To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I'm trying to detect zombies, but not in a corporate environment, rather in a
home/small office environment. I'm trying to find out if I can detect zombies
without having to spend a long time observing router activity. Do zombies that
communicate over http maintain a constant communication, or do they only have
brief communications?
Thanks
[EMAIL PROTECTED] wrote:
Send botnets mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]
You can reach the person managing the list at
[EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of botnets digest..."
Today's Topics:
1. Re: Detecting zombies (David Glosser)
2. IRC C&C with a zombie doing a SYN scan on port 443 (Mason Schmitt)
3. Re: IRC C&C with a zombie doing a SYN scan on port 443 (Mason Schmitt)
4. [da] ISOI: Dinner and Drinking TONIGHT (Matt Jonkman)
----------------------------------------------------------------------
Message: 1
Date: Fri, 26 Jan 2007 09:47:42 -0800 (PST)
From: David Glosser
Subject: Re: [botnets] Detecting zombies
To: Thomas Raef ,
[email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"
If you are in a corporate environment, check for user traffic on your firewall
during off hours, like weekends or between 2-5am.....
----- Original Message ----
From: Thomas Raef
To: [email protected]
Sent: Friday, January 26, 2007 12:26:30 PM
Subject: Re: [botnets] Detecting zombies
I haven't seen any personally, but I've read that some bots won't appear in
netstat because if they're a rootkit, they won't use the NT IP stack and
therefore won't show up in netstat. I've also personally seen infections where
they replaced the netstat.exe file with one that won't show their connections.
I was creating a webcast to show others how to use netstat when I came across
this information.
Anyone with more expertise care to confirm or deny?
So to answer your question, I believe the only way is to watch the traffic at
the router/gateway. Close all programs and sit and watch for any connections
from that PC to the outside. With all programs closed, you shouldn't see any
traffic, unless it's set to autoupdate.
That's my two cents worth.
From: dr cronk [mailto:[EMAIL PROTECTED]
Sent: Fri 1/26/2007 8:43 AM
To: [email protected]
Subject: [botnets] Detecting zombies
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
------------------------------
Message: 2
Date: Fri, 26 Jan 2007 14:38:10 -0800
From: Mason Schmitt
Subject: [botnets] IRC C&C with a zombie doing a SYN scan on port 443
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1
I haven't seen a bot doing this before. Is there a new SSL
vulnerability that I haven't heard about yet? Or is it likely this bot
is scanning for the OpenSSL vulnerability that came out a long time ago?
Anyway, the C&C is 64.18.128.86
I'm going to kill the zombie now. I just thought someone might be able
to shed some light on this.
--
Mason Schmitt
Systems Administrator
Sunwave Cable Internet / Shuswap Internet Junction
ph: (250) 832-9711
www.sunwave.net
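Two checks from this thread, David Glosser's off-hours firewall review (message 1) and the single-host SYN fan-out to port 443 that Mason reports (message 2), as an added Python example that is not from any poster on the list; the flow-log format and every address in it are constructed for the demonstration.

```python
"""Flag hosts whose outbound flows show two of the signs discussed in the
thread: traffic in the off-hours window and a SYN scan fanning out to one
port. The flow records below are constructed, not a real capture."""
from collections import defaultdict
from datetime import datetime

# Constructed flow log, one flow per line: "timestamp src dst dport flags".
# Flags: S = SYN with no reply seen, SA = handshake completed.
SAMPLE_FLOWS = "\n".join(
    ["2007-01-26T14:05:10 192.168.1.30 203.0.113.5 80 SA",
     "2007-01-26T03:12:01 192.168.1.20 198.51.100.7 6667 SA"]
    + [f"2007-01-26T03:12:{s:02d} 192.168.1.20 203.0.113.{s} 443 S"
       for s in range(2, 32)])


def parse_flows(text):
    """Parse the constructed log format into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "flags": flags})
    return flows


def off_hours_talkers(flows, start_hour=2, end_hour=5):
    """Hosts with any outbound flow in [start_hour, end_hour), the
    2-5am window suggested in message 1. Returns a sorted list."""
    return sorted({f["src"] for f in flows
                   if start_hour <= f["ts"].hour < end_hour})


def syn_fanout(flows, port=443, min_targets=20):
    """Hosts sending unanswered SYNs to `port` at min_targets or more
    distinct destinations, the scan pattern from message 2."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == port and f["flags"] == "S":
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("off-hours talkers:", off_hours_talkers(flows))
    print("port-443 SYN fan-out:", syn_fanout(flows))
```

Both checks are thresholds a home gateway can apply to exported flow records; autoupdaters will also trip the off-hours check, so the fan-out count is the stronger signal of the two.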
------------------------------
Message: 3
Date: Fri, 26 Jan 2007 15:02:42 -0800
From: Mason Schmitt
Subject: Re: [botnets] IRC C&C with a zombie doing a SYN scan on port 443
To: William Atchison
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1
William Atchison wrote:
>
> The reverse DNS on that IP is interesting:
> undernet.irc.justedge.net
>
Yeah, that is interesting. Here is the little bit of IRC traffic that I
grabbed when I did a capture to see what this was.
:[EMAIL PROTECTED] PRIVMSG #kiss-kiss
:.3Hop Tzop La Tine In Barlog;),. .04.satenutza...3! ..04+5.
.03(.04B.07o.03N.02u.06S .06B.02r.03E.07a.04K.13 +3!..03).
.14[..0512.0..14 sec. .050.66..14 cps..14]. .14[..14total..05 15772..14
locul..05 8..14].
:[EMAIL PROTECTED] PRIVMSG #kiss-kiss
:.2Raspunsul corect era: .04.National..2.. .2Sa vedem daca o stiti
Is there anyone from undernet on this list that might want to check out
this channel?
--
Mason Schmitt
Systems Administrator
Sunwave Cable Internet / Shuswap Internet Junction
ph: (250) 832-9711
www.sunwave.net
------------------------------
Message: 4
Date: Fri, 26 Jan 2007 17:04:24 -0800
From: Matt Jonkman
Subject: [botnets] [da] ISOI: Dinner and Drinking TONIGHT
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1
For the folks in Seattle, as mentioned we'll have drinks for anyone
interested tonight at the Rock Bottom Bar, it's next door to the
TapHouse Grill we had dinner at on Wednesday.
550 106th Avenue, Suite 103
Bellevue, WA 98004
www.rockbottom.com
Phone: (425) 462-9300
http://www.rockbottom.com/RockBottomWeb/RBR/Index.aspx?PageName=/RockBottomWeb/Controls/Location/DisplayLocationRBR.ascx&SectionName=Root.LocationFinder.LocationResults.LocationDetails.OurPlace&LocationID=10056
It'll be informal, I've not called them to reserve a room. It's BYOFB. :)
Expect to see folks there within an hour after we end the conference
this evening, likely by 7:30 at the latest. If you're the first one there
please see if you can get a contiguous area under control.
Matt
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
da mailing list
[EMAIL PROTECTED]
https://linuxbox.org/cgi-bin/mailman/listinfo/da
------------------------------
_______________________________________________
botnets mailing list
[email protected]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
End of botnets Digest, Vol 11, Issue 19
***************************************