Re: Botnet Detection

["Wayne J. Hauber" <wjhauber () IASTATE EDU>]

At 06:10 PM 8/22/2007, Stephen Gill wrote:
> Hi Jim,
>
> Plenty!  I _highly_ recommend you get involved here:
>
> http://www.ren-isac.net/
>
> I know of few better places to be for dealing with these sorts of issues in
> the .edu environment than involved in that group.  There are a lot of people
> who can help get you up and running there very quickly with tested, proven
> methods for doing exactly what you are looking for.
>
> Some items for you to consider along the way, if you haven't already
> include:
>
>     - deploying netflow/sflow collection capabilities
>     - deploying sniffer capture capability
>     - deploying localized darknets and/or automated malware collectors
>     - tracking DNS query logs
>     - etc.
>
> I've yet to see a silver bullet commercial appliance for battling botnets,
> and you won't win the war without a good mixture of tools and techniques.
> Unfortunately botnets are only the tip of the iceberg compared to other
> malware threats - they're just generally the most obvious :/.
>
> Again, please do consider applying for membership to REN-ISAC if you meet
> the membership criteria.  You can't beat the price of admission.
>
> Cheers,
> -- steve

I would like to second Steve's advice.

Each Botnet is a creation of a team of authors. Expect the detection
of the botnet to vary depending on the authors' design and whims.

Because of this, a Botnet appliance can be only a small part of your
anti-botnet strategy. Some botnet's use the old-fashioned IRC command
and control channels, some use P2P technology and many use encrypted
channels. To be effective, an appliance must be continually updated
with fresh signatures. That is why some of the appliances are
marketed in conjunction with honeynet and darknet efforts. An
appliance is only as good as the team that is feeding it new
signatures and patterns.

Each botnet is a moving target. The advice to join a vetted security
group is helpful in this regard. If a particular botnet is changing,
the members of the group will notice. I am also a member of REN-ISAC
and highly recommend it.

You may find that there is no way to implement all of the techniques
suggested in this group. You should choose some techniques that fit
into your budget and which give the best value. At my school we are
using netflow analysis and are trying to make use of a Cisco CS-Mars
appliance (a complex network analysis appliance). I use sniffers when
I make a housecall on a suspect system and can capture traffic to and
from the command and control systems.

I would like to experiment with honeynet/darknets but haven't had
time. Besides, the CS-Mars appliance promises to be a huge time sink
for me. It is finding enough problems that 10 of me could be kept
busy. With that in mind, remember that if you detect lots of
problems, you will be expected to *do something* about them. So, when
considering an appliance, be sure that you have enough resources to support it.

Don't forget the value of careful forensics. If you are using
forensic tools such as Encase or Autopsy to analyze a system, you may
find logs and traces of commands on the disk or in RAM. Those tools
are also great ways to detect a botnet. Infested clients are full of leads...

Wayne Hauber (515) 294-9890
GCWN GCFA
Information Technology Services
IT Security and Policies
297 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu

> From: Jones, Jim R [mailto:jonesj () ITS GONZAGA EDU]
> Sent: Wednesday, August 22, 2007 2:36 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Botnet Detection
>
> Does anyone have a utility or method of detecting botnet infections?
>
> This is becoming a serious problem that we have no way of tracking down at
> this point in time. Any suggestions are appreciated!
>
> Jim Jones
> IT Security Manager
> Gonzaga University
> 509.323.5926