To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

On 3/11/06, Jose Nazario <[EMAIL PROTECTED]> wrote:
>
> On Fri, 10 Mar 2006, dan wrote:
>
> > Hah.. that's a pretty good idea. Put some BS DNS entries in your DNS
> > server and set up a fake irc server, almost like a reverse honeypot. Have
> > the bot connect in, and watch the packets to see what irc parameters are
> > sent (channel, key, etc.. assuming they're not encrypted). If it plays
> > out, you should have a decent profile for the bot.
>
> iDefense has some tools that should help you out (i'm not affiliated with
> 'em, btw):
>
> http://labs.idefense.com/labs-software.php?show=9
> http://labs.idefense.com/labs-software.php?show=8
>
> you should be able to redirect the host via DNS and connect it to a fake
> IRC server and log information it's sending.
>
the fakedns tool is quite handy in doing quick blackbox analysis of bots. my basic setup is usually 1-3 virtual machines, with a host-only connection, run ethereal on the host OS, with fakedns pointing to the irc server i set up (in the host OS or in one of the VMs). after a few seconds of running the bot in the vm, you could already get the necessary c&c info. you could create your own personal (research) botnet using this setup :)

_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
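The fake IRC server side of the setup discussed in this thread, as an added example that is not the poster's own setup or the iDefense tool: it answers just enough of the protocol (001 after NICK/USER, PONG, a JOIN echo) for a redirected client to register and join, and records the nick, user and channel/key pairs as the profile the thread talks about. It assumes fake DNS has already pointed the host at this machine; the server name "fakeirc.lab" and the port are constructed values.

```python
import socket

SERVER_NAME = "fakeirc.lab"  # constructed name for the lab server (assumption)

class FakeIrcSession:  # just enough server-side IRC to get a client registered and joined
    def __init__(self):
        self.nick = self.user = None
        self.welcomed = False
        self.channels = {}  # channel -> key (None when the client sent no key)

    def handle(self, raw):  # record what the client sent; return the replies it expects
        line, trailing = raw.rstrip("\r\n"), None
        if " :" in line:  # everything after " :" is one trailing parameter
            line, trailing = line.split(" :", 1)
        parts = line.split()
        cmd, params, out = (parts[0].upper() if parts else None), parts[1:], []
        if cmd == "NICK" and params:
            self.nick = params[0]
        elif cmd == "USER" and params:
            self.user = params[0]
        elif cmd == "PING":  # most clients drop the link if PING goes unanswered
            token = trailing if trailing is not None else (params[0] if params else "")
            out.append(":%s PONG %s :%s" % (SERVER_NAME, SERVER_NAME, token))
        elif cmd == "JOIN" and params:  # JOIN #c1,#c2 key1,key2
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(params[0].split(",")):
                self.channels[chan] = keys[i] if i < len(keys) else None
                out.append(":%s!%s@%s JOIN %s" % (self.nick, self.user, SERVER_NAME, chan))
        if self.nick and self.user and not self.welcomed:
            self.welcomed = True  # numeric 001 tells the client registration succeeded
            out.append(":%s 001 %s :Welcome" % (SERVER_NAME, self.nick))
        return out

def serve(port=6667):  # one client at a time; print every line it sends, reply minimally
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    while True:
        conn, addr = srv.accept()
        sess = FakeIrcSession()
        with conn, conn.makefile("r", encoding="latin-1") as lines:
            for text in lines:  # makefile() hands us one newline-terminated line at a time
                print("%s <- %r" % (addr[0], text.rstrip()))
                for reply in sess.handle(text):
                    conn.sendall((reply + "\r\n").encode("latin-1"))
        print("profile: nick=%s user=%s channels=%s" % (sess.nick, sess.user, sess.channels))

if __name__ == "__main__":
    serve()
```

Run it on the host-only network alongside the packet capture; the printed profile is the channel and key information the thread describes, provided the client's traffic is not encrypted.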
