A few things that can generally help you figure out
if the users have been turned into zombies are:
If packet captures show
they've chosen an IRC nickname that is like USA-294102420 or BOT-1042402 or
zjfslazsfl. Generally they'll be either completely random nicknames or
some constant with random numbers after it. You can then see if it joins a
channel right away that has a topic set with a command in it. It might say
.scan with some arguments or !download or .aim, something that looks like a
command. The same thing could be seen in a message (PRIVMSG) to the user
from another user. I think a lot of things will make it obvious if you get
packet captures. There's a bunch of other telltale signs which I am sure
you can recognize.
Steven
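The indicators in the message above (constant-plus-digits or random-looking nicks, a JOIN straight after registration, a ./! command in the channel topic or in a PRIVMSG) are easy to check mechanically once the IRC session has been reassembled from a capture. The following is an added example, not code from the thread or from any of its participants; the IRC lines in SAMPLE_IRC are constructed to illustrate the pattern, and the nick heuristics (letters followed by five or more digits, or a long vowel-poor string) and the "joined within two lines of 001" window are assumptions chosen for illustration.

```python
import re

# Constructed sample of IRC lines as they might be reassembled from a packet
# capture of a suspected bot (not traffic from the original thread). The nick,
# the command-bearing topic and the PRIVMSG follow the indicators described
# in the message above.
SAMPLE_IRC = """\
NICK USA-294102420
USER xyz 0 * :xyz
:irc.example.net 001 USA-294102420 :Welcome
JOIN #chan1
:irc.example.net 332 USA-294102420 #chan1 :.scan -a 10.0.0.0/8 -t 30
:ctrl!op@host PRIVMSG USA-294102420 :!download http://example.invalid/update.exe c:\\win\\svc.exe 1
:alice!a@host PRIVMSG #chat :hey, are you coming to the meeting tomorrow?
"""

# RFC 1459 message layout: [':' prefix SPACE] command [params] [' :' trailing]
IRC_LINE = re.compile(
    r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)'
    r'(?P<params>(?: (?!:)\S+)*)(?: :(?P<trailing>.*))?$'
)
# "some constant with random numbers after it": USA-294102420, BOT-1042402
# (assumed heuristic: 1-8 letters, optional separator, 5+ digits)
CONST_PLUS_DIGITS = re.compile(r'^[A-Za-z]{1,8}[-_]?\d{5,}$')
# a leading ./! verb is what bot commands in topics and PRIVMSGs look like
COMMAND_TEXT = re.compile(r'^\s*[.!][A-Za-z]\w*')


def parse_irc_line(raw):
    """Return (prefix, command, params, trailing) or None for a non-IRC line."""
    m = IRC_LINE.match(raw.rstrip('\r\n'))
    if not m or not m['command']:
        return None
    return m['prefix'], m['command'], m['params'].split(), m['trailing']


def looks_random(nick):
    """Assumed heuristic for 'completely random' nicks like zjfslazsfl: long and vowel-poor."""
    letters = [c for c in nick.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    return vowels / len(letters) < 0.25


def bot_like_nick(nick):
    return bool(CONST_PLUS_DIGITS.match(nick)) or looks_random(nick)


def analyze(capture):
    """Walk a capture and return (indicator, detail) pairs for bot-like behaviour."""
    findings = []
    registered_at = None
    for n, raw in enumerate(capture.splitlines()):
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        prefix, cmd, params, trailing = msg
        if cmd == 'NICK' and params and bot_like_nick(params[0]):
            findings.append(('bot_like_nick', params[0]))
        elif cmd == '001':                      # RPL_WELCOME: registration done
            registered_at = n
        elif cmd == 'JOIN' and params and registered_at is not None and n - registered_at <= 2:
            findings.append(('immediate_join', params[0]))   # joined "right away"
            registered_at = None
        elif cmd in ('332', 'TOPIC') and params and trailing and COMMAND_TEXT.match(trailing):
            findings.append(('command_in_topic', f'{params[-1]} {trailing}'))   # 332 = RPL_TOPIC
        elif cmd == 'PRIVMSG' and trailing and COMMAND_TEXT.match(trailing):
            sender = prefix.split('!')[0] if prefix else '?'
            findings.append(('command_in_privmsg', f'{sender}: {trailing}'))
    return findings


if __name__ == '__main__':
    for kind, detail in analyze(SAMPLE_IRC):
        print(f'{kind:20} {detail}')
```

Feed it the client/server lines from a TCP stream reassembly of the suspect connection; the ordinary chat PRIVMSG in the sample is deliberately left unflagged to show that the check keys on command-shaped text, not on PRIVMSG traffic as such.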
----- Original Message -----
Sent: Friday, March 10, 2006 3:38 AM
Subject: Re: [botnets] Possible Bot Controllers
Thanks Steven.
As you guessed, I don't have the
authority to pull the machine. All I can do is report it to the client's IT
dept, which I have done several times.
You're right about the machine being a potential threat to others, of
course, though the lack of a flurry of similar symptoms suggests that if it is
propagating within our network, it is not doing so very successfully.
Without information from the infected PC,
is there any way to tell if the IRC server is definitely a botnet controller -
I'm no IRC expert (in fact, not even a user) so, though I have downloaded a
client just in case, I wouldn't know where to begin.
Thanks
again.
Regards,
Dave
_____________________
David Long
Network Analyst
Serco Solutions
01223 717582
[EMAIL PROTECTED]
www.serco.com
bringing service to life
______________________
"Steven" <[EMAIL PROTECTED]>
10/03/2006 01:45
To: <[email protected]>, <[EMAIL PROTECTED]>
cc:
Subject: Re: [botnets] Possible Bot Controllers
Hi David,
I have a few different responses for you which I hope can
help. The first part about there being no immediate threat is not
necessarily true. You are blocking the IRC portion, but you might not be
blocking other components of the infection. This can range from file
deletions, spyware installation, keylogging, scanning/exploitation across the
network, and so on. The best thing to do depending on what your policies
are would probably be to get the machine off the network until it can be
cleaned (not sure if you have authorization for this). One of the
biggest threats at this point is to the customers but it could still
potentially affect [infect] your network. There
are also a number of legitimate reasons to run IRC servers on various ports,
however, this is a good indication that it is probably not a friendly server.
That and the repeated connection attempts would definitely indicate
this. Go to the machines or connect to the servers yourself (preferably
through a proxy or something) and verify it is in fact a bot server. You
never know -- it could be something else. No need to report it to the
owner if it turns out to be some tech support IRC command based chat
program.
If you can do packet captures and more analysis
you can be 100% sure about some of the activity as well. Good
luck!
Steven
----- Original Message -----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: Thursday, March 09, 2006 3:17 AM
Subject: [botnets] Possible Bot Controllers
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Please forgive the newbie question - I'll
try to make it my only one :^)
A couple of PCs here are trying to
get to IRC servers on TCP port 8080. The traffic is blocked and logged by our
firewalls, so is no immediate threat in itself. The destination addresses are
not associated with any known malware (or weren't last time I looked), so I
can't be absolutely certain that the IRC boxes are controllers (though it's
difficult to think of an innocent reason for putting IRC servers on 8080 or
for a PC trying the same addresses repeatedly 24 hours a day!).
What is the etiquette in such a case? Should I report the IRC
servers to the site administrator(s)? Should I report the addresses here (or
elsewhere) even though I'm not certain that they are bot-related?
Unfortunately my organisation only provides network services to our
client, so I cannot produce any useful evidence from the PCs themselves, and
their IT dept has neither the time nor the skills to extract any such evidence
- if they do anything at all, it'll probably be a re-installation.
Thanks.
Regards,
Dave
***Disclaimer**** This e-mail and any
attachments may contain confidential and/or privileged material; it is for the
intended addressee(s) only. If you are not a named addressee, you must not
use, retain or disclose such information. Serco cannot guarantee that the
e-mail or any attachments are free from viruses. The views expressed in
this e-mail are those of the originator and do not necessarily represent the
views of Serco. Nothing in this e-mail shall bind Serco in any contract or
obligation. Serco Group plc. Registered in England and Wales. No:
2048608 Registered Office: Serco House, 16 Bartley Wood Business Park,
Bartley Way, Hook, Hampshire, RG27 9UY, United Kingdom.
_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
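The original question rests on firewall deny logs only: a PC trying the same addresses on TCP 8080 repeatedly, 24 hours a day, which Steven later cites (with the odd port) as the strongest sign short of a capture. The following is an added example, not code from the thread or its participants, showing how to pull that "round the clock at a steady interval" pattern out of deny logs and separate it from ordinary daytime traffic that happens to use 8080. The log line format, the sample entries and the thresholds (seen in at least 20 distinct hours of the day, retry interval varying by no more than 20%) are all constructed assumptions for illustration; real firewalls differ in layout, and, as Steven notes, a hit still needs to be verified against the server before it is reported.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed generic "deny" log line: timestamp, action, proto, src:port -> dst:port
LINE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DENY TCP '
    r'(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$'
)


def _build_sample():
    """Constructed firewall log for the example (not the poster's real logs)."""
    start = datetime(2006, 3, 8)
    lines = []
    # host A: one blocked attempt every hour, all day, to one server on 8080
    for i in range(24):
        ts = start + timedelta(hours=i, seconds=(i * 7) % 40)
        lines.append(f'{ts:%Y-%m-%d %H:%M:%S} DENY TCP 10.1.2.34:{1040 + i} -> 203.0.113.7:8080')
    # host B: a few office-hours hits on 8080 to several hosts (a user browsing alt-port web servers)
    for h, dst in [(9, '198.51.100.20'), (11, '198.51.100.21'), (14, '198.51.100.20'), (16, '198.51.100.22')]:
        ts = start + timedelta(hours=h, minutes=17)
        lines.append(f'{ts:%Y-%m-%d %H:%M:%S} DENY TCP 10.1.2.50:2231 -> {dst}:8080')
    return '\n'.join(lines)


FW_LOG = _build_sample()


def parse_denies(text):
    """Group deny timestamps by (src, dst, dport) flow; lines that do not parse are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        flows[(m['src'], m['dst'], int(m['dport']))].append(ts)
    return flows


def summarize(times):
    """Count, distinct hours of day seen, median gap between attempts and relative jitter of the gaps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps) if gaps else 0.0
    jitter = (max(gaps) - min(gaps)) / med if med else float('inf')
    return {'count': len(times), 'hours_active': len({t.hour for t in times}),
            'median_gap_s': med, 'jitter': jitter}


def find_beacons(text, min_hours=20, max_jitter=0.2):
    """Flows blocked round the clock at a steady interval: what a bot retrying its controller looks like.
    Thresholds are assumptions; tune them to the log volume you actually see."""
    hits = []
    for flow, times in parse_denies(text).items():
        s = summarize(times)
        if s['hours_active'] >= min_hours and s['jitter'] <= max_jitter:
            hits.append((flow, s))
    return hits


if __name__ == '__main__':
    for (src, dst, dport), s in find_beacons(FW_LOG):
        print(f'{src} -> {dst}:{dport}  {s["count"]} denies, {s["hours_active"]} hours, '
              f'median gap {s["median_gap_s"]:.0f}s, jitter {s["jitter"]:.3f}')
```

Host B's daytime hits to three different servers never reach the hour threshold, so only host A's hourly retries to one address surface; that per-flow summary (count, hours covered, interval) is also the evidence worth passing to the client's IT department alongside the destination address.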