Botnets - The killer web applications
Ourmon: Anomaly Detection Tools • Chapter 7
you had a host that was sending half its packets to port 139 and the other half to port 445, you would see a port signature like this: [139,50] [445,50]. In other words, 50 percent go to each port. Notice how 192.168.153.150 and 192.168.153.151 in Table 7.3 are sending packets to ports 139 and 445. However, other ports are in the port signature as well. This could be due to a Web-based client running along with a bot, or it might be due to the bot itself using the Web somehow. We do not know. The port signature as a field is important enough that we named the entire report after it.
WARNING
Ports are tricky. In some sense, they are both useful and useless. They are useful in that innocent applications use them all the time. For example, ports 80 and 443 are used by Web servers and Web clients to access the Web servers. On the other hand, malware could choose to use a well-known port for an IRC command and control connection (like port 80). Or an employee at work trying to hide use of a P2P application like BitTorrent might run it on port 80. Always remember that spoofing is possible. Typically, benign systems do not spoof, of course.
Analysis of Sample TCP Port Report
Now let's go through the small set of IP addresses in our port report and analyze them. Remember that our addresses are sorted in ascending order and that 192.168 addresses belong to the home network.
10.0.0.1
The R flag indicates RESETS are coming back. The work weight is 100 percent. L3D/L4D indicates this host is talking to many local hosts at only one port. One destination port is the target (port 5900). This is a scanner, plain and simple. At this point if you don't know what is going on, use a search engine and search on "TCP port 5900". In this case we can rapidly learn that port 5900 is associated with the Virtual Network Connection (VNC) appli-
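As an added example (not from the book and not Ourmon's own code), the following Python rebuilds a toy version of the report fields discussed above from constructed packet records: the port signature in the [port,percent] notation, the R flag, a simplified work weight, and L3D/L4D, and then applies the 10.0.0.1 reasoning (resets back, saturated work weight, many local hosts, one destination port) as a rule. The packet records, the 192.168.0.0/16 home network, and the simplified work-weight formula are assumptions made for this example.

```python
from collections import Counter
import ipaddress
HOME_NET = ipaddress.ip_network("192.168.0.0/16")   # the book's "home network" (assumption)

def scanner_records(n=20):
    """Constructed: 10.0.0.1 SYN-probes port 5900 on n home hosts, each answering with a RST."""
    recs = []
    for i in range(n):
        victim = f"192.168.153.{i + 1}"
        recs.append(("10.0.0.1", victim, 5900, "S"))   # (src, dst, dport, tcp flags)
        recs.append((victim, "10.0.0.1", 40000, "R"))  # reset back to the probe's source port
    return recs

# Constructed sample (not Ourmon's capture format): the scanner plus a home host that
# splits its SYNs between ports 139 and 445 and also carries some Web traffic.
PACKETS = scanner_records() + [
    ("192.168.153.150", f"192.168.153.{h}", port, "S") for h in (10, 20, 30, 40) for port in (139, 445)
] + [("192.168.153.150", "203.0.113.5", 80, "A")] * 2

def sent_by(packets, host):
    return [p for p in packets if p[0] == host]

def port_signature(packets, host, top=10):
    # destination ports with the percentage of the host's packets sent to each, busiest first
    sent = sent_by(packets, host)
    return [(port, round(100 * c / len(sent))) for port, c in Counter(p[2] for p in sent).most_common(top)]

def format_signature(sig):
    return " ".join(f"[{port},{pct}]" for port, pct in sig)   # e.g. "[139,40] [445,40] [80,20]"

def work_weight(packets, host):
    """Simplified (assumption): (SYNs sent + FINs sent + RSTs received) over packets sent plus RSTs received."""
    sent = sent_by(packets, host)
    resets_in = sum(1 for p in packets if p[1] == host and "R" in p[3])
    control = sum(1 for p in sent if "S" in p[3] or "F" in p[3]) + resets_in
    total = len(sent) + resets_in
    return round(100 * control / total) if total else 0

def host_report(packets, host):
    """One row of the port report: R flag, work weight, L3D, L4D and the port signature."""
    sent = sent_by(packets, host)
    return {"flags": "R" if any(p[1] == host and "R" in p[3] for p in packets) else "",
            "ww": work_weight(packets, host),
            "L3D": len({p[1] for p in sent if ipaddress.ip_address(p[1]) in HOME_NET}),
            "L4D": len({p[2] for p in sent}),
            "sig": port_signature(packets, host)}

def looks_like_scanner(rep, min_hosts=10):
    """The 10.0.0.1 pattern: resets back, saturated work weight, many local hosts, one port."""
    return rep["flags"] == "R" and rep["ww"] >= 90 and rep["L3D"] >= min_hosts and rep["L4D"] == 1
```

Calling `host_report(PACKETS, "10.0.0.1")` yields the R flag, a 100 percent work weight, L3D of 20 and L4D of 1 with signature [5900,100], while 192.168.153.150 yields [139,40] [445,40] [80,20] and is not flagged.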