To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Craig - Great info - Can you explain in more detail how the CR/LF hex equivalents (0d 0a) were used in the C&C process or started the C&C?

On Thursday, August 31, 2006, at 04:33AM, Gadi Evron <[EMAIL PROTECTED]> wrote:

>To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
>----------
>On Thu, 31 Aug 2006, Gadi Evron wrote:
>> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
>> ----------
>>
>> ---------- Forwarded message ----------
>> Date: Tue, 29 Aug 2006 17:40:56 -0300
>> From: Craig Chamberlain <[EMAIL PROTECTED]>
>> To: [email protected]
>> Subject: RE: detecting network crowd surges
>>
>> I've seen use of HTTP by bots on the rise a bit and have seen two
>> implementations in some detail. Much of it is fairly trivial to detect,
>> like IRC protocol running on port 80. A couple of examples I've seen
>> were harder to spot.
>>
>> One was a request for a page that looked like most any normal auth form
>> for webmail services. It was hosted on a compromised box belonging to a
>> major website, so the traffic we had looked mostly harmless. I showed
>> it to some engineers at an IDS vendor and the consensus was that it was
>> pretty tough to write a signature against; the traffic it produced was
>> pretty small and what we had looked pretty normal. We ended up detecting
>> it by the user agent, which was a bit different owing to the use of some
>> HTTP library for Delphi used by the bot developer. We used a simple
>> snort rule (only useful in this specific case, but the approach was
>> somewhat interesting):
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Trojan control get???
>> command"; content:"User-Agent: UtilMind HTTPGet|0D 0A|"; )
>>
>> Another clever example was a bot which issued a GET for a normal-looking
>> page and parsed for base64-encoded commands contained in HTML comments.
>> There were three commands: sleep, download & execute file, and reverse
>> shell. This isn't hard to spot once you know the pattern, but there's
>> bound to be better stuff out there.
>>
>> Looking for misshapen traffic symmetry, like HTTP sessions with large
>> outbound data streams, is one technique I've heard people have some
>> success with. Regular expressions can spot data outbound if you're
>> looking for structured data like account numbers. Some products also
>> look for high outbound HTTP connection rates that are too fast to be
>> human, or HTTP sessions that cross a time threshold. Simple data volume
>> thresholds are too easily triggered by streaming apps, in my experience,
>> unless you consider the direction and traffic shape as in the misshapen
>> symmetry example above.
>
>Not to steal your thunder, as you speak words of wisdom, I will mention
>only one thing:
>
>Bots are very noisy and non-friendly entities online. Easy to detect. The
>same goes for C&C's.
>
>The difference you notice is the mass "popular" attacks becoming less
>distinguishable as attacks and more hidden, transmuted to appear like
>ordinary users, which is what every attacker's goal is once he is past his
>kiddie days.
>
> Gadi.
>
>> Craig Chamberlain
>> [EMAIL PROTECTED]
>>
>> > -----Original Message-----
>> > From: Jose Nazario [mailto:[EMAIL PROTECTED]]
>> > Sent: Tuesday, August 08, 2006 1:11 PM
>> > To: mikeiscool
>> > Cc: Ron Gula; [email protected]
>> > Subject: Re: detecting network crowd surges
>> >
>> > On Tue, 8 Aug 2006, mikeiscool wrote:
>> >
>> > > I wonder, though, is this how real botnets are controlled?
>> >
>> > Based on our measurements and observations, IRC is the
>> > dominant method for botnet control at this time, but HTTP
>> > methods, similar to the ones you described, are coming on in
>> > popularity. Poll frequencies range from 5 seconds to 1 hour or more.
>> >
>> > ________
>> > jose nazario, ph.d. [EMAIL PROTECTED]
>> > http://monkey.org/~jose/ http://monkey.org/~jose/secnews.html
>> > http://www.wormblog.com/
>>
>> _______________________________________________
>> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
>> All list and server information are public and available to law enforcement
>> upon request.
>> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
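The `|0D 0A|` in Craig's Snort rule is Snort's pipe-delimited hex notation for the two bytes CR LF, the terminator of an HTTP header line; putting it inside the `content:` match anchors the pattern at the end of the User-Agent value, so only that exact value matches and a longer string such as "UtilMind HTTPGet 1.0" does not. The block below is an added example written for this page, not code from the thread or from any of its authors: it runs the three detection ideas Craig describes (the exact-header signature, base64 tokens hidden in HTML comments, and misshapen request/response symmetry) over constructed sample data. All names, sample requests, sessions and thresholds are assumptions chosen for illustration.

```python
"""Detection helpers for the three HTTP C&C patterns discussed in the thread.

Added example, not from the original thread. Sample requests, page and
session records are constructed for illustration; thresholds are assumptions.
"""
import base64
import re

# Pattern 1: the Snort content match "User-Agent: UtilMind HTTPGet|0D 0A|".
# |0D 0A| is CR LF, the HTTP header line terminator, so the match only fires
# when the header value ends right after "HTTPGet".  Same check on raw bytes.
SIGNATURE_UA = b"User-Agent: UtilMind HTTPGet\r\n"


def matches_user_agent_signature(raw_request: bytes) -> bool:
    """True when the request carries the exact header line the Snort rule
    looks for (value terminated by CR LF); case- and whitespace-exact."""
    return SIGNATURE_UA in raw_request


# Pattern 2: base64 text hidden in HTML comments of an otherwise normal page.
COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def base64_comments(html: bytes, min_len: int = 16) -> list:
    """Return decoded payloads of HTML comments whose whole body is a single
    base64 token of at least min_len characters (assumed threshold).
    Ordinary comments contain spaces or punctuation and are skipped."""
    found = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        if len(body) < min_len or len(body) % 4 or not B64_RE.match(body):
            continue
        try:
            found.append(base64.b64decode(body, validate=True))
        except ValueError:
            continue
    return found


# Pattern 3: misshapen symmetry, HTTP sessions that send far more than they
# receive.  Ratio and minimum outbound size are assumptions; the minimum
# keeps small uploads and normal page downloads out of the result.
def asymmetric_sessions(sessions, ratio: float = 4.0, min_out: int = 50_000) -> list:
    """sessions: iterable of (client, server, bytes_out, bytes_in).
    Returns the records whose outbound volume exceeds inbound by `ratio`."""
    flagged = []
    for client, server, out_b, in_b in sessions:
        if out_b >= min_out and out_b > ratio * max(in_b, 1):
            flagged.append((client, server, out_b, in_b))
    return flagged


# --- constructed sample inputs (not real captures) ---
SAMPLE_REQUEST_BOT = (
    b"GET /mail/login.php HTTP/1.1\r\n"
    b"Host: webmail.example.invalid\r\n"
    b"User-Agent: UtilMind HTTPGet\r\n"
    b"\r\n"
)
SAMPLE_REQUEST_BENIGN = (
    b"GET /mail/login.php HTTP/1.1\r\n"
    b"Host: webmail.example.invalid\r\n"
    b"User-Agent: UtilMind HTTPGet 1.0 (compatible)\r\n"  # longer value: no CRLF right after "HTTPGet"
    b"\r\n"
)
SAMPLE_PAGE = (
    b"<html><!-- page header --><body>\n"
    b"<!-- c2xlZXAgMzYwMA== -->\n"  # base64 of the constructed command "sleep 3600"
    b"<form action=login.php>...</form>\n"
    b"<!-- TODO: fix layout -->\n"
    b"</body></html>"
)
SAMPLE_SESSIONS = [
    ("10.0.0.5", "203.0.113.10", 1_200, 48_000),    # normal page download
    ("10.0.0.7", "203.0.113.20", 900_000, 3_500),   # bulk outbound over HTTP
    ("10.0.0.9", "203.0.113.30", 20_000, 1_000),    # small upload, below min_out
]

if __name__ == "__main__":
    print("signature hit (bot):   ", matches_user_agent_signature(SAMPLE_REQUEST_BOT))
    print("signature hit (benign):", matches_user_agent_signature(SAMPLE_REQUEST_BENIGN))
    print("base64 comments:       ", base64_comments(SAMPLE_PAGE))
    print("asymmetric sessions:   ", asymmetric_sessions(SAMPLE_SESSIONS))
```

The first check reproduces the rule's narrowness: it is exact on case and whitespace, just as a Snort `content:` match without `nocase` is, which is why Craig calls it useful only in that specific case. The comment scan on its own will also flag sites that legitimately embed base64 in comments, so in practice it is worth correlating with the polling cadence Jose mentions (a fixed interval from 5 seconds to an hour) and with the direction-aware volume check, rather than treating any single signal as proof.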
