Botnets - The killer web applications

Chapter 12 • Responding to Botnets (www.syngress.com, page 434)


infected drive off for forensic analysis. At some point, you need to get the infected system off the air, so it doesn't infect others.

Consider monitoring the infected host to see who else talks to it. See Chapter 5 for mention of sniffers. You should analyze the local firewall and network monitoring historical data for this same data. You should analyze the local security event logs to see who attacked this computer prior to its assimilation. Submitting malware found during the quick forensics process to a malware analysis sandbox can identify the initial C&C server, channel names, and passwords.

Contact other network domains to tell them about the remote contacts discovered in the monitoring phase or analysis phase. Join the industry intelligence sharing groups for your industry, like REN-ISAC for higher education. See the ISAC Council at www.isac-council.org. Consider other organizations like www.shadowserver.org for botnets, www.castlecops.com/PIRT for phishing, and mailing lists like Gadi Evron's Botnet Digest (www.whitestar.linuxbox.org/mailman/listinfo/botnets).
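The monitoring and log-review steps above (who the infected host talks to after infection, who attacked it beforehand, and whether a remote controller is talking to more than one of your hosts) can be worked through against firewall or flow logs with a short script. The following is an added example, not code from the book or from Syngress; the log format, the addresses (RFC 5737 documentation ranges), the internal network `192.0.2.0/24`, the victim `192.0.2.10` and the infection timestamp are all constructed for illustration.

```python
"""Triage of firewall/flow logs around a bot-infected host.

Added example (not from the book). Given simple connection records, it
reports: remote peers the victim contacted after infection (candidate C&C),
external sources that hit the victim before infection (candidate attackers),
internal hosts the victim reached afterwards (spread), and remote peers shared
by more than one internal host (a controller talking to several bots).
"""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_LOG = """\
2007-01-08T09:55:12 203.0.113.45 4021 192.0.2.10 445 tcp
2007-01-08T09:55:13 203.0.113.45 4022 192.0.2.10 139 tcp
2007-01-08T09:58:40 198.51.100.7 3001 192.0.2.10 135 tcp
2007-01-08T10:02:01 192.0.2.10 1025 198.51.100.200 6667 tcp
2007-01-08T10:02:30 192.0.2.10 1026 198.51.100.200 6667 tcp
2007-01-08T10:03:00 192.0.2.10 1027 192.0.2.55 445 tcp
2007-01-08T10:03:05 192.0.2.10 1028 192.0.2.56 445 tcp
2007-01-08T10:05:00 192.0.2.23 1100 198.51.100.200 6667 tcp
2007-01-08T10:06:00 192.0.2.10 1029 203.0.113.9 80 tcp
"""

INTERNAL = ip_network("192.0.2.0/24")  # constructed: our own address space


def parse_log(text):
    """Parse the constructed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport), "proto": proto,
        })
    return records


def is_internal(ip):
    return ip in INTERNAL


def triage(records, victim, infected_at):
    """Split traffic around the victim by direction and by time of infection."""
    victim = ip_address(victim)
    infected_at = datetime.fromisoformat(infected_at)
    pre_attackers = Counter()        # external -> victim, before infection
    post_peers = Counter()           # victim -> external, after infection
    internal_spread = Counter()      # victim -> internal, after infection
    peer_clients = defaultdict(set)  # external peer -> internal hosts seen

    for r in records:
        if r["dst"] == victim and r["ts"] < infected_at and not is_internal(r["src"]):
            pre_attackers[(str(r["src"]), r["dport"])] += 1
        if r["src"] == victim and r["ts"] >= infected_at:
            key = (str(r["dst"]), r["dport"])
            if is_internal(r["dst"]):
                internal_spread[key] += 1
            else:
                post_peers[key] += 1
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            peer_clients[str(r["dst"])].add(str(r["src"]))

    return {
        "pre_infection_attackers": pre_attackers,
        "post_infection_peers": post_peers,
        "internal_spread": internal_spread,
        # A remote peer contacted by several internal hosts is either a shared
        # legitimate service or a controller with more than one bot: worth a look.
        "shared_remote_peers": {p: sorted(h) for p, h in peer_clients.items() if len(h) > 1},
    }


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), "192.0.2.10", "2007-01-08T10:00:00")
    for section, data in report.items():
        print(f"== {section} ==")
        items = data.most_common() if isinstance(data, Counter) else data.items()
        for key, value in items:
            print(f"  {key}: {value}")
```

Run it as a script to see the four sections; in real use, replace `SAMPLE_LOG` with exported firewall or flow records and feed the remote peers it lists to the abuse-contact and sandbox steps the chapter describes.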
It's a good idea to watch an infected host with a sniffer of some sort, as you may see that a remote controller is talking to more than one host. Given constraints on time, this may be all an IT organization is able to do. In Chapter 5, we talked about abuse e-mail lists and ways to find out whom to contact for attacks from remote network domains. Politely ask the remote party to stop scanning you or sending spam your way, or inform them that they have a botnet C&C on their premises. This may be an act of compassion for some poor user (or 100,000 poor users) you have never met, as now his or her box might get cleaned up and further acts of identity theft might be prevented. This act may be useful or useless. However, it is worth a shot, as communication channels need to be part of the overall solution to the botnet problem.
Taken together, the previous set of measures might be regarded as fundamental, but that raises an interesting question. What else might we do? In the remainder of this section, we are going to talk about a few other things you could try that are more proactive and may not be for everyone. If you have time and possibly security credentials, you can consider getting involved by communicating and working with others about botnets. You can consider setting up your own darknet or honeynets, or feeding any captured malware to a
