BOTS - The Creation of a Botnet Tracking Web - Caida


July 26, 2005

BOTS: The Creation of a Botnet Tracking Web Application

Micah Hoffman
US-CERT

What is it?

Apache/PHP/PostgreSQL Web application
It slices. It dices! It tracks:
  Bots (both servers and clients)
  Bot protocols (e.g., HTTP, IRC, …)
  Net info lookups: IP, IP block, DNS registrar, DNS registrant and their parent's information
  Suspects/perpetrators
  Stakeholders of infected machines


But why do we need it?

Standardize input of data
  Same person; 2 emails; 30 minutes apart
    “Another botnet c&c dns rr… please terminate it.”
    “Anoter botnet c&c dns rr… please shut down it.”
  Responses from people terminating a botnet C&C
    “Closed”
    “This one is being taken care of.”
    “This host has been nuked.”
Tracking of “reports” through all stages
  Similar to a help-desk ticketing system (open, assigned, closed)


Are there other reasons?

More secure transmission of data
  HTTPS vs. unencrypted email
Maintains history of past events for analysis
  Has IP 1.2.3.4 been infected more than once?
  Find patterns in infections
  Find patterns in suspects (like Zone-H)
  Trends
  Pretty graphs and charts!
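The "infected more than once" history check and the open/assigned/closed report stages from the previous slide, as an added example that is not part of the slides or of the BOTS application itself. The table layout, column names and sample rows are constructed assumptions, and sqlite3 stands in for the PostgreSQL back end.

```python
import sqlite3
# Constructed schema (an assumption; the slides only say the real schema is complete).
SCHEMA = """
CREATE TABLE bot (
    id       INTEGER PRIMARY KEY,
    ip       TEXT NOT NULL,
    role     TEXT NOT NULL CHECK (role IN ('server', 'client')),
    protocol TEXT NOT NULL,   -- e.g. IRC, HTTP
    reported TEXT NOT NULL    -- ISO date the report came in
);
CREATE TABLE report (
    id     INTEGER PRIMARY KEY,
    bot_id INTEGER NOT NULL REFERENCES bot(id),
    status TEXT NOT NULL CHECK (status IN ('open', 'assigned', 'closed')),
    note   TEXT               -- free-text reply, e.g. "This host has been nuked."
);
"""
# Constructed sample rows: 1.2.3.4 shows up in two separate reports.
SAMPLE_BOTS = [("1.2.3.4", "client", "IRC", "2005-03-01"),
               ("1.2.3.4", "client", "HTTP", "2005-06-15"),
               ("5.6.7.8", "server", "IRC", "2005-05-20")]
SAMPLE_REPORTS = [(1, "closed", "Closed"), (2, "assigned", None), (3, "open", None)]
# Help-desk style lifecycle: which status changes a report may make.
ALLOWED = {"open": {"assigned", "closed"}, "assigned": {"closed"}, "closed": set()}

def open_db():
    conn = sqlite3.connect(":memory:")  # in-memory DB loaded with the sample data
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO bot (ip, role, protocol, reported) VALUES (?, ?, ?, ?)", SAMPLE_BOTS)
    conn.executemany("INSERT INTO report (bot_id, status, note) VALUES (?, ?, ?)", SAMPLE_REPORTS)
    return conn

def repeat_infections(conn, min_reports=2):
    """IPs reported at least min_reports times: (ip, count, first, last)."""
    return conn.execute(
        "SELECT ip, COUNT(*), MIN(reported), MAX(reported) FROM bot "
        "GROUP BY ip HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC, ip", (min_reports,)).fetchall()

def report_counts_by_status(conn):
    # How many reports sit in each stage, the raw material for the trend charts.
    return dict(conn.execute("SELECT status, COUNT(*) FROM report GROUP BY status"))

def advance(conn, report_id, new_status, note=None):
    """Move a report to the next stage, rejecting transitions the lifecycle forbids."""
    (current,) = conn.execute("SELECT status FROM report WHERE id = ?", (report_id,)).fetchone()
    if new_status not in ALLOWED[current]:
        raise ValueError(f"report {report_id}: cannot go from {current} to {new_status}")
    conn.execute("UPDATE report SET status = ?, note = COALESCE(?, note) WHERE id = ?",
                 (new_status, note, report_id))
    return new_status
```

The free-text replies ("Closed", "nuked") map onto the fixed status values, which is what makes the per-stage counts and the repeat-infection query possible.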


How will it make us work more efficiently?

All talking the same language
Targeted notifications (info comes to you)
Trending
Pretty graphs and charts!


How far along are you?

As of today:
  DB schema is complete
  Working on web application logic
  Working on coding PHP front-end


What are the future capabilities of BOTS?

Automated submission of entries through XML/RPC (security issues)
RSS feed to data (security issues)
Automated notification of new entries to interested parties (how?)
Automated penetration of botnet (interesting…)
Malware archive?
Daily/weekly DB dumps available for download (like http://osvdb.org/database-info.php)


So, can I have the URL to the live site?

Uh…no.
Still coding it.

For more information, access to the site (when it goes live), or to offer assistance with PHP coding, DB maintenance, or other issues, contact micah.hoffman@us-cert.gov