Botnets - The killer web applications
www.syngress.com
Chapter 8 • IRC and Botnets
weight for a good number of hosts, you can assume that all the clients in this channel are infected, too. Some of them might not have been ordered to scan or might for some reason not be responding to the hacker's commands.

Here we want to draw your attention to a channel where a number of hosts are all behaving badly in the same way, which strongly implies that they are under remote control. In addition, the IRC version of the TCP work weight is a weaker statistical measure than the TCP work weight used in the TCP port report. It is calculated the same way in terms of SYN count, FIN count, and so on. However, in this case we don't insist on a strength value of approximately 1 SYN per second. Three SYNs and no FINs and no data packets will in this case still get you 100 percent for a host. This could detect some cases of weak scanning done by a botnet mesh. But it also could result in false positives where there are one or two hosts with high work weights in an IRC channel with many other hosts. Again, the goal is to show multiple scanners in a botnet mesh, which leads you to suspect that the entire set of hosts in that channel is infected. When in doubt, you can also look at the TCP port reports to see if the host is scanning from the pure anomaly detection point of view. We will touch on this idea more in a moment and in the next chapter, when we talk about tricks for searching the ourmon logs.
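The following is an added example, not ourmon code or code from the book, showing the channel-level heuristic described above: a work weight computed without the 1-SYN-per-second strength requirement, and a channel flagged only when several members score high, so that one or two high-weight hosts in a large channel are not flagged on their own. The per-host counters and channel names are constructed, and the formula (SYN + FIN + RST) over all TCP packets is an assumption about how the work weight is computed.

```python
from collections import defaultdict

# Constructed sample of per-host TCP counters for one sample period,
# keyed by client IP, with the IRC channel each client joined. Not real data.
HOST_STATS = {
    "10.1.1.10": ("#xploit", dict(syn=3, fin=0, rst=0, data=0)),
    "10.1.1.11": ("#xploit", dict(syn=40, fin=0, rst=2, data=0)),
    "10.1.1.12": ("#xploit", dict(syn=5, fin=1, rst=0, data=0)),
    "10.1.1.13": ("#xploit", dict(syn=2, fin=2, rst=0, data=40)),
    "10.1.2.20": ("#linux", dict(syn=3, fin=0, rst=0, data=0)),   # lone high score
    "10.1.2.21": ("#linux", dict(syn=1, fin=1, rst=0, data=30)),
    "10.1.2.22": ("#linux", dict(syn=2, fin=2, rst=0, data=55)),
    "10.1.2.23": ("#linux", dict(syn=1, fin=1, rst=0, data=12)),
    "10.1.2.24": ("#linux", dict(syn=0, fin=0, rst=0, data=80)),
}

def work_weight(syn, fin, rst, data):
    """Work weight as a percentage: control packets over all TCP packets.
    Assumed ourmon-style formula (SYN + FIN + RST) / total. The IRC version
    applies no minimum SYN-rate 'strength', so 3 SYNs and nothing else is 100."""
    total = syn + fin + rst + data
    return 0.0 if total == 0 else 100.0 * (syn + fin + rst) / total

def channel_report(stats, threshold=90.0):
    """Per channel: (members, members with work weight at or above threshold)."""
    report = defaultdict(lambda: [0, 0])
    for _ip, (chan, counters) in stats.items():
        report[chan][0] += 1
        if work_weight(**counters) >= threshold:
            report[chan][1] += 1
    return {chan: tuple(v) for chan, v in report.items()}

def suspected_botnet_channels(stats, threshold=90.0, min_scanners=3, min_fraction=0.5):
    """Flag a channel only when several members are scanning in the same way.
    One or two high-weight hosts in a larger channel (the false-positive case
    the text warns about) are left for the TCP port report to judge."""
    flagged = []
    for chan, (members, scanners) in channel_report(stats, threshold).items():
        if scanners >= min_scanners and scanners / members >= min_fraction:
            flagged.append(chan)
    return sorted(flagged)

if __name__ == "__main__":
    for chan, (members, scanners) in channel_report(HOST_STATS).items():
        print(f"{chan}: {scanners}/{members} members with work weight >= 90")
    print("suspected botnet channels:", suspected_botnet_channels(HOST_STATS))
```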
Notes from the Underground…

Hackers and Channel Names

We have seen some really bad choices for channel names from those on the dark side. For example, xploit or lsass445 might not have been the best choices. The latter is particularly bad given that it alludes to the exploit being used to grow the number of hosts in the botnet. That said, there is no telling why human beings pick the channel names they pick. The only true recourse for the analyst is to be knowledgeable about which channel names are normal locally and to investigate new ones if local security policies allow such investigation.