Educause Security Discussion mailing list archives
Re: Botnet Detection
From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Thu, 23 Aug 2007 11:12:19 -0500
At 06:10 PM 8/22/2007, Stephen Gill wrote:
Hi Jim,

Plenty! I _highly_ recommend you get involved here: http://www.ren-isac.net/

I know of few better places to be for dealing with these sorts of issues in the .edu environment than involved in that group. There are a lot of people who can help get you up and running there very quickly with tested, proven methods for doing exactly what you are looking for.

Some items for you to consider along the way, if you haven't already, include:

- deploying netflow/sflow collection capabilities
- deploying sniffer capture capability
- deploying localized darknets and/or automated malware collectors
- tracking DNS query logs
- etc.

I've yet to see a silver bullet commercial appliance for battling botnets, and you won't win the war without a good mixture of tools and techniques. Unfortunately botnets are only the tip of the iceberg compared to other malware threats - they're just generally the most obvious :/.

Again, please do consider applying for membership to REN-ISAC if you meet the membership criteria. You can't beat the price of admission.

Cheers,
-- steve
I would like to second Steve's advice.

Each botnet is a creation of a team of authors. Expect the detection of the botnet to vary depending on the authors' design and whims. Because of this, a botnet appliance can be only a small part of your anti-botnet strategy. Some botnets use the old-fashioned IRC command and control channels, some use P2P technology and many use encrypted channels. To be effective, an appliance must be continually updated with fresh signatures. That is why some of the appliances are marketed in conjunction with honeynet and darknet efforts. An appliance is only as good as the team that is feeding it new signatures and patterns. Each botnet is a moving target.

The advice to join a vetted security group is helpful in this regard. If a particular botnet is changing, the members of the group will notice. I am also a member of REN-ISAC and highly recommend it.

You may find that there is no way to implement all of the techniques suggested in this group. You should choose some techniques that fit into your budget and which give the best value. At my school we are using netflow analysis and are trying to make use of a Cisco CS-MARS appliance (a complex network analysis appliance). I use sniffers when I make a housecall on a suspect system and can capture traffic to and from the command and control systems. I would like to experiment with honeynets/darknets but haven't had time. Besides, the CS-MARS appliance promises to be a huge time sink for me. It is finding enough problems that 10 of me could be kept busy.

With that in mind, remember that if you detect lots of problems, you will be expected to *do something* about them. So, when considering an appliance, be sure that you have enough resources to support it.

Don't forget the value of careful forensics. If you are using forensic tools such as EnCase or Autopsy to analyze a system, you may find logs and traces of commands on the disk or in RAM. Those tools are also great ways to detect a botnet. Infested clients are full of leads...

Wayne Hauber (515) 294-9890 GCWN GCFA
Information Technology Services
IT Security and Policies
297 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
From: Jones, Jim R [mailto:jonesj () ITS GONZAGA EDU]
Sent: Wednesday, August 22, 2007 2:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Botnet Detection

Does anyone have a utility or method of detecting botnet infections? This is becoming a serious problem that we have no way of tracking down at this point in time. Any suggestions are appreciated!

Jim Jones
IT Security Manager
Gonzaga University
509.323.5926
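Editor's note: the two replies above recommend netflow/sflow collection and a local darknet as the cheapest places to start. The following is an added example, written for this archive page and not code posted by anyone in the thread, showing three checks a practitioner can run over exported flow records: fan-in of many internal hosts to one external IRC-port endpoint (the "old-fashioned IRC command and control" Wayne mentions), near-constant check-in intervals (beaconing), and any traffic at all into an unused darknet range. The flow records, the 10.250.0.0/16 darknet, the 10.0.0.0/8 internal range and the thresholds are all constructed or assumed for the example; on real data they would be tuned to the site.

```python
"""Added example: mining netflow-style records for botnet indicators.

Three checks that flow collection plus a darknet make possible:
  1. fan-in: many internal hosts talking to one external host on an IRC port,
  2. beaconing: a host contacting the same endpoint at near-constant intervals,
  3. darknet hits: a host touching an address range that is never legitimately used.
All data below is constructed for the example, not captured traffic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed site-specific values: an unused (darknet) range, the internal
# range, and the classic IRC ports. Adjust to the local address plan.
DARKNET = ip_network("10.250.0.0/16")
INTERNAL = ip_network("10.0.0.0/8")
IRC_PORTS = {6667, 6697}

# Constructed flows: (start_seconds, src, dst, dst_port, bytes).
SAMPLE_FLOWS = (
    # three hosts checking in with the same IRC server every 300 s
    [(t, src, "203.0.113.9", 6667, 120)
     for src in ("10.1.0.5", "10.1.0.6", "10.1.0.7")
     for t in range(0, 1500, 300)]
    # ordinary, irregular HTTPS browsing from a clean host
    + [(t, "10.1.0.8", "198.51.100.20", 443, 4000) for t in (10, 27, 427, 517)]
    # one of the bots sweeping the darknet on 445/tcp
    + [(650 + i, "10.1.0.6", f"10.250.3.{i + 1}", 445, 60) for i in range(3)]
)


def irc_fan_in(flows, min_clients=3):
    """Map (dst, port) -> set of internal sources, for IRC-port endpoints
    that at least min_clients distinct internal hosts have contacted."""
    clients = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if port in IRC_PORTS and ip_address(src) in INTERNAL:
            clients[(dst, port)].add(src)
    return {k: v for k, v in clients.items() if len(v) >= min_clients}


def beacons(flows, min_flows=4, max_cv=0.2):
    """Return (src, dst, port) triples whose inter-flow gaps are nearly constant.
    A coefficient of variation (stdev / mean of the gaps) at or below max_cv
    flags a beacon; human-driven traffic varies far more than that."""
    times = defaultdict(list)
    for t, src, dst, port, _ in flows:
        times[(src, dst, port)].append(t)
    found = set()
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            found.add(key)
    return found


def darknet_hits(flows):
    """Count flows per source that land in the darknet. Any non-zero count is
    a lead, because nothing legitimate lives in that range."""
    hits = defaultdict(int)
    for _, src, dst, _, _ in flows:
        if ip_address(dst) in DARKNET:
            hits[src] += 1
    return dict(hits)


def suspects(flows):
    """Combine the three signals into {internal host: sorted list of reasons}."""
    reasons = defaultdict(set)
    for (dst, port), srcs in irc_fan_in(flows).items():
        for s in srcs:
            reasons[s].add(f"irc-fan-in:{dst}:{port}")
    for src, dst, port in beacons(flows):
        reasons[src].add(f"beacon:{dst}:{port}")
    for src, n in darknet_hits(flows).items():
        reasons[src].add(f"darknet:{n}")
    return {h: sorted(r) for h, r in sorted(reasons.items())}


if __name__ == "__main__":
    for host, why in suspects(SAMPLE_FLOWS).items():
        print(host, ", ".join(why))
```

The fan-in and darknet checks are cheap and port-agnostic apart from the IRC list; the beacon check is what still works once a botnet moves to encrypted or non-IRC channels, since it looks only at timing. A host that shows up under two of the three signals is a good candidate for the sniffer-and-forensics housecall Wayne describes.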
Current thread:
- Botnet Detection Jones, Jim R (Aug 22)
- <Possible follow-ups>
- Re: Botnet Detection Donna michaels (Aug 22)
- Re: Botnet Detection Jones, Jim R (Aug 22)
- Re: Botnet Detection Clark, Joseph K (Aug 22)
- Re: Botnet Detection Jones, Jim R (Aug 22)
- Re: Botnet Detection Stephen Gill (Aug 22)
- Re: Botnet Detection Jay Tumas (Aug 22)
- Re: Botnet Detection John C. A. Bambenek, CISSP (Aug 22)
- Re: Botnet Detection David Taylor (Aug 23)
- Re: Botnet Detection Wayne J. Hauber (Aug 23)
- Re: Botnet Detection Joseph Karam (Aug 23)
- Re: Botnet Detection Curt Wilson (Aug 24)
- Re: Botnet Detection Joe St Sauver (Aug 24)