about the login types listed in the event log at http://technet2.microsoft.com/WindowsServer/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.msp, or search Microsoft for audit logon events.
In addition, we looked for instances of logon type 3 (network logon) in which the originating workstation name differed from the victim's computer and where the domain name was the name of the attacking computer, that is, the remote machine presented one of its own local accounts. In most environments this should be a rare occurrence: the victim's computer would have to be actively sharing files and have had local accounts from the other computer added as users on the victim's computer.
Figure 5.4 Failed Login Record
To clinch the deal, password-guessing attacks occur much more rapidly than any human can type. This won't be the case every time: the password-guessing tools we have captured can throttle down the attack frequency (x attempts over y hours), so the rate alone might not make it obvious (see Figure 5.5).
www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
185
427_Botnet_05.qxd 1/9/07 9:59 AM Page 185
Figure 5.5 A Password-Guessing Attack
Both Phatbot and Rbot provide other clues that a password-guessing attack is real. Earlier in the book we listed the default userids they both can use. You might not see this in every attack, but if the bot hasn't gathered any userids locally yet, or if the gathered userids haven't gotten in, the bot might try userids from the default list. They almost always try Administrator, so if you have renamed this account, its appearance in a failed login attempt raises the probability that this is an attack. If you see attempts using the userid Administrador, then administrateur, as the login ID, you can be sure that this is a password-guessing attack and that a bot (likely Phatbot, Rbot, or another related bot family) is attacking the victim's computer. If the attempts happen to take place during times when no one is supposed to be working in that department, you can be even more certain.
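The checks described above (failed type 3 logons whose workstation field is not the victim, a domain field equal to the source workstation, a rate faster than any human could type, the default userids Administrator/Administrador/administrateur, a renamed Administrator account still being targeted, and off-hours timing) applied to a handful of constructed failed-logon records, as an added example that is not code from the book or from any of the tools it describes. The pipe-delimited record layout, the host names, the 08:00 to 18:00 business hours, the burst threshold of five attempts within ten seconds and the two-flag reporting cut-off are all assumptions made for the illustration; the default userid list is limited to the three names the text mentions, and the event IDs 529 (pre-Vista) and 4625 (Vista and later) are the standard failed-logon events.

```python
"""Flag bot password-guessing from failed network logons (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified pipe-delimited layout (not a real event log export):
# timestamp|event_id|user|domain|logon_type|workstation
# ATTACKER01 hammers the victim at 02:14 with the default userids; ATTACKER02 throttles to
# one attempt per hour; FILESRV02 is a single mistyped password by a real user.
SAMPLE_LOG = """\
2007-01-09 02:14:03|529|Administrator|ATTACKER01|3|ATTACKER01
2007-01-09 02:14:03|529|Administrador|ATTACKER01|3|ATTACKER01
2007-01-09 02:14:04|529|administrateur|ATTACKER01|3|ATTACKER01
2007-01-09 02:14:04|529|root|ATTACKER01|3|ATTACKER01
2007-01-09 02:14:05|529|admin|ATTACKER01|3|ATTACKER01
2007-01-09 02:14:05|529|Administrator|ATTACKER01|3|ATTACKER01
2007-01-09 09:30:12|529|jsmith|CORP|2|VICTIM01
2007-01-09 10:05:41|529|jsmith|CORP|3|FILESRV02
2007-01-09 11:00:00|529|Administrator|ATTACKER02|3|ATTACKER02
2007-01-09 12:00:00|529|Administrador|ATTACKER02|3|ATTACKER02
2007-01-09 13:00:00|529|administrateur|ATTACKER02|3|ATTACKER02
"""

VICTIM_HOST = "VICTIM01"                      # assumed name of the machine being examined
FAILED_LOGON_EVENTS = {"529", "4625"}         # failed logon: 529 pre-Vista, 4625 Vista and later
DEFAULT_BOT_USERIDS = {"administrator", "administrador", "administrateur"}  # names from the text
BUSINESS_HOURS = range(8, 18)                 # assumed working hours, 08:00-17:59
BURST_COUNT = 5                               # assumed: five attempts ...
BURST_WINDOW = timedelta(seconds=10)          # ... within ten seconds is faster than typing


def parse(log_text):
    """Turn the constructed pipe-delimited lines into record dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, domain, logon_type, workstation = line.split("|")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "user": user,
            "domain": domain,
            "logon_type": int(logon_type),
            "workstation": workstation,
        })
    return records


def remote_failed_logons(records, victim_host):
    """Failed type 3 (network) logons whose workstation field is not the victim itself."""
    return [r for r in records
            if r["event_id"] in FAILED_LOGON_EVENTS
            and r["logon_type"] == 3
            and r["workstation"].upper() != victim_host.upper()]


def is_burst(times, count=BURST_COUNT, window=BURST_WINDOW):
    """True if any `count` consecutive attempts fall inside `window` (faster than a human)."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def analyse(records, victim_host=VICTIM_HOST, admin_renamed=True):
    """Group remote failed logons by source workstation and apply the text's clues."""
    by_source = defaultdict(list)
    for r in remote_failed_logons(records, victim_host):
        by_source[r["workstation"]].append(r)

    report = {}
    for ws, recs in by_source.items():
        flags = set()
        users = {r["user"].lower() for r in recs}
        if is_burst([r["time"] for r in recs]):
            flags.add("faster_than_human")
        if users & DEFAULT_BOT_USERIDS:
            flags.add("default_userids")
        if admin_renamed and "administrator" in users:
            flags.add("renamed_admin_targeted")   # nobody legitimate should use the old name
        if any(r["time"].hour not in BUSINESS_HOURS for r in recs):
            flags.add("off_hours")
        if any(r["domain"].upper() == ws.upper() for r in recs):
            flags.add("domain_is_source_host")    # attacker presented its own local account
        report[ws] = {"attempts": len(recs), "flags": flags}
    return report


def suspected_infected_hosts(report, min_flags=2):
    """Source workstations with enough clues to be treated as infected (assumed cut-off)."""
    return sorted(ws for ws, info in report.items() if len(info["flags"]) >= min_flags)


if __name__ == "__main__":
    rep = analyse(parse(SAMPLE_LOG))
    for ws, info in sorted(rep.items()):
        print(f"{ws}: {info['attempts']} failed type 3 logons, flags={sorted(info['flags'])}")
    print("suspected infected:", suspected_infected_hosts(rep))
```

Note that the throttled attacker (ATTACKER02) never trips the rate check, exactly as the text warns, and is caught only by the default userids and by the domain field matching its own host name; the lone mistyped password from FILESRV02 collects no flags at all, which is why the workstation field alone should not be taken as a list of infected machines without these corroborating checks.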
So, what's the point of analyzing this data? You are examining this computer because someone already said it was virus infected or because one of your intelligence sources spotted it talking to a known C&C server. Here's the value of this analysis: the computers listed in the workstation field of the failed login records for type 3 logons, where the workstation field differs from the victim's computer name, are themselves infected computers, provided the clues above (rate, default userids, off-hours timing) confirm that each one is the source of a password-guessing attack rather than a single mistyped password. Using this technique during the analysis phase, we have found over 200 infected computers that were part of one botnet. This is despite the fact that we actively scan for bot