Educause Security Discussion mailing list archives

Re: Botnet Detection


From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 24 Aug 2007 10:36:16 -0500

Custom snort signatures, or sigs from the Bleeding Edge Threats
(bleedingedgethreats.com I believe) resource can help find botnets. The
traditional, clear-text IRC-based botnet command and control (C&C) is
easily found with IDS/IPS signatures. There are some signatures
floating about for the Storm worm, I think there may be a few
bleedingedge sigs available. To detect Storm I know that several
bleedingedge threat signatures related to edonkey traffic will trigger
in massive numbers, which detects the bot agents' communication with the
P2P network that it's part of (unless the attackers have mutated their
use of the edonkey protocol to evade detection).

Monitoring firewall logs is helpful too as many bots, at least in the
past, would scan for typical Windows vulns on TCP ports 139 and 445 and
would be very noisy.

There is a botnet book "Botnets" by Syngress, written by Craig A.
Schiller (from U of Oregon, I believe) and a host of others that has a
variety of information and resources. They have a tool called ourmon.

Hope this helps some.


Jones, Jim R wrote:
Does anyone have a utility or method of detecting botnet infections?

This is becoming a serious problem that we have no way of tracking down
at this point in time. Any suggestions are appreciated!

Jim Jones
IT Security Manager
Gonzaga University
509.323.5926

--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
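One way to turn the firewall-log advice in the message above into a check, as an added example that is not part of the original post: a Python script that reads iptables-style log lines and flags internal hosts fanning out to many distinct destinations on TCP 139/445 within a short window (a repeat client of one file server is not flagged). The log format, addresses, window and threshold are all constructed assumptions.

```python
"""Flag sources that sweep many distinct hosts on TCP 139/445 in a short window."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample (assumed iptables/syslog layout): 10.0.5.12 sweeps a /24
# on 139/445 within one minute; 10.0.5.40 just talks to one file server.
SAMPLE_LOG = "\n".join(
    [f"Aug 24 10:30:{i:02d} fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.12 "
     f"DST=10.0.7.{i + 1} PROTO=TCP SPT={40000 + i} DPT={445 if i % 2 else 139} SYN"
     for i in range(60)]
    + [f"Aug 24 10:30:{10 + i:02d} fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 "
       f"DST=10.0.7.2 PROTO=TCP SPT={51000 + i} DPT=445 SYN" for i in range(5)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def find_scanners(log_text, ports=(139, 445), window_s=60, threshold=20):
    """Return {src: peak number of distinct destinations on `ports` seen within
    any `window_s`-second window} for sources whose peak reaches `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) not in ports:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        events[m.group("src")].append((ts, m.group("dst")))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left = peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            while (ts - evs[left][0]).total_seconds() > window_s:  # slide left edge
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct hosts on 139/445 within 60s")
```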
