1. Look at the RRDTOOL IRC network message counts.
2. Look for any IRC channel with too many hosts in it. For example, if
you know you have a normal channel called Ubuntu with 20 host
IPs in it and all of a sudden you have a channel with 200, 2000, or
200,000 hosts in it, it’s probably a botnet server channel!
3. Look for any IRC server with unusual message counts.
Refer to Figure 8.3 and Figure 6.4 (Case Study #4) in the introductory ourmon chapter. Figure 8.3 gives you normal IRC message counts for the entire PSU network. These really are not very high either. Even the automated parts of IRC, like PING and PONG messages, are on the order of 44 pings per 30-second period, roughly 1 per second. Now what does Figure 6.4 tell you? All of a sudden we had 2k PINGS and PONGS a second. Large jumps like this in basic message types are a simple giveaway.
Figure 8.3 Normal Weekly IRC Statistics
Now let's look at some report data from the IRC daily summarization.

channels sorted by evil factor:
channel    msgs     joins    privmsgs  ipcount  wormyhosts  evil?
f          181779   153248   28531     47134    2629        E
x          88767    49495    39272     18098    1287        E
f-exp      20495    0        20495     5255     480         E

channels sorted by max messages (note e/E for possible evil channel):
channel    msgs     joins    privmsgs  ipcount  wormyhosts  evil?
f          181779   153248   28531     47134    2629        E
x          88767    49495    39272     18098    1287        E
f-exp      20495    0        20495     5255     480         E
blahblah   16265    6939     9326      12       0

(IRC and Botnets • Chapter 8, page 305, www.syngress.com)
We have shown the beginning of the evil channel and channels by max messages subreports. The channels by max messages subreport is really outstanding in any number of ways. Note that channel blahblah was the busiest human IRC channel for the day. That channel had only 12 IP hosts in it. On the other hand, channel f appears to have 47134 hosts in it. The broken-out listing of hosts for that channel was amazing, but we are not going to show it here. There was only one local IP host in it (the botserver). Of course, the message counts for channel f are high, too, especially compared to the human blahblah channel. Analysis of this report showed that channels f, x, and f-exp were all used by the same botnet. They all had the same bot server.
One other really interesting thing to note is that the botnet shows up in the evil channel sort, which at first makes no sense. Given one on-campus host and 47,133 off-campus hosts in channel f, why did 2629 of those off-campus hosts appear to be scanners? We can only speculate here to some extent, but it's likely those off-campus hosts are trying to connect to the bot server and failing. This could be because the botnet server has exhausted some set of OS resources, so bot client wannabes cannot connect to it. This is one reason that the TCP port report now shows one sample IP destination host. (At that time it did not show a sample IP destination host.) If at the time it had shown such an IP address destination, all the remote scanners would have shown the IP destination of the local botnet server.
In summary, we have seen at least four ways to tell that you have a bot server on campus:
1. Use the RRDTOOL strip charts to look for outlandish message counts.
2. In the channels by max messages subreport, look for channels with abnormal host counts. Thousands are very likely to be abnormal. Hundreds, depending on your site, could be abnormal.
3. In the channels by max messages subreport, bot servers will have abnormal amounts of messages, too.
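The checks above can be automated against the daily summarization text. The following Python script is an added example, not ourmon's own code: it parses a channel subreport in the layout shown above (the sample text is constructed from the figures quoted in this chapter), flags channels whose host count, scanner fraction or evil marker is abnormal, and separately compares a PING/PONG rate against the Figure 8.3 baseline. The thresholds MAX_HOSTS, WORMY_FRACTION and RATE_FACTOR are assumptions to be tuned per site.

```python
"""Flag suspicious IRC channels in an ourmon-style daily channel summary.

Added example, not ourmon's code. SAMPLE_REPORT is constructed from the
numbers printed in the chapter; the thresholds are site-tuning assumptions.
"""
from dataclasses import dataclass

# Constructed sample in the layout of the "channels sorted by max messages"
# subreport: channel msgs joins privmsgs ipcount wormyhosts evil?
SAMPLE_REPORT = """\
channels sorted by max messages (note e/E for possible evil channel):
channel msgs joins privmsgs ipcount wormyhosts evil?
f 181779 153248 28531 47134 2629 E
x 88767 49495 39272 18098 1287 E
f-exp 20495 0 20495 5255 480 E
blahblah 16265 6939 9326 12 0
"""

MAX_HOSTS = 100         # assumption: no human channel on this site holds more
WORMY_FRACTION = 0.05   # assumption: >5% of a channel's hosts seen scanning
RATE_FACTOR = 10        # assumption: 10x the baseline rate is an anomaly


@dataclass
class Channel:
    name: str
    msgs: int
    joins: int
    privmsgs: int
    ipcount: int
    wormyhosts: int
    evil: bool


def parse_report(text: str) -> list[Channel]:
    """Parse one subreport; title and header lines are skipped."""
    channels = []
    for line in text.splitlines():
        parts = line.split()
        # A data row has a name followed by at least five integer columns.
        if len(parts) < 6 or not all(p.isdigit() for p in parts[1:6]):
            continue
        name, msgs, joins, privmsgs, ipcount, wormy = parts[:6]
        evil = len(parts) > 6 and parts[6].lower() == "e"
        channels.append(Channel(name, int(msgs), int(joins), int(privmsgs),
                                int(ipcount), int(wormy), evil))
    return channels


def reasons(ch: Channel) -> list[str]:
    """Return the abnormality indicators that fire for one channel."""
    found = []
    if ch.ipcount > MAX_HOSTS:
        found.append(f"ipcount {ch.ipcount} exceeds {MAX_HOSTS}")
    if ch.ipcount and ch.wormyhosts / ch.ipcount > WORMY_FRACTION:
        found.append(f"{ch.wormyhosts}/{ch.ipcount} hosts flagged as scanners")
    if ch.evil:
        found.append("evil marker set in report")
    return found


def flag_channels(text: str) -> dict[str, list[str]]:
    """Map each suspicious channel name to the reasons it was flagged."""
    return {ch.name: r for ch in parse_report(text) if (r := reasons(ch))}


def rate_anomaly(baseline_count: float, period_s: float,
                 observed_per_s: float) -> bool:
    """Compare an observed per-second message rate with a strip-chart
    baseline given as a count per sampling period (e.g. 44 pings / 30 s)."""
    baseline_per_s = baseline_count / period_s
    return observed_per_s > RATE_FACTOR * baseline_per_s


if __name__ == "__main__":
    for name, why in flag_channels(SAMPLE_REPORT).items():
        print(f"{name}: " + "; ".join(why))
    # Baseline from Figure 8.3 versus the 2k/s seen in Figure 6.4.
    print("ping rate anomalous:", rate_anomaly(44, 30, 2000))
```

Run as-is it flags f, x and f-exp and leaves blahblah alone (12 hosts, no scanners, no marker), and reports the 2k/s PING rate as anomalous against the 44-per-30-seconds baseline. Feed it the real subreport text instead of SAMPLE_REPORT, and lower or raise MAX_HOSTS to match the largest legitimate channel on your own network.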