Botnets - The killer web applications

www.syngress.com
Chapter 5 • Botnet Detection: Tools and Techniques


of a security breach, they give you an immediate start on
investigating what’s happened.
Q: Why ports 135-139 and port 445? Are you picking on Microsoft?

A: Yes, we are picking on Microsoft. In fact, historically for some reason distributed file systems have never been something you wanted to make accessible via the Internet. Sun has had its problems with its Network File System. However, in recent years many botnets have included exploits explicitly targeting the Microsoft File Share system. In part this is due to popularity and high usage; in part it's due to numerous exploits (and lack of patching).

Q: Are there other ports I need to watch?

A: Bots and other malware can often use any port (which is why you can't just stop IRC bots by blocking IRC ports), but they are often characterized by the use of a specific port. A number of Web resources list specific threats by port, but you shouldn't rely on their being 100 percent accurate, comprehensive, and up to date. Try Googling "bot ports" or "Trojan ports". The threat analysis reports from Joe Stewart on www.LURHQ.com, now merged with SecureWorks, are a great source of information on ports and bot behavior.

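An added example, not from the book: one way to watch the ports discussed in the two answers above is to count, per source address, how many distinct hosts it contacted on ports 135-139 and 445. The flow-record format, the addresses, the fan-out threshold and the function names are assumptions constructed for illustration; the port set is a parameter because bots can use any port.

```python
from collections import defaultdict

# Ports named in the FAQ: 135-139 and 445 (Microsoft file sharing).
WATCHED_PORTS = set(range(135, 140)) | {445}

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2007-01-09T10:00:01 10.0.0.23 10.0.1.5 445 tcp
2007-01-09T10:00:01 10.0.0.23 10.0.1.6 445 tcp
2007-01-09T10:00:02 10.0.0.23 10.0.1.7 139 tcp
2007-01-09T10:00:02 10.0.0.23 10.0.1.8 135 tcp
2007-01-09T10:00:03 10.0.0.23 10.0.1.9 445 tcp
2007-01-09T10:00:04 10.0.0.40 10.0.0.2 445 tcp
2007-01-09T10:00:09 10.0.0.40 10.0.0.2 445 tcp
2007-01-09T10:00:05 10.0.0.51 10.0.2.1 80 tcp
2007-01-09T10:00:06 10.0.0.51 10.0.2.2 80 tcp
2007-01-09T10:00:07 10.0.0.51 10.0.2.3 80 tcp
truncated-record 10.0.0.23
"""

def parse_flow(line):
    """Return (src, dst, port), or None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 5 or not fields[3].isdigit():
        return None
    return fields[1], fields[2], int(fields[3])

def fan_out(flows, ports=WATCHED_PORTS):
    """Map each source to the distinct destinations it contacted on `ports`."""
    seen = defaultdict(set)
    for line in flows.splitlines():
        rec = parse_flow(line)
        if rec and rec[2] in ports:
            seen[rec[0]].add(rec[1])
    return seen

def suspects(flows, threshold=4, ports=WATCHED_PORTS):
    """Sources that reached at least `threshold` distinct hosts on `ports`.

    The threshold is an assumed tuning value: a workstation talking to one
    file server stays below it, a host sweeping a subnet does not.
    """
    hits = fan_out(flows, ports)
    return sorted(src for src, dsts in hits.items() if len(dsts) >= threshold)

if __name__ == "__main__":
    for src in suspects(SAMPLE_FLOWS):
        count = len(fan_out(SAMPLE_FLOWS)[src])
        print(f"{src} contacted {count} distinct hosts on watched ports")
```

Passing a different `ports` set reuses the same count for any other port a given threat is known to use.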
Q: Is it possible for a switch in one location to port-mirror packets to a switch in another location?

A: Yes. Cisco switches might have a feature called RSPAN, which can allow this trick.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to
