Penetration Testing mailing list archives

Re: Botnets


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 1 Apr 2009 11:56:48 -0400 (EDT)


On Thu, 26 Mar 2009, Aarón Mizrachi wrote:

On Wednesday 25 March 2009 01:22:14 M.D.Mufambisi wrote:
Hi Guys.

Can someone please explain to me how botnets use IRC? I want to make a
presentation to my group demonstrating this in my lab, which comprises
4 WinXP boxes, unpatched. How are commands issued via IRC?

Hi, I compiled some info on botnets from my forensics work... botnets are a new name
for an old technique: TROJANS

More specifically: widely spreadable trojans that can act as zombies or use your
computer for non-legitimate purposes...

A popular method (since Sub7 inclusive) is to make a reverse connection to a
public IRC server, which believes that you are a legitimate user of chatrooms.

Why botnets?

1st motivation: a useful way to bypass firewalls. When a bot/trojan makes a
connection to an IRC server, it connects like a normal user does. In the
past, firewalling only protected you against incoming connections, but
outgoing connections were allowed by default.


Not necessarily; firewalls can and often do control outgoing connections.
Allowing all outbound tends to be more a desktop thing, often employed by less technical folks, often on home PCs. Most companies tend to block at least some outgoing traffic.

I note a lot of FUD about firewalls and their abilities on this list in recent times...

Thanks,


Ron DuFresne
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame.    --Charlie Wilson
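As an added example, not written by anyone in this thread: the reply's point is that an inbound-only firewall never sees the bot's outbound IRC connection, while a default-deny egress policy with logging does. The script below applies such a policy to constructed firewall log lines (the log format, addresses and hosts are invented for this example) and reports the repeated connections to IRC ports that a bot rejoining its channel would produce.

```python
import re
from collections import Counter, namedtuple

# Constructed log format: one outbound connection attempt per line.
LOG_RE = re.compile(
    r"(?P<ts>\S+) OUT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")
Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed sample: a lab /24 where one host keeps reconnecting to an IRC port.
SAMPLE_LOG = """\
2009-04-01T11:50:01 OUT src=10.0.0.11 dst=93.184.216.34 proto=tcp dport=443
2009-04-01T11:50:07 OUT src=10.0.0.12 dst=10.0.0.1 proto=udp dport=53
2009-04-01T11:50:09 OUT src=10.0.0.13 dst=198.51.100.7 proto=tcp dport=6667
2009-04-01T11:51:09 OUT src=10.0.0.13 dst=198.51.100.7 proto=tcp dport=6667
2009-04-01T11:52:09 OUT src=10.0.0.13 dst=198.51.100.7 proto=tcp dport=6667
2009-04-01T11:52:30 OUT src=10.0.0.11 dst=203.0.113.5 proto=tcp dport=80
"""

# Egress allow-list (default deny): only these (proto, dport) pairs may leave the lab.
ALLOWED = {("udp", 53), ("tcp", 80), ("tcp", 443)}
# Conventional IRC port range plus common TLS/alternate ports.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

def parse_log(text):
    """Parse constructed log lines into Flow records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            flows.append(Flow(d["ts"], d["src"], d["dst"], d["proto"], int(d["dport"])))
    return flows

def egress_violations(flows, allowed=ALLOWED):
    """Flows an inbound-only firewall passes but a default-deny egress policy drops."""
    return [f for f in flows if (f.proto, f.dport) not in allowed]

def irc_beacons(flows, min_hits=3):
    """(src, dst, dport) triples with repeated TCP connections to IRC ports: the
    periodic reconnect pattern of a bot rejoining its command channel."""
    counts = Counter((f.src, f.dst, f.dport)
                     for f in flows if f.proto == "tcp" and f.dport in IRC_PORTS)
    return sorted(key for key, n in counts.items() if n >= min_hits)

if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for v in egress_violations(flows):
        print("egress deny:", v)
    print("suspected IRC beacons:", irc_beacons(flows))
```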