenter at http://
research.sunbelt-software.com/Submit.aspx. After submitting a suspi-
cious file, your e-mail address, and an optional comment, you simply
have to wait until the analysis report is sent to you. Depending on the
current file queue length and on whether the submitted malware file
has previously been analyzed, this can happen immediately or take some
minutes.
Those programs that successfully have used an IRC connection have con-
nected to IRC servers at 317 different IP addresses and have used 120 dif-
ferent TCP ports. Because the IRC servers could be identified only by their
IP addresses, it is possible (and probable) that, due to using dynamic DNS ser-
vices, not all of these hosts are unique. We could presume that two different
bot applications that connect to the same channel on the same host and use
the same channel password are only two variants of one and the same mal-
ware and, therefore, belong to the same botnet. Since we have found 590
unique host-channel-password combinations, this would mean that we have
found 590 different botnets. We can presume that two connections to the
same channel using the same channel password but connecting to different
IRC servers also belong to the same botnet.This is probable but might not
hold in every case, so the number of unique botnets found decreases to 497.
Figure 10.6 shows a diagram of the dispersion for the 50 most seen channel-
password combinations.The x-axis holds the different channels and the y-axis
shows the number of found malware samples that connect to each channel.
The top position was the channel 
#dd
in combination with the password
dpass
, which we have seen 95 times, followed by 
#hotgirls
(no password) with
44 and 
#i#
(
@d00k@
) with 38 instances.
As mentioned, we have found 120 different TCP ports. Most of them
appeared only once or a few times, which leads to the suspicion that these
were used in malware that is only rarely spread or is a test or beta version. Of

Download 6,98 Mb.

Do'stlaringiz bilan baham:
1   ...   311   312   313   314   315   316   317   318   ...   387



Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling
kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha

yuklab olish