July 26, 2005
BOTS
The Creation of a Botnet Tracking Web Application
Micah Hoffman
US-CERT
What is it?
• Apache/PHP/PostgreSQL Web application
• It slices. It dices! It tracks:
  • Bots (both servers and clients)
  • Bot protocols (e.g., HTTP, IRC, …)
  • Net info lookups: IP, IP Block, DNS registrar, DNS registrant and their parent’s information
  • Suspects/Perpetrators
  • Stakeholders of infected machines
But why do we need it?
• Standardize input of data
  • Same person; 2 emails; 30 minutes apart
    • “Another botnet c&c dns rr… please terminate it.”
    • “Anoter botnet c&c dns rr… please shut down it.”
  • Responses from people terminating a botnet C&C
    • “Closed”
    • “This one is being taken care of.”
    • “This host has been nuked.”
• Tracking of “reports” through all stages
  • Similar to a help-desk ticketing system (open, assigned, closed)
Are there other reasons?
• More secure transmission of data
  • HTTPS vs. unencrypted email
• Maintains history of past events for analysis
  • Has IP 1.2.3.4 been infected more than once?
  • Find patterns in infections
  • Find patterns in suspects (like Zone-H)
  • Trends
  • Pretty graphs and charts!
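A constructed PostgreSQL sketch, added here and not the deck’s own (unshown) schema, of how the ticket-style report stages (open, assigned, closed) and the “has IP 1.2.3.4 been infected more than once?” question could be modelled; every table and column name is an assumption.

```sql
-- Constructed example, not the deck's actual schema. Table and column names
-- are assumptions; the status values are the stages the deck names.

-- One row per host observed in a botnet. The inet type (rather than free text)
-- is what "standardizes input": non-IP text is rejected and IP-block queries work.
CREATE TABLE bot (
    bot_id     serial PRIMARY KEY,
    ip         inet        NOT NULL,
    role       text        NOT NULL CHECK (role IN ('server', 'client')),
    protocol   text        NOT NULL CHECK (protocol IN ('irc', 'http', 'other')),
    first_seen timestamptz NOT NULL DEFAULT now()
);

-- One row per takedown request, tracked like a help-desk ticket.
CREATE TABLE report (
    report_id   serial PRIMARY KEY,
    bot_id      integer NOT NULL REFERENCES bot(bot_id),
    status      text    NOT NULL DEFAULT 'open'
                CHECK (status IN ('open', 'assigned', 'closed')),
    assigned_to text,
    opened_at   timestamptz NOT NULL DEFAULT now(),
    closed_at   timestamptz,
    -- a closed ticket must carry a close time and an unclosed one must not,
    -- so free-text replies like "nuked" cannot leave the state ambiguous
    CHECK ((status = 'closed') = (closed_at IS NOT NULL))
);

-- Constructed sample data: 1.2.3.4 (the deck's example IP) seen twice, weeks apart.
INSERT INTO bot (ip, role, protocol, first_seen) VALUES
    ('1.2.3.4',      'client', 'irc',  '2005-06-01'),
    ('1.2.3.4',      'client', 'http', '2005-07-20'),
    ('198.51.100.7', 'server', 'irc',  '2005-07-25');
INSERT INTO report (bot_id, status, assigned_to, opened_at, closed_at) VALUES
    (1, 'closed',   'analyst-a', '2005-06-01', '2005-06-02'),
    (2, 'assigned', 'analyst-b', '2005-07-20', NULL),
    (3, 'open',     NULL,        '2005-07-25', NULL);

-- "Has IP 1.2.3.4 been infected more than once?" (history kept across reports)
SELECT ip, count(*) AS infections
FROM   bot
WHERE  role = 'client'
GROUP  BY ip
HAVING count(*) > 1;

-- Ticket board: every report not yet closed, oldest first.
SELECT r.report_id, b.ip, r.status, r.assigned_to, r.opened_at
FROM   report r JOIN bot b USING (bot_id)
WHERE  r.status <> 'closed'
ORDER  BY r.opened_at;
```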
How will it make us work more efficiently?
• All talking the same language
• Targeted notifications (info comes to you)
• Trending
• Pretty graphs and charts!
How far along are you?
• As of today:
  • DB Schema is complete
  • Working on web application logic
  • Working on coding PHP front-end
What are the future capabilities of BOTS?
• Automated submission of entries through XML/RPC (security issues)
• RSS Feed to data (security issues)
• Automated notification of new entries to interested parties (how?)
• Automated penetration of botnet (interesting…)
• Malware archive?
• Daily/Weekly DB Dumps available for download (like http://osvdb.org/database-info.php)
So, can I have the URL to the live site?
• Uh…no.
• Still coding it.
• For more information, access to the site (when it goes live), or to offer assistance with PHP coding, DB maintenance, or other issues contact micah.hoffman@us-cert.gov