ELEFANT. Searching through the university's Web pages revealed a Web page for the chemistry department's lab network that touted ELEFANT as the most important computer in their lab. The Web page also identified the lab manager's name, phone number, and e-mail address.
Once we are confident in the IP address associated with an attacker, the help desk ticket is assigned to our networking group. The networking group places the switch port associated with the attacker into a network jail, although our kinder, gentler customer service interface calls it a "network quarantine" when speaking to our customers. The networking group then confirms the building and room information directly from the switch, to verify the database entries we posted earlier.
Once the computer's location has been determined, the help desk ticket is assigned to our desktop support techs, who arrange for it to be retrieved for our quick forensic exam and reimaging. We had determined early in the process that with this bot, reimaging was preferable to attempting to remove the virus and chancing that we would miss something. Reimaging also gave us the opportunity to remove the offending local administrator accounts.
As we processed systems, we realized that we needed to collect and correlate information about all the systems we had identified. For that we established a spreadsheet that brings together all the relevant information. That way, if we see a system in an event log two months from now, we can confirm whether the system was reimaged since the time of the new sighting or if this is a reinfection.
We are now experimenting with using a tool called NTSyslog, available for download at http://sourceforge.net/projects/ntsyslog, to automatically forward the Security Event logs to a central syslog server. The central syslog server formats the data for an SQL database and then runs the above query in near real time. This has the effect of turning this approach into an early warning tool instead of a recovery tool.
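The two pieces just described, the tracking spreadsheet and the syslog-to-SQL feed, fit together as one correlation step: when a host shows up again in forwarded Security Event log entries, join the sighting against the reimage table and decide whether it predates the reimage (already handled), postdates it (reinfection), or belongs to a host never processed (new ticket). The following is an added example of that step, not the author's tooling or the query referred to above, which is not reproduced on this page. The NTSyslog message layout ("security[outcome] id ..."), the hostnames, IPs, dates and the event IDs of interest are all assumptions, and the log lines and tracking table are constructed samples.

```python
"""Correlate forwarded Security Event log sightings with a reimage tracking
table, so a host seen again in the logs can be called a stale sighting, a
reinfection, or a host we have never processed.

Added example; not the author's tooling. NTSyslog's exact message layout and
the event IDs of interest are assumptions (stand-ins for the page's own query).
"""
import csv
import io
import re
import sqlite3
from datetime import datetime

# Constructed sample of the tracking spreadsheet: hostnames, IPs and dates
# are hypothetical.
REIMAGE_CSV = """hostname,ip,reimaged_at
ELEFANT,10.20.30.40,2005-03-01 14:00:00
CHEMLAB-07,10.20.30.41,2005-02-15 09:30:00
"""

# Constructed sample of what a central syslog server might hold after
# NTSyslog forwards Security Event log entries. The "security[outcome] id"
# prefix is an assumed layout, not copied from NTSyslog's documentation.
SYSLOG_LINES = r"""Mar  1 10:12:03 ELEFANT security[success] 624 NT AUTHORITY\SYSTEM User Account Created: New Account Name: backup1
Mar  3 02:41:55 ELEFANT security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Unknown user name or bad password
Feb 10 08:05:17 CHEMLAB-07 security[success] 624 NT AUTHORITY\SYSTEM User Account Created: New Account Name: helpdesk2
Mar  2 22:10:09 LIB-KIOSK-3 security[success] 624 NT AUTHORITY\SYSTEM User Account Created: New Account Name: games
Mar  2 22:11:00 LIB-KIOSK-3 security[success] 528 NT AUTHORITY\SYSTEM Successful Logon
"""

SYSLOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) security\[(?P<outcome>\w+)\] (?P<event_id>\d+) (?P<msg>.*)$"
)


def parse_syslog_line(line, year):
    """Return a dict for one forwarded event, or None if the line is not one.

    Classic syslog stamps carry no year, so the caller supplies it.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": stamp.strftime("%Y-%m-%d %H:%M:%S"),  # ISO text compares in time order
        "host": m["host"].upper(),
        "outcome": m["outcome"],
        "event_id": int(m["event_id"]),
        "msg": m["msg"],
    }


def build_db(reimage_csv, syslog_text, year):
    """Load the tracking table and the forwarded events into in-memory SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reimage (hostname TEXT PRIMARY KEY, ip TEXT, reimaged_at TEXT)")
    conn.execute("CREATE TABLE events (ts TEXT, host TEXT, outcome TEXT, event_id INTEGER, msg TEXT)")
    for row in csv.DictReader(io.StringIO(reimage_csv)):
        conn.execute("INSERT INTO reimage VALUES (?, ?, ?)",
                     (row["hostname"].upper(), row["ip"], row["reimaged_at"]))
    for line in syslog_text.splitlines():
        ev = parse_syslog_line(line, year)
        if ev:
            conn.execute("INSERT INTO events VALUES (?, ?, ?, ?, ?)",
                         (ev["ts"], ev["host"], ev["outcome"], ev["event_id"], ev["msg"]))
    conn.commit()
    return conn


def classify_sightings(conn, event_ids):
    """Join each event of interest against the reimage table and give a verdict.

    'stale'       - event predates the reimage; already handled.
    'reinfection' - event is newer than the reimage; reopen the ticket.
    'unknown'     - host never processed; open a new ticket.
    """
    placeholders = ",".join("?" for _ in event_ids)
    return conn.execute(
        f"""
        SELECT e.host, e.ts, e.event_id,
               CASE WHEN r.hostname IS NULL THEN 'unknown'
                    WHEN e.ts > r.reimaged_at THEN 'reinfection'
                    ELSE 'stale' END AS verdict
        FROM events e LEFT JOIN reimage r ON r.hostname = e.host
        WHERE e.event_id IN ({placeholders})
        ORDER BY e.ts
        """,
        tuple(sorted(event_ids)),
    ).fetchall()


if __name__ == "__main__":
    db = build_db(REIMAGE_CSV, SYSLOG_LINES, 2005)
    for host, ts, event_id, verdict in classify_sightings(db, {624, 529}):
        print(f"{ts} {host:<12} event {event_id}: {verdict}")
```

Timestamps are stored as ISO text so the SQL comparison against the reimage date is a plain string comparison; the syslog year has to be supplied because classic syslog stamps omit it, which is one reason to record the reimage date with the year in the tracking table.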
Firewall Logs
In addition to the logs we've already discussed, you should gather any firewall logs. The default location for Windows XP firewall logs is %WinDir%\pfirewall.log. By default, firewall logging is not turned on. It can be and should be turned on by group policy and configured so the user can't