Index
180Solutions civil law suit, 17, 50, 61
A
AAS (Automated Analysis Suite), 350–351, 389
Abad, Christopher, 63, 424
abuse
    e-mail, 134–139, 208
    spam and, 139–140
access
    brute-force, 34–36
    login, restricting, 107
access control lists (ACLs), 140
adaptive learning, 151
administrator accounts, securing, 426–428
Adsense scam, 50–51
adware
    See also botnets, malware
    installation, Clicks4Hire schemes, 63–69
Agobot, 10–11, 17, 52, 111–118, 129–131, 257–258
agreements, confidentiality, 404–407
aliases
    Agobot, 112
    Mytob bot, 124–125
    RBot, 105
    SDBot, 99
    Spybot, 118–119
Alliance Against IP Theft, The, 22
Altiris, 206
analysis
    See also reports, reporting
    code vs. behavior, 346
    heuristic, intrusion detection, 165–168
Ancheta, Jeanson James, 18, 49
anomaly detection
    e-mail, with ourmon, 275–278, 282
    principles of, 157, 252–254, 280
    TCP (ourmon), 255–272, 281
    UDP (ourmon), 272–275, 282
anti-antivirus (Anti-A/V) tool, 37
anti-spam, 438–444
AntiHookExec, 183
antivirus (A/V)
    and anti-antivirus (Anti-A/V) tool, 37
    informational Web sites, 398–399
    log analysis, 198–207
    Microsoft reward program, 27
    programs shutting off, 74
    and security, 161–165
    signatures, 162–163
    software, 214
    vendors and botnets, 12
architecture
    CWSandbox, 352–353
    ourmon tool, 227–231, 240
Arhiveus ransomware Trojan, 69
ARP spoofing, 152, 153
Art of Computer Virus Research and Defense, The (Szor), 167
ATMs and phishing, 63
attack signatures
    See also signatures
    HIDS and, 158
attacks
    See also specific attack
    password guessing, brute-force access, 34–36
    simple botnet, 18–19
    SPIM (Spam for Instant Messaging), 10, 16, 32
    tracing back to botherders, 392–398
    against unpatched vulnerabilities, 32–33
Aucsmith, Dave, 423
authentication, and weak passwords, 108–110
Automated Analysis Suite (AAS), 350–351, 389
automated packet capture (ourmon), 314–324, 339–340
AutoRuns tool, 183, 203–204, 369
Avast, 168
B
backdoors
    left by Trojans, 33–34
    RBot exploits, 111
    SDBots and, 9–10
Bagle mass-mailing virus, 51
Baradley, Jordan, 16
BASE analysis tool, 169
Baylor, Ken, 5
behavior analysis, 346, 348
Bellovin, Steve, 294
Berkeley Packet Filter (BPF), 296
Big Yellow Worm, 203
binary updates, how bots get, 376–378
BitTorrent, 262, 270
black holes, 177
blacklists for spam weeding (DNS), 140
Blaster Worm, 21–22, 27, 91
Bleedingsnort resource, 170
blocking
    botnet-related traffic, 418
    vulnerable ports, 433
Blue Security anti-spam company, 438–444
border firewalls, 152–153
bot servers and botnets, 30
botherders
    motivations of, 75
    and ransomware, 60–62, 69
    tracing attacks back to, 392–398
botnet C&C described, 95
botnet clients
    and botnet servers, 227
    IRC, detecting, 298–303
    rallying, securing, 37–41
    waiting for orders, retrieving payload, 41–42
botnet detection
    abuse e-mail, 134–139
    darknets, honeypots, snares, 176–179
    forensic techniques and tools for, 179–207, 212–213
    with ourmon. See ourmon tool
botnet-spam
    economics of, 62–69
    phishing and, 51–55
botnets
    See also specific botnet
    alternative C&Cs, 78–79
    clients. See botnet clients
    code-based and character-based families of, 11–12
    combating, 418–429
    common, 98, 128
    components of, 15–16
    concepts and things that affect, 446–447
    described, 3–4, 25, 30–31, 70–72
    detecting. See botnet detection
    determining if computers are part of, 73–75
    echo-based, 83–86
    economics of spam, phishing, 62–69, 72–73
    functions and impact of, 42–69
    getting binary updates, 376–378
    installation methods, 369–370
    life cycle of, 31–36
    lost hosts, 330–331
    malicious operations performed by, 378–383
    obtaining information from, 346–348
    and P2P, 452
    reporting, 436–438, 443–444
    reporting abuse, 138–139
    responding to, reporting, 434–438
    simple attack, 18–19
    threat of, 2–4, 24, 26–27
    viewing information on known, 399–403
BPF (Berkeley Packet Filter), 296
Braverman, Matthew, 14
broadcast domains described, 151
427_Botnet_Index.qxd 1/9/07 3:00 PM Page 459