means of electronic submission and approval of these kinds of requests is needed.

Law regarding botnets is literally all over the map.
Darknets, Honeynets, and Botnet Subversion
Darknets, honeynets, and the like, including tools like sandboxes (Chapter 11), are an important and valuable resource for fighting botnets. Many researchers and white-hat crime fighters are using them to learn more about botnets and eliminate them when possible. Darknets and honeynets run by various entities provide valuable information about how botnets work both from the host and network point of view. For instance, Shadowserver (www.shadowserver.org/) is an all-volunteer group that tracks and reports on botnets and other malware. Much of their information comes from such tools, and their Web site explicitly promotes a tool called Nepenthes for collection of malware (see http://nepenthes.mwcollect.org). Shadowserver's Web site also has some great statistics on botnets. Another Web site and group of interest is the Cymru group (www.cymru.com), which has information about how to set up a darknet.

Setting up a darknet or honeynet isn't for everyone, as you might not have the time or resources required. However, if you do, you should consider joining one or more crime-fighting groups and then reporting on information learned about local attacks.
Some consider more "interesting" techniques, such as trying to actively subvert the botnet itself in some way. Perhaps you might log in to an IRC botnet server and issue commands to release the botnet clients, or perhaps actively try to take over the C&C and somehow shut the botnet system down. We aren't going to recommend such practices, as they may be harmful to your network's health.
Even though we do not recommend such practices (at least for novices), one highly intriguing idea comes from Kapil Kumar Singh of Georgia Institute of Technology. Kapil recommends using a Karstnet (Figure 12.2). The Karstnet approach leverages the fact that most bot clients can find the bot server (step 1 in Figure 12.2), because the server is set up using Dynamic DNS. In step 2, with the cooperation of a dynamic DNS provider, you can have the provider redirect the DNS entries to somewhere other than the bot server. In effect, this is a man-in-the-middle attack on the botnet herder. This entry will cause (step 3) botnet clients to send all bot client communication
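The three Karstnet steps above, simulated end to end as an added example (this is not code from the book or from Singh's work): a constructed dynamic-DNS zone, the provider's record change, and a passive sinkhole that records which hosts connect and what IRC nick they announce, so the owning networks can be notified. All hostnames, addresses and bot traffic are constructed; the sinkhole deliberately never replies, so it observes without ever acting as a controller.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed dynamic-DNS zone: the C&C hostname the bots are coded to resolve.
ZONE: Dict[str, str] = {"cc.example-ddns.test": "203.0.113.10"}  # constructed values
SINKHOLE_IP = "198.51.100.5"  # constructed address of the defender's sinkhole

# Constructed IRC-style traffic that infected clients send when they connect.
BOT_TRAFFIC: List[Tuple[str, str]] = [
    ("192.0.2.11", "NICK [XP]-ab12f3"),
    ("192.0.2.11", "USER bot 0 * :bot"),
    ("192.0.2.47", "NICK [2K]-9c0d11"),
    ("192.0.2.11", "NICK [XP]-ab12f3"),  # reconnect from the same host
    ("192.0.2.90", "PING :keepalive"),   # no NICK announced, nothing to record
]

NICK_RE = re.compile(r"^NICK\s+(\S+)")


def resolve(name: str, zone: Dict[str, str]) -> str:
    """Step 1: a bot client looks up its C&C hostname in dynamic DNS."""
    return zone[name]


def redirect_to_sinkhole(zone: Dict[str, str], name: str, sinkhole_ip: str) -> str:
    """Step 2: the cooperating DNS provider repoints the record.

    Returns the address the record pointed at before the change.
    """
    previous = zone[name]
    zone[name] = sinkhole_ip
    return previous


@dataclass
class Sinkhole:
    """Step 3: a passive listener standing where the bot server used to be.

    It records which source hosts connect and which nick each announces.
    It never sends anything back, so it cannot act as a controller.
    """
    address: str
    infected: Dict[str, Set[str]] = field(default_factory=dict)

    def receive(self, src_ip: str, line: str) -> Optional[str]:
        match = NICK_RE.match(line)
        if match:
            self.infected.setdefault(src_ip, set()).add(match.group(1))
        return None  # no reply: the sinkhole only observes

    def report(self) -> List[Tuple[str, str]]:
        """Sorted (source IP, nick) pairs to hand to the owning network for cleanup."""
        return sorted((ip, nick) for ip, nicks in self.infected.items() for nick in nicks)


def run_karstnet(zone: Dict[str, str], cc_name: str, sinkhole_ip: str,
                 traffic: List[Tuple[str, str]]) -> Sinkhole:
    """Run all three steps over the constructed traffic and return the sinkhole."""
    zone = dict(zone)  # work on a copy so the caller's zone is untouched
    redirect_to_sinkhole(zone, cc_name, sinkhole_ip)
    sink = Sinkhole(address=sinkhole_ip)
    for src_ip, line in traffic:
        # Each client resolves the name again and now lands on the sinkhole.
        if resolve(cc_name, zone) == sink.address:
            sink.receive(src_ip, line)
    return sink


if __name__ == "__main__":
    sink = run_karstnet(ZONE, "cc.example-ddns.test", SINKHOLE_IP, BOT_TRAFFIC)
    for ip, nick in sink.report():
        print(f"infected host {ip} announced nick {nick}")
```

The report lists each infected source only once per nick, even across reconnects, which is the data a group like Shadowserver passes to network owners; the sinkhole itself holds no command path back to the clients.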