BOTS: The Creation of a Botnet Tracking Web Application
July 26, 2005
Micah Hoffman, US-CERT
What is it?
• Apache/PHP/PostgreSQL Web application
• It slices. It dices! It tracks:
  • Bots (both servers and clients)
  • Bot protocols (e.g., HTTP, IRC, …)
  • Net info lookups: IP, IP block, DNS registrar, DNS registrant, and their parent's information
  • Suspects/perpetrators
  • Stake-holders of infected machines
But why do we need it?
• Standardize input of data
  • Same person; 2 emails; 30 minutes apart:
    • “Another botnet c&c dns rr… please terminate it.”
    • “Anoter botnet c&c dns rr… please shut down it.”
  • Responses from people terminating a botnet C&C:
    • “Closed”
    • “This one is being taken care of.”
    • “This host has been nuked.”
• Tracking of “reports” through all stages
  • Similar to a help-desk ticketing system (open, assigned, closed)
Are there other reasons?
• More secure transmission of data
  • HTTPS vs. unencrypted email
• Maintains history of past events for analysis
  • Has IP 1.2.3.4 been infected more than once?
  • Find patterns in infections
  • Find patterns in suspects (like Zone-H)
  • Trends
  • Pretty graphs and charts!
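A PostgreSQL sketch of the two ideas on this slide (a report that moves through open/assigned/closed with its history kept, and a query answering "has this IP been infected more than once?"). This is an added illustration, not the BOTS schema, which the slides do not show; every table, column and enum name below is an assumption.

```sql
-- Hypothetical schema (added example; not the BOTS project's own schema)
CREATE TYPE report_status AS ENUM ('open', 'assigned', 'closed');
CREATE TYPE bot_role AS ENUM ('server', 'client');

CREATE TABLE report (
    report_id   SERIAL PRIMARY KEY,
    host_ip     INET NOT NULL,                      -- infected host or C&C
    role        bot_role NOT NULL,
    protocol    TEXT NOT NULL,                      -- e.g. 'irc', 'http'
    reported_at TIMESTAMPTZ NOT NULL DEFAULT now(),
    status      report_status NOT NULL DEFAULT 'open'
);

-- Every status transition is kept, so the ticket's life is analysable later
CREATE TABLE report_history (
    report_id  INT NOT NULL REFERENCES report(report_id),
    old_status report_status,
    new_status report_status NOT NULL,
    changed_by TEXT NOT NULL,
    changed_at TIMESTAMPTZ NOT NULL DEFAULT now()
);

-- Trigger replaces free-text "Closed" / "nuked" replies with a standard record
CREATE FUNCTION log_status_change() RETURNS trigger AS $$
BEGIN
    IF NEW.status IS DISTINCT FROM OLD.status THEN
        INSERT INTO report_history (report_id, old_status, new_status, changed_by)
        VALUES (NEW.report_id, OLD.status, NEW.status, current_user);
    END IF;
    RETURN NEW;
END $$ LANGUAGE plpgsql;

CREATE TRIGGER report_status_audit
    AFTER UPDATE OF status ON report
    FOR EACH ROW EXECUTE PROCEDURE log_status_change();

-- "Has IP 1.2.3.4 been infected more than once?"
SELECT host_ip, count(*) AS reports,
       min(reported_at) AS first_seen, max(reported_at) AS last_seen
FROM report
WHERE host_ip = '1.2.3.4'
GROUP BY host_ip
HAVING count(*) > 1;

-- Trending: which /24 blocks generate the most reports
SELECT network(set_masklen(host_ip, 24)) AS block, count(*) AS reports
FROM report
GROUP BY block
ORDER BY reports DESC
LIMIT 10;
```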
How will it make us work more efficiently?
• All talking the same language
• Targeted notifications (info comes to you)
• Trending
• Pretty graphs and charts!
How far along are you?
• As of today:
  • DB schema is complete
  • Working on web application logic
  • Working on coding the PHP front-end
What are the future capabilities of BOTS?
• Automated submission of entries through XML-RPC (security issues)
• RSS feed to data (security issues)
• Automated notification of new entries to interested parties (how?)
• Automated penetration of botnet (interesting…)
• Malware archive?
• Daily/weekly DB dumps available for download (like http://osvdb.org/database-info.php)
So, can I have the URL to the live site?
• Uh… no.
• Still coding it.
• For more information, access to the site (when it goes live), or to offer assistance with PHP coding, DB maintenance, or other issues, contact micah.hoffman@us-cert.gov