Botnets - The Killer Web Applications
460
Index
Brock University, 408
Brown, Chris, 5
Burnett, Mark, 188
C
Cain and Abel tool, 43–44
Cain collection files, 44–46
CAN-SPAM Act
  Ancheta prosecution, 49
  Operation Cyberslam, 18, 20
Canavan, John, 7
channel names, hackers and, 297
channels
  control. See control channels
  and IRC, 295
  rating evil, 224
CIFS (Microsoft File Share), 150
Cisco
  netflow tools, 147–148
  router vulnerabilities, 10, 33
  switch RSPAN feature, 213
  switches, port security, 154
Claburn, Thomas, 423
Clark, Anthony Scott, 20
click scams, 50–51
Clicks4Hire scam, 49, 63–69
client bot mesh, 225
clients, botnet. See botnet clients
code
  analysis, 346
  malicious, and botnets, 31–32
Command and Control (C&C) servers
  alternative, 78–79
  alternative control channels, 82–92
  and botnet clients, 37, 41
  botnet, report on, 436–437
  determining how and which are contacted, 375–376
  and DNS, 81–82, 93–94
  historic rise of, 79–81
  removing, 2–3
  reporting results, 61–62
command-based bots, 84–85
computer forensics, 179
Computer Fraud and Abuse Act, 18, 20, 49. See also CAN-SPAM Act
computers
  checking open ports of, 103
  detecting virtual machines, 351–352
  determining if part of botnet, 73–75
  effective security practices, 430–434
confidentiality agreements, 404–407, 413
connect & forget bots, 84
control channels, 82–92
controls for operational environment, 160–165
converting XML to HTML documents, 359, 368
CPU (central processing unit)
  dual-core, 335, 342
  router utilization, 144
Cricket, network monitoring with, 141, 144–145
crontab, 230, 237
cwmonitor.dll, 356–359
CWSandbox
  analysis report examination, 359–368
  analysis report interpretation, 368–369
  application described, 198, 348–352, 385–389
  case studies of, 383–385
  components of, 352–359
  determining how and which C&C servers are contacted, 375–376
  discovering how new hosts are infected, 371–375
  obtaining copy, source code of, 390
cwsandbox.exe, 354–356
Cymru Darknet project, 177
D
darknets for bot, netbot detection, 176–179, 237, 444–445
data capture with Spybot, 122–123
data mining described, 61
DDoS (distributed denial of service) attacks
  Ancheta’s zombies, 18
  on Blue Security, 441
  botnets and, 19, 46–49
  described, 5–6, 20
  ourmon detection, 221–222, 267–269
  packet loss during, 343
DDoSing, 17
decompilers, 396
DeepFreeze, 350–351
denial-of-service attacks. See DoS attacks
detecting
  e-mail anomalies with ourmon, 275–278
  IRC botnet servers, 304–308, 311
  IRC client botnets, 298–303, 310
  virtual machines, 351–352
detection
  anomaly. See anomaly detection
  botnet. See botnet detection
  integrity, 166
  intrusion. See intrusion detection
DHCP attacks, 153
digital forensics, 179, 180–181
DirectRevenue, 64–69
discussion groups, security information, 402–403
disassemblers, 395–398
distributed denial of service attacks. See DDoS attacks
distribution of illegal intellectual property, 55–60
DJ Java Decompiler, 396
DLL (dynamic link library), 352
DNS (domain name service)
  -based botnets, 89–92
  and C&C technology, 81–82, 93–94
documents, converting XML to HTML, 359
Dollar-Revenue, 63–64
domain names and DNS, 81–82
DoS (denial of service) attacks
  and NIDS, 156
  and packet size, 323–324
  and SNMP tools, 146
Dr. Watson analytics, 204
drop zones and FTP-based C&Cs, 87–89
drwtsn32.log, 204
dual-core CPUs, 335, 342
Dumador bot, 87
dynamic ARP inspection, 154
dynamic DNS, 90
dynamic link library (DLL), 352
E
e-mail
  abuse, 134–139, 208
  anomalies detected with ourmon, 275–278, 282
  attachments, and botnets, 31
  Mytob naming, 126–127
  spam and, 139–140
eBay, botnet attacks on, 20
echo-based botnets, 83–84
Echouafni, Jay, 18
economics of botnets, 71–73, 93
Edelman, Ben, 69
education about botnets, 420
EDUCAUSE organization, 400–401
effective security practices, 430–434
Elton, Norman, 2
email syn port reports (ourmon), 275–278
enterprise
  antivirus solutions, 161–165
  effective security practices, 432–434
Essebar, Farid, 21
event logs
  ourmon, 324–329, 340
  using for botnet detection, 184–192
Evron, Gadi, 23
exploitation, botnet function, 31
F
Fantibag Trojan, 51
fastflux DNS, 90–92
File Share (Microsoft) system vulnerability, 213
firewalls
  See also specific product
  and logging, 148–150
  recommended usage, 431
  using logs for botnet detection, 192–198
flow-dscan, 147
427_Botnet_Index.qxd 1/9/07 3:00 PM Page 460


