Chapter 10 • Using Sandbox Tools for Botnets
Botnets - The killer web applications
427_Botnet_10.qxd 1/9/07 3:06 PM Page 388



Some hostnames are resolved.

A C&C server is contacted using the IRC protocol.

A listening TCP server is created for incoming connections.

Interpreting an Analysis Report
The interpretation of an analysis report was explained in detail in this
chapter. The traces and hints of the most commonly performed malicious
operations of bots were shown:

How and where does the bot install its files, and how does it
ensure that they are automatically executed on system startup?

How are new hosts found for infection, and how are they probed
for common, known security leaks that could be exploited?

How is the local host protected against new infections?

How are local security and antivirus tools found and
disabled/modified to hide the bot?

How and to what are C&C servers connected?

What are traces of other malicious operations, such as sending
spam, performing DDoS attacks, stealing sensitive data from the
local system, or installing backdoors?

Bot-Related Findings of Our Live Sandbox
Some (unrepresentative) results of the analysis of 11,965 malware
samples at the University of Mannheim, Germany, were presented in
this chapter.
We have found 1815 bot applications that use the IRC protocol (or
slight modifications of it) to communicate with IRC servers on
317 different IP addresses using 120 different TCP ports.
These 1815 bots have used 497 different password-channel
combinations, which lets us assume that we have found at most 497
different botnets.
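As an added example (not from the book), the following Python shows how the interpretation questions above and the aggregation behind these figures can be applied to a constructed, simplified behaviour log: per sample, whether the bot installs an autostart entry, opens a listening TCP port, kills a security tool and which IRC C&C it joins; across samples, the distinct C&C IPs, ports and channel/password combinations that bound the number of botnets from above. The log format, field names and the autostart/security-tool lists are assumptions for illustration, not any real sandbox's report format.

```python
import re
from collections import defaultdict
# Constructed sandbox behaviour log (not from the book or any real sandbox), "<sample> <action> k=v ...".
CONSTRUCTED_LOG = """\
s1 dns_query host=irc.example.test
s1 tcp_connect ip=198.51.100.7 port=6667
s1 irc_join server=198.51.100.7 port=6667 channel=#bots key=pw1
s1 reg_set key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=svchosts.exe
s1 tcp_listen port=1337
s1 process_kill name=avguard.exe
s2 tcp_connect ip=198.51.100.7 port=6667
s2 irc_join server=198.51.100.7 port=6667 channel=#bots key=pw1
s3 irc_join server=203.0.113.9 port=1024 channel=#x key=pw2
s4 tcp_listen port=445
""".splitlines()
# Autostart registry locations and security-tool process names (assumed, illustrative).
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SECURITY_TOOLS = {"avguard.exe", "zonealarm.exe", "msmpeng.exe"}

def parse_log(lines):
    """Group records per sample: {sample: [(action, {field: value}), ...]}."""
    per_sample = defaultdict(list)
    for line in lines:
        sample, action, *pairs = line.split()
        per_sample[sample].append((action, dict(p.split("=", 1) for p in pairs)))
    return per_sample

def summarize(records):
    """Answer the chapter's interpretation questions for one sample's records."""
    s = {"hosts": set(), "irc": set(), "listen": set(), "autostart": False, "av_tamper": False}
    for action, f in records:
        if action == "dns_query":
            s["hosts"].add(f["host"])
        elif action == "irc_join":  # C&C endpoint plus the channel/password pair used
            s["irc"].add((f["server"], int(f["port"]), f["channel"], f.get("key", "")))
        elif action == "tcp_listen":  # backdoor or file server for further spreading
            s["listen"].add(int(f["port"]))
        elif action == "reg_set" and AUTOSTART_KEY.search(f["key"]):
            s["autostart"] = True  # survives reboot via a Run key
        elif action == "process_kill" and f["name"].lower() in SECURITY_TOOLS:
            s["av_tamper"] = True  # local protection disabled to hide the bot
    return s

def aggregate(lines):
    """Count IRC bots, distinct C&C IPs/ports and channel-password combos (upper bound on botnets)."""
    irc = [s["irc"] for s in map(summarize, parse_log(lines).values()) if s["irc"]]
    servers = {(ip, p) for conns in irc for ip, p, _, _ in conns}
    combos = {(ch, key) for conns in irc for _, _, ch, key in conns}
    return {"irc_bots": len(irc), "cc_ips": len({ip for ip, _ in servers}),
            "cc_ports": len({p for _, p in servers}), "max_botnets": len(combos)}
```

Two samples joining the same channel with the same password are counted as one candidate botnet, which is why the channel/password count is only an upper bound: one botnet can also run on several servers or rotate passwords.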
www.syngress.com


