;; QUESTION SECTION:
;exploited.lsass.org.           IN      A

;; ANSWER SECTION:
exploited.lsass.org.    56070   IN      A       10.0.0.1
exploited.lsass.org.    56070   IN      A       10.2.2.3
exploited.lsass.org.    56070   IN      A       192.168.249.146

;; AUTHORITY SECTION:
lsass.org.              68614   IN      NS      ns.dns.somecountry.
lsass.org.              68614   IN      NS      ns.dns2.somecountry.

;; ADDITIONAL SECTION:
ns.dns.somecountry.     68572   IN      A       10.3.4.5
$ dig -x 192.168.249.146

;; QUESTION SECTION:
;146.249.168.192.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa.   1800    IN      SOA     dnsserver.enormoussu.edu
-- 
Nancy Netadmin                               Voice: XXX.123.1234
BIGISP Operations & Systems Engineer         Fax:   XXX.123.1345
Computing Center                             Email: nancyn@bigisp.net
This message poses some interesting questions, including:

■ What does it mean?
■ Where did I put the aspirin again?
■ What can we do about it?
■ How can we prevent it from happening again?
www.syngress.com
Chapter 5 • Botnet Detection: Tools and Techniques

Nancy has been kind enough to tell us that we have a bot server on our campus. We should disconnect it from the Internet immediately and sanitize the host and any other local hosts that might be taking part in the botnet. However, forensics and cleanup, although mentioned later in the chapter, are not germane to our discussion at this point. The point is that the DNS name exploited.lsass.org was being used by a botnet so that botnet clients could find a botnet server. Typically, botnet experts have observed that a botnet will rendezvous on a DNS name using dynamic DNS. The clients know the DNS name and can check it to see whether the IP address of the server has changed. This is one method the botnet owner can use to try to keep the botnet going when the botnet server itself is destroyed: the botnet master has only to get another IP address and use dynamic DNS to rebind the existing name to the new address. Getting another IP address is not that hard if you own 50,000 hosts. One lesson is simple: a botnet client can become a botnet server at any time. This system might have started as an ordinary bot and been promoted by its owner. Another lesson is fairly simple and obvious too, but needs repeating: take down the botnet server as quickly as possible.
The DNS information in the message shows the DNS name mapped to several IP addresses, including one (192.168.249.146) on the local campus. It also shows the name servers for lsass.org (presumably a site hosting dynamic DNS). The dig -x command was then used to do a reverse (PTR) lookup of that IP address, mapping it back toward a DNS name. No PTR record came back; what the authority section does show is an SOA naming dnsserver.enormoussu.edu as authoritative for 168.192.in-addr.arpa., which tells us which DNS site (the local site) hosts the reverse zone, and hence where the PTR record itself would live.
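The mechanics described in the two paragraphs above, a rendezvous name being rebound through dynamic DNS and the forward/reverse lookups that pin the server to the local site, can be scripted as a small detector. This is an added example and not code from the book; the dig transcripts it parses are constructed to mirror the ones shown on this page (the second forward lookup and the full SOA in the reverse lookup are invented to illustrate a rebind), and the campus prefix 192.168.0.0/16 and the 300-second TTL threshold are assumptions to adjust for your own site.

```python
"""Spot a botnet rendezvous name from dig output (added example, not from the book).

Parses the sections of a `dig` transcript, flags answers inside the local campus
prefixes, reports when the name is rebound to new addresses between two lookups
(the dynamic DNS behaviour described in the chapter), and pulls the SOA primary
from a reverse lookup to show which site owns the reverse zone.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# ASSUMPTION: our own campus address space; adjust for your site.
CAMPUS_PREFIXES = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed to match the forward lookup shown on this page.
DIG_FIRST = """\
;; QUESTION SECTION:
;exploited.lsass.org.           IN      A

;; ANSWER SECTION:
exploited.lsass.org.    56070   IN      A       10.0.0.1
exploited.lsass.org.    56070   IN      A       10.2.2.3
exploited.lsass.org.    56070   IN      A       192.168.249.146

;; AUTHORITY SECTION:
lsass.org.              68614   IN      NS      ns.dns.somecountry.
"""

# Constructed (invented): a later lookup after the botmaster rebinds the name.
DIG_SECOND = """\
;; ANSWER SECTION:
exploited.lsass.org.    60      IN      A       10.2.2.3
exploited.lsass.org.    60      IN      A       10.9.9.9
"""

# Constructed reverse lookup; the SOA fields after MNAME are invented filler.
DIG_REVERSE = """\
;; QUESTION SECTION:
;146.249.168.192.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa.   1800    IN      SOA     dnsserver.enormoussu.edu. hostmaster.enormoussu.edu. 2007010901 3600 900 604800 1800
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|PTR|NS|SOA|CNAME)\s+(.+?)\s*$")

Record = Tuple[str, int, str, str]  # (owner, ttl, type, rdata)


def parse_dig(text: str) -> Dict[str, List[Record]]:
    """Return {section name: [records]} for a dig transcript; ';' comment lines are skipped."""
    sections: Dict[str, List[Record]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:-len(" SECTION:")]  # e.g. "ANSWER"
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            sections[current].append((owner, int(ttl), rtype, rdata))
    return sections


def a_records(text: str) -> Set[str]:
    """Addresses from A records in the ANSWER section (empty set if there is no answer)."""
    return {rd for (_, _, rt, rd) in parse_dig(text).get("ANSWER", []) if rt == "A"}


def local_hits(addrs: Set[str]) -> List[str]:
    """Addresses inside our campus prefixes: candidate bot servers on our network."""
    return sorted(a for a in addrs
                  if any(ipaddress.ip_address(a) in net for net in CAMPUS_PREFIXES))


def rebinding(before: str, after: str) -> Dict[str, Set[str]]:
    """Diff two lookups of the same name; any change is the dynamic DNS rebind in action."""
    old, new = a_records(before), a_records(after)
    return {"added": new - old, "removed": old - new}


def low_ttl(text: str, threshold: int = 300) -> bool:
    """True if an ANSWER A record has a TTL under the threshold (assumed 300 s);
    dynamic DNS names are published with short TTLs so a rebind takes effect quickly."""
    return any(ttl < threshold
               for (_, ttl, rt, _) in parse_dig(text).get("ANSWER", []) if rt == "A")


def reverse_zone_master(text: str) -> str:
    """SOA MNAME (primary server) of the reverse zone, from the AUTHORITY section."""
    for (_, _, rt, rd) in parse_dig(text).get("AUTHORITY", []):
        if rt == "SOA":
            return rd.split()[0]
    return ""


if __name__ == "__main__":
    print("local hosts serving the name:", local_hits(a_records(DIG_FIRST)))
    print("rebinding between lookups:", rebinding(DIG_FIRST, DIG_SECOND))
    print("short TTL on latest answer:", low_ttl(DIG_SECOND))
    print("reverse zone primary:", reverse_zone_master(DIG_REVERSE))
```

Run periodically against a name from a blocklist or an abuse report and alert on a non-empty local_hits list or a non-empty rebinding diff; the TTL check is only a hint, since the first transcript shows a cached TTL rather than the authoritative one.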
Notes from the Underground…