Security Incidents mailing list archives

Re: Follow-up on the Botnet incident.


From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 16 Aug 2000 00:20:26 +0200

On Mon, 14 Aug 2000 14:11:52 -0500, PARKIN, MICHAEL M (PBI) wrote:

> How to defend against them?  Like any other DDoS, I'm sure defense
> is difficult, but if these bots are anything like Sub7 (in fact, I realize
> they may be a new variant of Sub7) it may be possible to disinfect the
> hosts.
>
> Comments?

I imagine you ran a good, up-to-date anti-virus and it came up clean?

When you are infected by a possible new trojan, you must absolutely get
a sample. One way to achieve this is to use a program such as ZoneAlarm
or the recently released tdimon from http://www.sysinternals.com. These
programs will allow you to discover the process that is generating the
traffic.

9	62.50008320	Pmmailw	00040003	TDI_SEND_DATAGRAM	UDP:0.0.0.0:1025	195.0.122.232:53	SUCCESS	Length:37

(Here, my mail program querying our DNS, for example.)

Once you have the name of the process, it is fairly easy to identify
the file(s) involved and monitor their activity through regmon and
filemon (same url).

Disinfection is simply a matter of undoing the changes the trojan made
(to autostart itself, other file modifications, etc.).

Detection involves finding a signature in the files that is specific to
the trojan (i.e. doesn't have false positives) and sensitive (i.e. doesn't
have false negatives).

Discovering what the trojan does is a matter of observation, source
study or reverse engineering if the source is not available.

Anti-virus labs will be most interested in receiving the files, doing
an analysis and providing you with a solution. You could also send the
bot our way and we'll be glad to have a look.
---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
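The triage step the post describes (use a TDI monitor to find which process is generating the traffic) can be automated over a saved log. The following is an added example, not code from the post or from DataRescue or Sysinternals: it parses tab-separated lines in the layout of the single tdimon sample above (that nine-column layout is an assumption drawn from that one line), totals outbound sends per process and remote endpoint, and flags any process that sends an unusual number of packets to one host, which is the footprint a flooding bot leaves. The sample log is constructed; the process name "botsvc" and the 203.0.113.9 target are placeholders.

```python
"""Summarise outbound traffic per process from TDIMon-style log lines.

Added example (not from the original post). Assumed line layout, taken
from the one sample line in the post, nine tab-separated columns:
seq, time, process, handle, operation, proto:local, remote, result, Length:N
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class TdiRecord(NamedTuple):
    seq: int
    time: float
    process: str
    operation: str
    proto: str
    local: str
    remote: str
    result: str
    length: int


_LENGTH_RE = re.compile(r"Length:(\d+)")


def parse_tdi_line(line: str) -> Optional[TdiRecord]:
    """Parse one log line; return None for lines that do not fit the layout."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 9:
        return None
    seq, t, proc, _handle, op, local, remote, result, length = fields
    m = _LENGTH_RE.search(length)
    proto, _, local_addr = local.partition(":")  # "UDP:0.0.0.0:1025"
    if not m or not local_addr:
        return None
    try:
        return TdiRecord(int(seq), float(t), proc, op, proto, local_addr,
                         remote, result, int(m.group(1)))
    except ValueError:
        return None


def summarize_sends(lines: Iterable[str]) -> Dict[str, Dict[str, List[int]]]:
    """process -> remote endpoint -> [send count, bytes sent].

    Only TDI_SEND* operations count; receives are ignored. Failed sends are
    kept, since a bot flooding an unreachable host still shows up that way.
    """
    summary: Dict[str, Dict[str, List[int]]] = defaultdict(
        lambda: defaultdict(lambda: [0, 0]))
    for line in lines:
        rec = parse_tdi_line(line)
        if rec is None or not rec.operation.startswith("TDI_SEND"):
            continue
        entry = summary[rec.process][rec.remote]
        entry[0] += 1
        entry[1] += rec.length
    return summary


def flag_floods(summary: Dict[str, Dict[str, List[int]]],
                min_sends: int = 50) -> List[Tuple[str, str, int, int]]:
    """Return (process, remote, sends, bytes) for every process/endpoint pair
    with at least min_sends outbound packets, busiest first."""
    flagged = [(proc, remote, count, total)
               for proc, remotes in summary.items()
               for remote, (count, total) in remotes.items()
               if count >= min_sends]
    return sorted(flagged, key=lambda f: -f[2])


def constructed_sample_log() -> List[str]:
    """Constructed sample: the post's DNS lookup, a browser, and a
    hypothetical bot ("botsvc", placeholder name) flooding one host."""
    lines = [
        "9\t62.50008320\tPmmailw\t00040003\tTDI_SEND_DATAGRAM\tUDP:0.0.0.0:1025"
        "\t195.0.122.232:53\tSUCCESS\tLength:37",
        "10\t62.51000000\tPmmailw\t00040003\tTDI_RECEIVE_DATAGRAM\tUDP:0.0.0.0:1025"
        "\t195.0.122.232:53\tSUCCESS\tLength:120",
        "11\t63.00000000\tiexplore\t00040010\tTDI_SEND\tTCP:0.0.0.0:1031"
        "\t198.51.100.20:80\tSUCCESS\tLength:512",
    ]
    for i in range(100):
        lines.append(f"{12 + i}\t{63.1 + i * 0.01:.8f}\tbotsvc\t00040022"
                     f"\tTDI_SEND_DATAGRAM\tUDP:0.0.0.0:1040\t203.0.113.9:7"
                     f"\tSUCCESS\tLength:1024")
    return lines


if __name__ == "__main__":
    summary = summarize_sends(constructed_sample_log())
    for proc, remotes in summary.items():
        for remote, (count, total) in remotes.items():
            print(f"{proc:10s} -> {remote:20s} {count:4d} sends {total:7d} bytes")
    for proc, remote, count, total in flag_floods(summary):
        print(f"FLAG: {proc} sent {count} packets ({total} bytes) to {remote}")
```

The process name is only a lead: the next step, as the post says, is to locate the file(s) behind that process and watch them with regmon and filemon to see what the trojan touches.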