
How to find BOTs in a LAN

Special Note on Sinkhole Malware Detections
If you have been directed to this page for a "sinkhole malware" detection, such as Zeus, Spyeye, TDSS, or Torpig, be aware that these are NOT detected by port 25 traffic. The CBL lookup for these detections will generally tell you which port the detection was on, and the IPs where the infected machine connected to. With these detections, we're detecting traffic on ports other than port 25. Therefore, when reading this page for those listings, keep in mind these are not port 25 (usually port 443, 8080, 80 etc), and you should be looking for ANY traffic to the IPs mentioned in the lookup page.
Table of Contents
Introduction
What will A/V software do for me?
What am I looking for?
What am I not looking for?
Per-machine methods
tcpview/tcpvcon (Windows)
Netstat (UNIX and Windows)
"New files" in System Directories (Windows)
Other Tools (Windows, per machine)
Centralized Detection
Firewall logging
Firewalls and UPNP
Port 25 sniffing
Command and Control Detection
Odd DNS MX Query sources
Lots of DNS NXDOMAINs
Port Scanners
End Notes
THIS DOCUMENT IS UNDER DEVELOPMENT. Comments are welcome.
Introduction
Many times people have a CBL listing that corresponds to the NAT or PAT for a LAN, and it can be EXTREMELY difficult identifying the infected machine. This page mentions a number of simple-to-advanced methods for identifying infected machines on a LAN. Many are methods that non-technical people may well not understand nor be able to conveniently implement.

Your first line of defence if you use a NAT or PAT firewall is to make sure that your NAT does not allow inbound or outbound port 25 connections *except* to your mail server (if you have one).
But whether or not your NAT is secured, you will still need to be able to find the infected machine.
Advanced Techniques for finding BOTs on a LAN http://cbl.abuseat.org/advanced.html
1 di 11 15/03/2013 15:46
This page is intended for a broad range of levels of experience. Both network neophytes and experts should be able to find useful tidbits of information in it.

Some of these methods are relatively easy for anyone to use, so we'll mention them with brief discussions on how to use them.

Other methods really aren't suitable for network neophytes. We mention them in passing so that if you are capable of doing them, or can hire a consultant who can, you/they will know what to look for.

These methods are mostly independent of what kinds of computers or operating systems you're using. The tool names may change between, say, Linux and Windows, but you're looking for the same things. In the discussions below, we'll refer to UNIX/Linux/MacOS/FreeBSD/Solaris/AIX/NetBSD/etc as "UNIX".

The author has taken a stab at identifying which methods are easy, moderately difficult or hard by something like this: "[HARD]".

Within each of the two sections (per-machine and centralized) we present them in an "easy to harder" order. Review them in order to find out which will be the most appropriate for you to use.

But before you try to find out what machine it is, SECURE YOUR NAT.
What will Anti-Virus (A/V) software do for me?

Basically, not much.

These days most bot infections cannot be found by anti-virus "cleaners", or at least not without having to try a dozen or more of them. This means you can expend a considerable amount of time and effort running your A/V tools on every machine on your LAN and find absolutely nothing. Or find something that has nothing whatsoever to do with the CBL listing.

For another voice on current A/V effectiveness see Gary Warner's blog. One of the additional things that Gary omitted mentioning is that of "polymorphic viruses".

Signature-based A/V works by taking an MD5 hash (a checksum) of the malicious program, and saving the hash as the "signature". Then, whenever anyone else sees a file with the same MD5 hash, they know it's the same file, and hence the same malware.

Problem is that there are an infinite number of ways that an executable program can be "packed" on disk. In the old days, the virus would be packed once, and distributed that way. These days, the virus downloaders have the capability of changing the packing every time the file is downloaded. Meaning you'd need an infinite number of MD5 hashes to catch it. And if you've not seen that particular packing before (you may be the only person who'll ever get that packing), then, you won't have an MD5 hash for it.

There's another breed of virus scanners which "decode" the program and try to figure out what it's going to do - "behavioral detection". These aren't very good yet, and they're very very slow. But we're hoping they'll get there.

As a consequence of all this, even if you did know which machine was infected, the A/V tools wouldn't fix them.

The result basically being that A/V tools can't be used to find which machine is infected, and even if you did know which machine was infected, you can't successfully clean it, you have to reinstall your software.

Ugly? Yes. Frustrating? Yes. But that's how things are now.

This document focuses on how to find the infected machine. Once you have found it, you generally will have to reinstall it.
What am I looking for?

The essential goal of this exercise is to figure out which computer is infected and sending email.

The methods we describe here are how to find out which machine is sending lots of email. You will be looking for direct evidence that a particular computer is sending email it shouldn't be, OR, indirect evidence that it is doing it.

Particularly in a large network (with 100s or 1000s of computers) you will want a "central detection" method. In other words, you look in one place, and it tells you which computer is sending lots of email.

We discuss a number of methods under the "Centralized Detection" section below, however, many of these require significant network monitoring/admin expertise and/or testing hardware. Environments run by professional network engineers are frequently able to do these as a normal course of events, but this is seldom the case in a small business or home network. Though, a small business should be able to hire a consultant who could use some of these methods.

The simplest methods under Centralized Detection are using a network sniffer or firewall logging.

Depending on how your network is set up, a network sniffer won't work without considerable extra effort. This is because modern higher performance networking gear makes network sniffing quite difficult.

If your LAN uses an ethernet hub (not a network switch or router), OR, your firewall IS a generalized computer (eg: Linux or Windows server acting as a firewall) go directly to the port 25 sniffing section below. If you're not using a hub, sniffing is still possible, but it's harder, and using one of the per-machine methods may be simpler.

If you have a decent firewall that has logging capabilities, go to the section on Firewall logging.
What am I NOT looking for?

CBL listing criteria is very narrow:

The CBL does not test nor list open relays. DO NOT waste your time with open relay testers. We keep telling people this, and they keep doing it anyway - drives us crazy.

OPEN RELAY HAS NOTHING TO DO WITH THE CBL, so do not waste your or our time with telling us about open relay testing you passed. It's good that you're not an open relay. But we don't list open relays.

The CBL doesn't care what your DNS is. Really. The CBL won't list you if you don't have DNS or don't have rDNS (PTR value) or have "odd" DNS or rDNS values. In some cases, the rDNS is used as the HELO by your mail server (the CBL often cares about HELO), in which case you can fix it by either explicitly configuring your mail server to override the rDNS value, or have the rDNS value changed to something more "normal".

Under normal circumstances, the rDNS doesn't matter, so don't change it until you're sure you understand why it will matter.

But I can't find strange/spam emails in my mail server logs! Don't bother looking in your mail server logs. The things that the CBL catch do NOT go through normal mail servers. They have their own SMTP client, and connect directly to the recipient's mail server. Your mail server logs will show nothing. Really, truly, your server logs will NOT show BOT traffic.

Don't waste your or our time by looking in your mail server logs.
As mentioned above, sometimes the CBL cares about HELO value. But you cannot tell what the HELO value is by telnetting on port 25 to your mail server. What you see when you telnet to the mail server is the "banner". What your machine uses as the HELO/EHLO parameter when it makes an outbound connection is the "HELO". You can test the HELO by sending an email to helocheck@cbl.abuseat.org and examining the reject message you get in reply. But that only tests your real mail server. If that confirms that the HELO is strange, you're lucky, and you just have to fix it in the mail server configuration. But often it won't - meaning that there is some other program on your computer making email connections with its own HELO. Finding that "other program" is the hard part - it's probably a BOT trying to hide.

So, don't waste your time by telnetting to your mail server and telling us that the banner was already okay, or that by sending a test mail to helocheck@cbl.abuseat.org was giving the right helo. If it is okay, it's NOT why the CBL listed it.

As we describe in What will A/V software do for me?, running an A/V tool or two on your machines doesn't mean anything. The success rate of A/V tools in finding modern spambot infections is very low. In fact: horrible, bad, frightening and almost completely and totally useless.

Therefore, an A/V tool saying your computer is "clean" doesn't mean anything anymore. Sorry, but that's just how it is these days. You may get lucky and a new or updated A/V tool might just find it. But don't count on it.

Per-machine methods

The methods in this section require that you check out each computer in your LAN individually.

If you have a number of machines to check, particularly Windows machines, we recommend downloading some of the tools we mention (or others you may find) and put them on a USB key. Then you can go from machine to machine, plugging in the USB key, and running each of the tools without too much difficulty. We recommend trying the tools mentioned here before spending lots of time with A/V scanners.
tcpview/tcpvcon (Windows) [EASY]

tcpview and tcpvcon are free and can be obtained from Microsoft.

If you don't want to download anything, you can use Windows netstat (see the next section) instead. tcpview's display makes it a bit easier to find viruses, but, basically netstat is the same thing. This seems to be standard on Windows.

tcpview and tcpvcon are windows and command-line based versions of something similar to UNIX netstat. These are good tools to have on a USB key "toolkit".

Navigate to where you've placed tcpview (perhaps on a USB key), and run it. It will display all of the programs that have network connections open - naming the program, protocol, local address and port, remote address and port and state.

You're looking for lines that have the remote address say ":smtp" or ":25", representing a remote email connection. A machine should not have any of these except when it's actively sending email. On an end-user desktop, there shouldn't be any at all unless the user is sending an email at the time.

It's often a good idea to shut down the user's mail reader and other unnecessary programs (like browsers etc) when you're doing this so you don't get confused with a flood of irrelevant information. However, some BOTs actually run inside mail readers (especially Outlook), so you should try first with the mail reader shut down, and if you don't find anything, start it up again and watch some more.
When a connection is freshly established, the corresponding line is green. When the connection ends, it's shown in red briefly before disappearing.

If you have found the machine with a high volume bot, which could be sending dozens or hundreds of emails per minute, the display will light up like a christmas tree with large numbers of green ":smtp" lines appearing and red ":smtp" lines disappearing very rapidly. The bot may be deliberately slow, and only send emails sporadically. So watch the display for a few minutes to see if any ":smtp" lines show up and disappear.

If you find the machine with the bot showing up on tcpview, the temptation is strong to simply delete the corresponding program. Don't. Chances are high that it's an infection inside a legitimate Windows program - deleting it will cripple the machine, or, that there is software in place to replace it after you have removed it.

Instead, obtain and run as many anti-virus programs as you can, and see if any detect or remove it. After this, reboot the machine, and run tcpview again. Watch it for a while. If the problem recurs, you will have to reinstall the computer from scratch.

Note: There are a few bots this won't work with - Srizbi and Xarvester have their own TCP stacks, and it's believed that tcpview won't see their activity.

Netstat (UNIX and Windows) [EASY-MEDIUM]

Netstat is similar in intent to the tcpvcon version of tcpview, and is standard on most versions of UNIX - it's been around for decades. Secondly, most versions of Windows have it. The main difference with tcpview is that netstat is a command line function that takes a single snapshot of current connections.

In many versions of netstat, the most effective command line to use is:
netstat -nap
Which could, in the case of Darkmailer, show an active infection like this:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 1 192.168.2.2:58246 212.69.102.240:25 SYN_SENT 12614/b.pl
tcp 0 0 192.168.2.2:35843 209.85.201.27:25 ESTABLISHED 7996/ciwhcnsb.pl
tcp 0 0 192.168.2.2:53051 81.13.48.2:25 TIME_WAIT -
tcp 0 0 192.168.2.2:53623 77.243.121.126:25 TIME_WAIT -
tcp 0 0 192.168.2.2:57816 217.13.210.81:25 TIME_WAIT -
tcp 0 1 192.168.2.2:50531 217.16.16.81:25 SYN_SENT 12270/nxhbo.pl
tcp 0 0 192.168.2.2:52437 217.198.11.26:25 TIME_WAIT -
tcp 0 1 192.168.2.2:50140 195.64.222.2:25 SYN_SENT 9273/yzezihd.pl
The ":25" under "Foreign Address" indicates an outbound SMTP connection. "NNNN/name" under "PID/Program name" is the process id and process name of the offending program. The large variety of "states" show that it's starting up/shutting down connections very quickly.

Most if not all versions of Windows have a "netstat" DOS command. One corporate security person once said "I haven't yet had netstat fail to find an infected machine".

On Windows, use this in a DOS command window:
netstat 5
This will give you a list of all network connections your machine has open, much like UNIX netstat above, every 5 seconds until you stop it. You're looking for very much the same sort of things as UNIX netstat above. You'll probably see Microsoft, Yahoo and other familiar names - they're normal (from your browser, IM etc). "Akamai" perhaps won't be familiar, but it's normal too. Lots of port 25 connections is the usual sign of infection.

In UNIX etc, it's often enough to find the listed programs and remove them, though that will not necessarily prevent you from being infected again. Especially with Darkmailer. Also with Darkmailer, you often won't be able to find the programs, because they start up, delete themselves from the file system, and continue running in memory.
Note: you will usually see a lot more lines than the above that do not have ":25", those are other non-email connections. You might want to repeatedly pipe the output of "netstat -nap" through "grep :25" to only see the SMTP connections. ":25" on the local address means an inbound connection.
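As an added example (not part of the CBL page), the following Python script does the "grep :25" step programmatically: it parses the Linux netstat -nap layout shown above and, going one step beyond the page, the Windows netstat -n layout, then reports port-25 activity per process. The firefox line and the Windows sample are constructed data.

```python
"""Summarise port-25 (SMTP) activity in a netstat snapshot.

Added example, not part of the CBL page: it parses the Linux `netstat -nap`
layout shown above and the Windows `netstat -n` layout, then reports which
process (Linux) or how many connections (Windows) are talking to remote port 25.
"""
from collections import Counter

# The Darkmailer `netstat -nap` output from this page, plus one constructed
# browser connection (firefox -> :443) to show that non-SMTP lines are ignored.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 1 192.168.2.2:58246 212.69.102.240:25 SYN_SENT 12614/b.pl
tcp 0 0 192.168.2.2:35843 209.85.201.27:25 ESTABLISHED 7996/ciwhcnsb.pl
tcp 0 0 192.168.2.2:53051 81.13.48.2:25 TIME_WAIT -
tcp 0 0 192.168.2.2:53623 77.243.121.126:25 TIME_WAIT -
tcp 0 0 192.168.2.2:57816 217.13.210.81:25 TIME_WAIT -
tcp 0 1 192.168.2.2:50531 217.16.16.81:25 SYN_SENT 12270/nxhbo.pl
tcp 0 0 192.168.2.2:52437 217.198.11.26:25 TIME_WAIT -
tcp 0 1 192.168.2.2:50140 195.64.222.2:25 SYN_SENT 9273/yzezihd.pl
tcp 0 0 192.168.2.2:41022 192.168.2.10:443 ESTABLISHED 3011/firefox
"""

# Constructed Windows `netstat -n` output (Windows prints no process column
# without -b, so the report is per host rather than per program).
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.2.7:49210      203.0.113.5:25         SYN_SENT
  TCP    192.168.2.7:49211      203.0.113.9:25         ESTABLISHED
  TCP    192.168.2.7:49180      192.168.2.1:80         ESTABLISHED
"""


def split_addr(addr):
    """Split 'host:port' into (host, port); port is an int, or '*' for wildcards."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else port


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        if fields[0].islower():
            # Linux layout: Proto Recv-Q Send-Q Local Foreign [State] [PID/Program]
            local, foreign, rest = fields[3], fields[4], fields[5:]
            state = rest[0] if rest and "/" not in rest[0] and rest[0] != "-" else ""
            process = rest[-1] if rest and "/" in rest[-1] else "-"
        else:
            # Windows layout: Proto Local Foreign [State]
            local, foreign = fields[1], fields[2]
            state = fields[3] if len(fields) > 3 else ""
            process = "-"
        conns.append({"proto": fields[0].lower(), "local": split_addr(local),
                      "foreign": split_addr(foreign), "state": state, "process": process})
    return conns


def smtp_report(conns, smtp_port=25):
    """Count outbound port-25 connections per process ('-' = already closed or
    owner unknown) and inbound ones (local port 25, i.e. something listening)."""
    outbound, inbound = Counter(), 0
    for c in conns:
        if c["foreign"][1] == smtp_port:
            outbound[c["process"]] += 1
        elif c["local"][1] == smtp_port:
            inbound += 1
    return outbound, inbound


def main():
    for label, sample in (("Linux", LINUX_SAMPLE), ("Windows", WINDOWS_SAMPLE)):
        outbound, inbound = smtp_report(parse_netstat(sample))
        print(f"{label}: {sum(outbound.values())} outbound SMTP, {inbound} inbound")
        for process, n in outbound.most_common():
            print(f"  {n:3d}  {process}")


if __name__ == "__main__":
    main()
```

Run it against the output of netstat on a suspect machine by replacing the samples with the captured text; a process other than your mail transfer agent owning several ":25" lines is what the page tells you to look for.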
"New files" in System Directories (Windows) [EASY]

Most infections "drop" their malicious programs in Windows "system" directories. For example, the interesting directories on Windows/XP are C:\windows\system and C:\windows\system32.

It's often possible to see these programs by navigating to the system directories, switching to the "detailed view" and then sorting by date. There is a good chance that the malicious software on your machine was created within the past 30 days. If you find programs in these directories that are that young, and aren't explainable by a new software install or patch:

Google for the file name. You may find a web page from a reputable A/V vendor telling you what it is, whether it really is an infection or a legitimate program, and how to remove it if it doesn't belong.

Run a series of A/V tools to try to remove them.

If none of the above fixes the problem, you may have to reinstall the machine.

Other Tools (Windows, per-machine)

There are a variety of other tools you can use on a per-machine basis, but these are generally considerably more effort if you have a lot of computers to check.

The MyNetwatchman Seccheck tool [MODERATE-HARD] is one of the most advanced tools for identifying what shouldn't be running on a PC. This is something you will want to put on your USB key toolkit. There are two versions of seccheck. One is the "limited analysis" version which runs a scan, shows you the result which you have to analyse yourself. The "binary upload" version is preferred - it will upload suspicious binary programs to MyNetwatchman which will result in the most recent analysis. If you run the "binary upload" version, you can contact the mNW support mailbox, who will, time available, provide free assistance in interpreting the result.

The Trend Micro Hijackthis free tool [MODERATE-HARD] (another candidate for your USB key) is quite popular. Unlike seccheck, it doesn't perform any analysis at all. It just produces a report of what's running and has network connections. The report has to be analysed to find out what it means. As the Trend page says, there's a variety of online forums that specialize in helping people analyze their hijackthis output.

The HijackThis.de Security page has a place where you can upload your hijackthis output, and it will produce automated analysis of the report. It's not specialized for detecting spambots, it may find other things instead.

The Microsoft Malicious Software Removal Tool (MSRT) [EASY] is a free tool that runs on most versions of Windows and is a suitable addition to your USB key toolkit. Theoretically, this tool is highly specialized for finding and removing current and common spambots. But its success rate is only partially better than general A/V tools and it takes a long time to run. Run tcpview first.

Important note: "full and most effective" use of seccheck and hijackthis means that you're asking other people to provide you with free support. A good analysis could take quite a while - that's a lot to ask of someone. By all means use these tools on any/all of your machines, but please only ask for analysis assistance on the one or few machine[s] that appear suspicious. In other words, don't send dozens or hundreds of reports for expert analysis. It isn't fair to them.
Centralized Detection
Firewall logging [EASY-HARD]

Many firewalls can be configured to log outbound port 25 connections. If your firewall is logging such connections, you can usually identify very quickly the offending machine by lots of "mysterious" outbound port 25 connections. Eg: non-mail servers making dozens or hundreds of outbound port 25 connections per minute.

Obviously, if your firewall doesn't support this kind of logging (many inexpensive consumer-grade firewalls can't), this becomes pretty hard to do.
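As an added example, not from the CBL page: a Python script that turns firewall logs into the "dozens of outbound port 25 connections per minute" check described above, counting connection attempts per LAN host and flagging a busy minute. It assumes the Linux netfilter (iptables LOG) line format; the mail server address and every log line are constructed.

```python
"""Find LAN hosts opening outbound SMTP connections from firewall logs.

Added example, not part of the CBL page. It assumes Linux netfilter/iptables
LOG lines (the "SRC= DST= PROTO= SPT= DPT=" format with TCP flag words) for
outbound traffic; the mail server address is a constructed assumption.
"""
import re
from collections import Counter, defaultdict

MAIL_SERVER = "192.168.2.10"   # assumption: the only host allowed to send SMTP directly
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
MINUTE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d):\d\d ")


def _log(minute, second, src, dst, dpt, flags="SYN"):
    """Build one constructed netfilter LOG line in the real kernel format."""
    return (f"{minute}:{second:02d} gw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51000 DPT={dpt} "
            f"WINDOW=29200 RES=0x00 {flags} URGP=0")


# Constructed sample: the mail server sends three messages, a desktop (.55)
# opens twelve SMTP connections in one minute, another desktop (.20) opens one.
SAMPLE_LOG = (
    [_log("Mar 15 10:01", s, MAIL_SERVER, "203.0.113.7", 25) for s in (5, 20, 40)]
    + [_log("Mar 15 10:02", s, "192.168.2.55", f"203.0.113.{s + 10}", 25) for s in range(12)]
    + [_log("Mar 15 10:03", 9, "192.168.2.20", "203.0.113.40", 25)]
    + [_log("Mar 15 10:03", 15, "192.168.2.55", "203.0.113.41", 443)]        # web, ignored
    + [_log("Mar 15 10:03", 16, "192.168.2.55", "203.0.113.42", 25, "ACK")]  # not a new connection
)


def parse_line(line):
    """Return {'minute','src','dst','proto','dport'} for a TCP connection attempt
    (SYN without ACK); anything else returns None."""
    m = MINUTE_RE.match(line)
    kv = dict(FIELD_RE.findall(line))
    if not m or "SRC" not in kv or "DPT" not in kv:
        return None
    if " SYN " not in line or " ACK " in line:
        return None
    return {"minute": m.group(1), "src": kv["SRC"], "dst": kv["DST"],
            "proto": kv.get("PROTO", ""), "dport": int(kv["DPT"])}


def smtp_senders(lines, mail_server=MAIL_SERVER, burst_threshold=10):
    """List non-mail-server sources that opened port-25 connections, most active
    first, with their busiest minute flagged as a burst above the threshold."""
    total = Counter()
    per_minute = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == 25:
            total[rec["src"]] += 1
            per_minute[rec["src"]][rec["minute"]] += 1
    suspects = []
    for src, n in total.most_common():
        if src == mail_server:
            continue
        peak = max(per_minute[src].values())
        suspects.append({"src": src, "total": n, "peak_per_minute": peak,
                         "burst": peak >= burst_threshold})
    return suspects


if __name__ == "__main__":
    for s in smtp_senders(SAMPLE_LOG):
        flag = "BURST" if s["burst"] else "     "
        print(f"{flag} {s['src']:15} total={s['total']:3d} peak/min={s['peak_per_minute']}")
```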
Firewalls and UPNP

Universal Plug and Play (UPNP) is a feature of many routers and gateways (particularly consumer equipment) that permits computers on the local LAN to reconfigure the router. These are usually used by online games, certain VoIP hardware and other things.

Certain spambots (Rustock in particular) use UPNP commands to subvert port 25 blocking.

If your router/NAT supports UPNP, check to ensure that UPNP logging is turned on. You should be able to see log records showing internal computers making UPNP changes. Unless they're legitimate applications, it's probably a spambot, likely Rustock. Hopefully the log may show you the IP address of the infected machine.

Make sure that UPNP is disabled unless you absolutely need it.

Port 25 sniffing [EASY-HARD]

This is listed as "EASY" if you have a hub-based network. It gets harder if you don't.

Port 25 sniffing is a powerful network diagnostic tool that when used correctly can find just about any malicious machine or program. They work by running a program on one of your machines with network set to "promiscuous mode", which allows it to see and analyze all network traffic on your LAN. Just look for lots of port 25 connections coming from machines that shouldn't be sending any or much email.

There are hardware and software sniffers available. Hardware sniffers are fairly specialized equipment, and are often too expensive for purposes like this. Software sniffers are usually more practical. The most popular and powerful software sniffer freely available is Wireshark, which runs on UNIX, Windows and other systems.

For a howto guide of how to use Wireshark, see MyNetwatchman.

Please read the discussion on how to set up a sniffer. Note in particular, item 4 - "switched Ethernet" - most networks are set up with switches these days, and it makes it difficult to get sniffers to listen to the whole network. In section 4, think of "host A" as the infected computer (you don't know what it is), and "Host B" is the NAT.

The problem is that most relatively modern LAN networks are based upon "proper" routers or network switches. What this means is that each wire from the switch to a given computer only carries the traffic for the IP corresponding to that computer. Not the rest of the LAN. Hence, the sniffer sitting on a switched port only sees traffic to the sniffer machine - useless.

With a hub, it doesn't know which wire is which, and sends a copy of all packets down each port, so a sniffer on one of the ports can see all traffic traversing the hub.

If your computers are connected together with hubs, it's easy, install wireshark on one of the computers "near" the NAT and just start sniffing.

If you're unsure as to whether the sniffer is going to work for you in your network, install wireshark, and from another computer, do "something" to the Internet. If you can't see the network traffic in the sniffer, you probably have a switched network. [If
you're unsure of what to look for, install tcpview on a machine and see what Internet connections it has open. The sniffer should be able to "see" those connections on the wire.]

In a switched network, you somehow have to get a non-switched drop (for the sniffer machine) connected to the LAN segment that talks to your external Internet connection. Eg: on the wire between the NAT device (perhaps a discrete firewall or your ADSL modem) and the rest of your LAN. It must be on the LAN side of the NAT.

If you're lucky, you have a "monitoring" or "mirror port" on your switch, or some other way of making one of the switch ports open. Just attach the sniffer machine there.

Without a monitor port, another way of solving this is to find an "ethernet hub". Which is a simple device with several RJ45 network connectors, and often doesn't even have a power supply. You can often find these in computer stores' used parts bins, and even a brand new one should cost less than $20. Just be sure it's an "ethernet hub", not an "ethernet switch". If in doubt, ask the salesperson. If the salesperson doesn't know, check the Internet. Connect the hub between your NAT and the rest of the network, then connect your sniffer machine to one of the other hub ports. This is the "hubbing out" diagram.

Note that if your NAT gateway is an integrated firewall/router this can be problematic. In such cases, you'll have to rely on firewall rules and logs instead of a sniffer, or add a cheap switch (1Gb switches are < $40) for all of your computers. From the switch, you run a line to the hub, and from the hub to your firewall/router, with the sniffer hanging off one of the hub ports.

[This author has a Dlink wireless 4 port router (100Mb) implementing the NAT connection to the Internet modem and wireless connections. Only one of the Dlink's LAN ports is used - it connects to a 1000Mb switch, where all the wired computers connect to. This was cheaper than upgrading the wireless router to allow the higher speed wired machines to talk at 1000Mb. If a sniffer was necessary, it would be connected via an old 10Mb passive hub between the switch and the router - no particular performance penalty, because essentially the only traffic going through this link is to the Internet, and the author's Internet connection isn't that fast. This doesn't necessarily help sniff the wireless connections, however, machines could be moved to wired connections for testing.]

There are network sniffers that can trick switches into behaving like hubs. Eg: the "dsniff" sniffer - see the Capture using a MITM (Man-In-The-Middle) software for more detail. Take special note of the warnings - use with caution.

Command and Control Detection [MODERATE-HARD]

Spambots are controlled by criminals (botmasters) in a variety of different ways, which can be differentiated in the following ways based on who connects to what, and how they can be detected:

The methods we describe below won't always be terribly useful, but if you have a sniffer working properly, they won't take much time to try, and you may get lucky.

Inbound control is where there is a botmaster who knows that a particular IP is infected, establishes a connection to that IP address and uses a specialized bot control protocol to "tell" the infected computer what to do. This includes some BOTs and other things like "open proxies".

Behind a NAT firewall, these are generally not a big problem because a computer on the Internet can't connect to an arbitrary computer behind a NAT. The NAT has to be explicitly configured to allow specific inbound connections to internal machines (eg: mail and web servers). So, normal "infected end-user machines" generally can't be controlled this way. This is the province of specialized infections like Darkmailer which hacks into web servers and uses them as spam cannons.
More info TBD.

Outbound control: The majority of infestations the CBL detects are where the infected computer makes long-lived or multiple short-lived connections to a "command and control" (CNC) server somewhere in the Internet. The CNC server replies to these connections with sets of instructions of what to do (eg: contents of email, message templates, and lists of email addresses to spam).

Many older BOTs (and a few current ones) use IRC - the infected computer makes a connection to an IRC server, and the IRC server responds with commands. One BOT that does is called "MIRCbot". If you have a sniffer, simply looking for IRC connections that you're not expecting (port 6667) will find both the CNC and the infected computer. As a best practise, it's usually best to block outbound IRC connections at your firewall unless you have users that really need to use IRC.

The Instant Messaging protocols (eg: MSN, AOL/AIM, Yahoo and Jabber based protocols) are generally not a problem in this way.

Newer BOTs use more sophisticated command and control protocols. You have to know exactly which bot you're looking for, and be deeply involved in the anti-virus research community to know exactly what to look for. In many cases, BOTs use random port numbers, or "common" ones, so either you don't know "where" it is, or, it's mixed in with lots of legitimate traffic, so you can't tell which connections are good and which ones are bad.

All is not lost however. With a sniffer, you can try looking for outbound connections to unusually high numbered ports (eg: >10,000). In small environments, you could get everyone to shut down their web browsers, and watch for port 80, 8080, and 443 (all web based) connections when they shouldn't be made. If you find web connections when the source of the connection doesn't have a browser or mail reader running, there's a good chance you've found the infected machine - the machines to first run a toolkit tool like tcpview on.

In a relatively small environment, you may get a "feeling" for the IP addresses the sniffer is showing you as the destination. Eg: if you're in North America, seeing connections to IP addresses beginning with 200, 201, 202, 203, 59, 88, 89 etc, will mean that the computer is making connections to Asia or Europe. Especially if the local computer is idle, why is it making connections there? Again, a job for tcpview.

Odd DNS MX Query sources [MODERATE-HARD]

To send email, virtually all BOTs have to issue DNS MX queries to find how to deliver their spam/viruses. Under normal circumstances, ONLY your mail server[s] and your DNS server[s] (if any) should be issuing MX queries. Web servers that do direct-to-recipient emailing will do MX queries too, but this is generally unwise, and you should force your web server's email through your main mail server.

End user computers generally do NOT have to issue MX queries - they just hand the email off to your mail server (by explicit "smarthost", "relay", "smtp server" or "outbound mail server" settings), which will require an A record but not an MX record lookup.

This means that a BOT sending lots of spam will do lots of MX queries. If you find an end-user computer or some other computer that shouldn't be doing email at all doing MX queries (especially lots of them), you've found the infected computer[s].

If you have your own DNS server (eg: a DNS cache), you should be able to get the DNS server to give you basic statistics of who is issuing MX queries to them. If you don't have your own DNS server, you could look for unusual sources of DNS MX queries via a sniffer. It may be easier to sniff all DNS traffic going to your DNS server than your firewall.

Note some BOTs undoubtedly use their own DNS servers, and ignore your local settings.
In which case, you'd have to be able to sniff all Internet-bound traffic looking for DNS traffic not coming from your DNS cache.

Note: it's probably a good idea to configure your firewall to only allow your DNS cache to send/receive DNS packets (UDP port 53) to/from the Internet. This has a number of benefits, including disabling some bots, and completely disrupting DNS hijacking attacks, which are becoming a major hazard on the Internet (phishing, man-in-the-middle bank account attacks etc). This is fairly easy to do if you allocate most IPs via DHCP, but you will have to remember to check the DNS server settings on your static IP computers. However, in large ad-hoc networks this may be impractical to implement - too much work fixing computer DNS settings.

Configuring DNS servers to yield detailed per-IP metrics is beyond the scope of this page. See the documentation for your DNS server. However, a team member provided this configuration snippet on how to make BIND log queries:
logging {
channel "logger" {
file "/var/log/named.log" versions 3 size 5m;
severity debug 5;
print-time yes;
print-category yes;
};
category queries {
"logger";
};
};
This will log all (not just MX) queries in /var/log/named.log, example:
28-Jul-2009 15:07:09.206 queries: client 192.168.13.100#59889: query: somebody.com IN MX +
You could then issue "grep MX /var/log/named.log" and see if some unexpected IP address is doing a lot of MX queries. See the BIND documentation for more information on logging options.
Lots of DNS NXDOMAINs [MODERATE/HARD]

Some BOTs (eg: Conficker) use DNS to periodically find their command-and-control (CNC) servers. In some cases, some of the CNCs have been taken down, or, the BOT uses time-based algorithms to compute the names before the domain name is registered.

As a consequence such BOTs will do DNS A record queries in bursts, and often get a lot of "no such name" (NXDOMAIN) responses. Lots of "NXDOMAIN" isn't normal behaviour, particularly for end-user computers. This can most often be found if you have your own DNS server - see previous section about setting up logging.
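As an added example (not code from the CBL page), the following Python parses lines in the BIND query-log format shown above and applies both checks: MX queries from hosts that are not your mail servers (previous section) and bursts of A-record lookups for many distinct names from one client (this section). The log lines are constructed, and 192.168.13.10 as the "allowed" mail server is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the BIND query-log format shown above (not real traffic).
SAMPLE_LOG = """\
28-Jul-2009 15:07:09.206 queries: client 192.168.13.100#59889: query: somebody.com IN MX +
28-Jul-2009 15:07:09.310 queries: client 192.168.13.100#59890: query: example.net IN MX +
28-Jul-2009 15:07:09.412 queries: client 192.168.13.100#59891: query: example.org IN MX +
28-Jul-2009 15:07:10.001 queries: client 192.168.13.5#40001: query: www.example.com IN A +
28-Jul-2009 15:07:10.050 queries: client 192.168.13.7#40002: query: xk2jq9mzp.com IN A +
28-Jul-2009 15:07:10.060 queries: client 192.168.13.7#40003: query: qz8wvblc1.net IN A +
28-Jul-2009 15:07:10.070 queries: client 192.168.13.7#40004: query: m3rtyxp0.org IN A +
28-Jul-2009 15:07:10.080 queries: client 192.168.13.7#40005: query: lpq7v2zz.info IN A +
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) queries: client (?P<ip>[\d.]+)#\d+: "
                     r"query: (?P<name>\S+) IN (?P<type>\S+)")

def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["name"], m["type"]

def mx_clients(text, allowed=frozenset(), threshold=1):
    """MX queries per client, excluding your known mail servers ('allowed')."""
    counts = Counter(ip for _, ip, _, qtype in parse_query_log(text) if qtype == "MX")
    return {ip: n for ip, n in counts.items() if ip not in allowed and n >= threshold}

def a_query_bursts(text, window_seconds=1.0, min_queries=4):
    """Clients issuing >= min_queries A lookups for distinct names within one window."""
    by_ip = defaultdict(list)
    for ts, ip, name, qtype in parse_query_log(text):
        if qtype == "A":
            by_ip[ip].append((ts, name))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window start until it fits in window_seconds
            names = {n for _, n in events[start:end + 1]}
            if len(names) >= min_queries:
                flagged[ip] = max(flagged.get(ip, 0), len(names))
    return flagged
```

Run it against your real /var/log/named.log with your mail server addresses in `allowed`; hosts reported by either function are the ones to inspect with tcpview or netstat.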
Port Scanners [EASY/MODERATE]

Back in the days before "outbound controlled BOTs", port scanners were frequently used to scan your own computers to see what ports are open. In this way you could often find the port on which the BOT was listening, or determine that the computer was offering services it didn't need to, and turn them off.

Port scanners are of relatively little use with more modern spambots - the infection is not listening for inbound CNC connections, it makes the connections itself outbound. Secondly, with NATs, the CNC server couldn't reach the infected computer anyway.

However, sometimes you get lucky. Some bots have provisions for multiple CNC methods, or install open proxies or...; these a port scanner can find.

The most common/popular port scanner is the venerable Nmap tool. It's free, and runs on just about anything.

But first, two warnings:
ONLY SCAN YOUR OWN MACHINES! Scanning other people's computers is considered a hostile act, and can result in complaints to your ISP or worse. So don't even think about it.

You really only should use port scanners if you're the boss, or part of your company's security or IT department. It's a good idea to warn management or security first. Sometimes issuing port scans will set off alarms and in some unusual situations can cause processing disruptions. Better that your colleague's response is "Oh that's just the port scan" than "we're hacked, call the police!"
Detailed description of how to use nmap is well beyond the scope of this paper. For our purposes, the following command will do most of what you want and be non-destructive - won't do any damage:
nmap -A [machine or network specification]
For machine specification, you can just give the machine's name. To scan an entire network, say, all of 192.168.0.0-192.168.0.255, use "192.168.0.0/24".

The above command will show what ports are open (and thus listening), and usually what they're used for. Most machines should only be listening on a few. Listening on ports >1024 and/or that don't have a "name" under SERVICE are suspicious and require closer looking at. Machines that shouldn't have a web server listening on ports 80, 8080 are worth looking at. Machines that shouldn't be running services at all should be looked at. tcpview or "netstat -nap" can be used on the machine to find out what's listening on that port.
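As an added example (not the page's or Nmap's own code), the following Python reads the PORT/STATE/SERVICE table from nmap output and applies the heuristics just described: open ports above 1024, open ports with no service name, and web ports on hosts that are not supposed to be web servers. The scan output and addresses are constructed.

```python
import re

# Constructed nmap-style output for two hosts (not a real scan).
SAMPLE_NMAP = """\
Nmap scan report for fileserver.example.lan (192.168.0.10)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.3
445/tcp   open  netbios-ssn Samba smbd 3.X
Nmap scan report for desktop-17.example.lan (192.168.0.17)
PORT      STATE SERVICE VERSION
8080/tcp  open  http-proxy
31337/tcp open  unknown
"""

HOST_RE = re.compile(r"^Nmap scan report for \S+ \((?P<ip>[\d.]+)\)")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>\w+)\s+open\s+(?P<svc>\S+)?")

def parse_open_ports(text):
    """Return {ip: [(port, service_name)]} for every open port in the report."""
    hosts, ip = {}, None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            ip = h["ip"]
            hosts[ip] = []
            continue
        p = PORT_RE.match(line)
        if p and ip:
            # nmap prints "unknown" (or nothing) when it has no name for the port
            svc = p["svc"] if p["svc"] not in (None, "unknown") else ""
            hosts[ip].append((int(p["port"]), svc))
    return hosts

def suspicious_ports(text, web_servers=frozenset()):
    """Apply the page's heuristics; web_servers lists hosts allowed to serve 80/8080."""
    findings = {}
    for ip, ports in parse_open_ports(text).items():
        reasons = []
        for port, svc in ports:
            if port > 1024:
                reasons.append((port, "high port"))
            if not svc:
                reasons.append((port, "no service name"))
            if port in (80, 8080) and ip not in web_servers:
                reasons.append((port, "unexpected web server"))
        if reasons:
            findings[ip] = reasons
    return findings
```

Feed it the saved output of the nmap command above (nmap -oN); each flagged port is then checked on the machine itself with tcpview or "netstat -nap".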
End Notes

ARP packets are special low-level packets that devices use to tell switches and other computers "where" they are. Essentially, it says "Here I am, my MAC (hardware address of Ethernet device) is X and my IP is Y". A network switch sees these packets coming in on one of its ports, and assigns the MAC and IP to a specific port/wire/computer. Then, when it sees a request to send a packet to that IP, it knows which port/wire/computer to send it to. These assignments are kept in the switch's "ARP cache". ARP caches are of limited size. So, if a device deliberately floods it with lots of ARP packets with random faked MAC addresses, the ARP cache overflows, and the switch can only continue operation by sending every packet down every interface.