ARCHIVE :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: Learning about Bots

Go to the daily bot reports and pay attention to the DNS lookups. There are 
a lot of Russian sites (.ru) there...


 Learning about Bots
Published: 2007-09-16,
Last Updated: 2007-09-16 16:00:15 UTC
by Marcus Sachs (Version: 1)

Pedro's diary entry yesterday on malicious file names reminded me that I wanted 
to point everybody again at the BotHunter honeynet web site.  There's a lot of 
new information there, beyond just the lists of evil IP addresses and DNS 
look-ups.  Check out Behavioral Clusters, where you'll see that with over 6000 
infections caught in the honeynet there are only about a dozen bot profiles.  
If you look at the daily catch (for example, September 15 vs September 14) 
you'll see that the behavioral cluster doesn't show up immediately but 
eventually gets updated.  On September 14 the majority of the infections are 
"Aug-Sept-A" clusters and all are easily detected by various Snort rules and 
AntiVirus signatures.

Another interesting tool is the geographic distribution of infection sources 
for a particular malware binary.  For example, the first infection for 
September 15 has a malware hash of a12cab51ef.  In the column labeled "Packed 
Malware Binary" you'll see a link to [Firefox:203 hits: 05-01 to 09-02].  If 
you follow that link you'll see a Google map that shows the infection sources 
for this particular piece of malware over the past few months.  Of course, the 
accuracy of the dots on the Google map depends on the accuracy of the ARIN, 
RIPE, APNIC, AFNIC, and LACNIC databases which as we know are all highly 
accurate and dependable.   :)

If you enjoy looking at the automated output of the honeynet, be sure to 
download a copy of the BotHunter program itself and run it inside your own 
environment.  This is a government funded research project so there is no 
charge for the public distribution.

Marc Sachs
Director, SANS Internet Storm Center


Copyright © Lexa Software, 1996-2009.