Botnets - The killer web applications

www.syngress.com
378
Chapter 10 • Using Sandbox Tools for Botnets
From this output we can learn the SMTP server (68.142.229.41), the authentication data used (username: kalonline@sbcglobal.net, password: vi3tridaz) and the recipient's mail address ( ). Furthermore, we can read the mail body in plain text. Without doubt this is a notification mail, which is used to inform the malware operator about a newly infected host. As we have seen, CWSandbox recognizes SMTP traffic and extracts all the relevant data from it. Furthermore, it can be configured to trick the malware by exchanging informational data with the SMTP server while only pretending to send the e-mail. The attribute behavior="Simulate_And_Log" enables this feature during the malware's execution. There is another feature that restricts the number of allowed SMTP send operations, to limit the report size for mass-mailing malware.
Huge botnets are often used to perform DDoS attacks. Commonly known attacks are TCP SYN floods, UDP floods, and ICMP floods. If you find a lot of notifications for such connections in your report that all use the same target IP address, this is clear evidence of such an attack (or sometimes only of the foolishness of the malware's developer). The relevant entries could look like the following and would have to occur in large numbers:
remoteport="80" protocol="Unknown" connectionestablished="1" socket="122"/>
remoteport="80" protocol="Unknown" connectionestablished="1" socket="124"/>
remoteport="80" protocol="Unknown" connectionestablished="1" socket="123"/>
remoteport="123" connectionestablished="0" socket="3496"/>
remoteport="123" connectionestablished="0" socket="3488"/>
remoteport="123" connectionestablished="0" socket="3444"/>
An analysis report normally contains only one output line for each type of received notification, no matter how often it was received. Usually a DoS attack is performed using a lot of parallel threads that use a lot of different sockets, so one notification will be reported for each different socket. If, due to bad implementation, the same socket is always used, only one
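The following is an added example (not from the book or from CWSandbox) of how an analyst might scan report entries like those above for flood-like behaviour: it groups connection notifications by target IP and counts how many distinct sockets reached it. The element name "connection" and the attribute "remoteaddr" are assumptions for illustration; only remoteport, protocol, connectionestablished and socket are taken from the fragments on the page, and the sample report is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the fragments quoted above. The element
# name "connection" and the attribute "remoteaddr" are assumptions; the
# target addresses are documentation ranges, not real hosts.
SAMPLE_REPORT = """
<connection remoteaddr="192.0.2.10" remoteport="80" protocol="Unknown" connectionestablished="1" socket="122"/>
<connection remoteaddr="192.0.2.10" remoteport="80" protocol="Unknown" connectionestablished="1" socket="124"/>
<connection remoteaddr="192.0.2.10" remoteport="80" protocol="Unknown" connectionestablished="1" socket="123"/>
<connection remoteaddr="192.0.2.10" remoteport="123" connectionestablished="0" socket="3496"/>
<connection remoteaddr="192.0.2.10" remoteport="123" connectionestablished="0" socket="3488"/>
<connection remoteaddr="192.0.2.10" remoteport="123" connectionestablished="0" socket="3444"/>
<connection remoteaddr="198.51.100.7" remoteport="6667" protocol="TCP" connectionestablished="1" socket="140"/>
"""

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_connections(report):
    """Return one attribute dict per <connection .../> line in the report."""
    entries = []
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("<connection") and line.endswith("/>"):
            entries.append(dict(ATTR_RE.findall(line)))
    return entries


def flood_candidates(entries, min_sockets=3):
    """Map target IP -> {"sockets": distinct socket count, "ports": ports hit}.

    Only targets reached from at least min_sockets distinct sockets are kept.
    Because the sandbox reports one notification per socket, a flooder that
    reuses a single socket yields one entry and is not flagged here; that is
    the limitation the text describes, not a bug in this check.
    """
    sockets, ports = defaultdict(set), defaultdict(set)
    for e in entries:
        addr = e.get("remoteaddr")
        sockets[addr].add(e.get("socket"))
        ports[addr].add(e.get("remoteport"))
    return {addr: {"sockets": len(s), "ports": sorted(ports[addr])}
            for addr, s in sockets.items() if len(s) >= min_sockets}


if __name__ == "__main__":
    for addr, info in flood_candidates(parse_connections(SAMPLE_REPORT)).items():
        print(f"possible flood against {addr}: {info['sockets']} sockets, ports {info['ports']}")
```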