464
Index
Register of Known Spam
Operations (ROKSO), 441
Spamhaus Project, 179, 441
SpamThru Trojan, 52–53
SPIM (Spam for Instant Messaging),
10, 16, 32
Spitzner, Lance, 178
spoofing
ARP, 152, 153
IP address source, 257–258
Spybot, 12–14, 118–124, 130, 131
SQL Slammer attacks, 254, 272–273
SSANs (Social Security Account
Numbers), and data mining,
61
SSH-1, and Cain and Abel tool, 44
Steigerwalt, Raymond, 17
Stewart, Joe, 52, 53, 86, 170, 213, 347
stolen intellectual property, 55–60
stripcharts (ourmon), 220–221
SubSeven Trojan/bot, 8
SVKP.sys, 102
Swatch log analysis tool, 198
switch forwarding table overflow,
152, 153
switch port graphs, 144–145
switches
Layer 2, 151–155
Layer 7, 160
SYN flood attacks, 47–48
system dependencies, ourmon tool,
234–235
Sysinternals Autoruns tool,
203–204
system, optimizing, 334–338, 342
Szor, Peter, 167
T
taxonomy of phishing operation,
54–55
TCP anomaly detection (ourmon),
255–272, 281
TCP/IP protocols, 321
TCP port reports, 222–223, 237,
246, 255–272, 283, 301
TCP SYN flood attacks, 46–47
TCP work weight, 229, 251,
265–267, 273, 296, 303, 311
tcpdump sniffer, 296
TCPView, 183, 201
techniques, forensic, for botnet
detection, 179–207
templates for converting XML to
HTML documents, 369
Themida (Oreans Technology), 397
Thompson, Ken, 175
THr34t-Krew hacking group, 16
Time to Live (TTL) setting, 90
Tomlin, Chas, 347
tools
network infrastructure, 140–143
remote administration, 87
used by botnets, 42
Tor (tool), 30
traffic, blocking botnet-related, 418
triggers
anomaly detection, 317–324
automated packet capture,
314–317
real-world examples of using,
319–324
Trojan ports, 213
Trojans
See also specific Trojan, virus, worm
backdoors left by, 33–34
and botnets, 31, 79–81
described, 79
Remote Access Trojan (RAT),
33–34, 100, 443
viewing information on known,
399–403
troubleshooting your computer for
botnets, 73–75
Truman (The Reusable Unknown
Malware Analysis Net), 347
TTAnalyze, 346–347
TTL (Time to Live) setting, 90
twoworm trigger, 317
U
UDP anomaly detection (ourmon),
272–275, 282
UDP Flood attacks, 48
UDP flows, sampling, 147
UDP port reports, 246, 273–275, 283
UDP weight graphs, 246
UDP work weights, 251, 273, 317
unicast segmentation described, 151
UNIX
ourmon tool. See ourmon tool
whois command, 138–139
URL data bots, 84
V
vetting organization members, 404
viewing information on known bots,
Trojans, 399–403
virtual machines, detecting, 351–352
virus checkers, 432
viruses
See also specific virus
botnets. See botnets
detecting on hosts, 160–165
VirusTotal Web site, 167
VLANs (virtual LANs), isolation
techniques, 155
VMware, 351
vulnerabilities
commonly exploited by bots,
32–33
Microsoft File Share system
vulnerability, 213
W
W32.Glieder.AK Trojan, 51
W32.spybot.won
weak passwords, 108–110
Web-based C&C servers, 83–86
Web sites
antivirus resources, 167
international, using to delay law
enforcement, 423–424
intelligence resources, 398–403
ourmon tool, 219
security-related information, 402
Sourceforge, 147
spam-related services, 140
Symantec’s, 137
WHOIS information, 139
Web surfing, 430
Weimer, Florian, 91
Western Union, phishing and, 63
wget application, 336
whois command (UNIX), 138–139
WildList Organization International,
164–165
Windows
botnet registry modification, 131
checking open ports on, 103
and Clark’s DDoS attack, 20
Windows 2000, Protected Storage
Service, 382–383
Windows Firewall logs, 74, 192–198,
431
Windows Malicious Software
Removal Tool, 5, 22, 25
Windows XP, firewall log
monitoring, 74, 431
Windows XP Service Pack 2, 132
WinPcap (Windows Packet Capture
Library), 169
worm graphs, 222–223, 246,
267–269
worms
See also specific worm
backdoors left by Trojans, 33–34
over Instant Messaging, 86–87
SDBot family of, 9–10
Z
Zango, 50, 61
zero-day attacks, 253
Zippy ransomware, 69
zombies and botnets, 31, 225
ZoneAlarm, 431
zones, drop, 87–89
Zotob worm, 21
427_Botnet_Index.qxd 1/9/07 3:00 PM Page 464