Botnets: The Killer Web App

Publisher: Syngress
Year: 2007

Language: English
Pages: 482

Cover
Acknowledgments
Lead Authors and Technical Editors
Contents
Botnets: A Call to Action
Introduction
The Killer Web App
How Big Is the Problem?
The Industry Responds
Summary
Solutions Fast Track
Frequently Asked Questions
Botnets Overview
What Is a Botnet?
The Botnet Life Cycle
What Does a Botnet Do?
Botnet Economics
Solutions Fast Track
Frequently Asked Questions
Alternative Botnet C&Cs
Introduction: Why Are There Alternative C&Cs?
Historical C&C Technology as a Road Map
DNS and C&C Technology
Alternative Control Channels
Web-Based C&C Servers
Summary
Solutions Fast Track
Frequently Asked Questions
Common Botnets
SDBot
RBot
Agobot
Spybot
Mytob
Summary
Solutions Fast Track
Frequently Asked Questions
Botnet Detection: Tools and Techniques
Abuse
Network Infrastructure: Tools and Techniques
Intrusion Detection
Darknets, Honeypots, and Other Snares
Forensics Techniques and Tools for Botnet Detection
Solutions Fast Track
Frequently Asked Questions
Ourmon: Overview and Installation
Introduction
Case Studies: Things That Go Bump in the Night
How Ourmon Works
Installation of Ourmon
Summary
Solutions Fast Track
Frequently Asked Questions
Ourmon: Anomaly Detection Tools
Introduction
The Ourmon Web Interface
A Little Theory
TCP Anomaly Detection
UDP Anomaly Detection
Detecting E-mail Anomalies
Solutions Fast Track
Frequently Asked Questions
IRC and Botnets
Understanding the IRC Protocol
Ourmon’s RRDTOOL Statistics and IRC Reports
Detecting an IRC Client Botnet
Detecting an IRC Botnet Server
Solutions Fast Track
Frequently Asked Questions
Advanced Ourmon Techniques
Automated Packet Capture
Ourmon Event Log
Tricks for Searching the Ourmon Logs
Sniffing IRC Messages
Optimizing the System
Solutions Fast Track
Frequently Asked Questions
Using Sandbox Tools for Botnets
Introduction
Describing CWSandbox
Examining a Sample Analysis Report
Interpreting an Analysis Report
Bot-Related Findings of Our Live Sandbox
Summary
Solutions Fast Track
Frequently Asked Questions
Intelligence Resources
Identifying the Information an Enterprise/University Should Try to Gather
Places/Organizations Where Public Information Can Be Found
Membership Organizations and How to Qualify
Confidentiality Agreements
What to Do with the Information When You Get It
The Role of Intelligence Sources in Aggregating Enough Information to Make Law Enforcement Involvement Practical
Solutions Fast Track
Frequently Asked Questions
Responding to Botnets
Giving Up Is Not an Option
Why Do We Have This Problem?
What Is to Be Done?
A Call to Arms
Summary
Solutions Fast Track
Frequently Asked Questions
FSTC Phishing Solutions Categories
Index