Penetration Testing mailing list archives

Re: Botnets


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 1 Apr 2009 13:00:29 -0430

On Wednesday 01 April 2009 11:26:48 you wrote:
> On Thu, 26 Mar 2009, Aarón Mizrachi wrote:
>> On Wednesday 25 March 2009 01:22:14 M.D.Mufambisi wrote:
>>> Hi Guys.
>>>
>>> Can someone please explain to me how botnets use IRC? I want to make a
>>> presentation to my group demonstrating this in my lab which comprises
>>> of 4 winxp boxes. Unpatched. How are commands issued via IRC?
>>
>> Hi, I compiled some info on botnets in my forensics... botnets are a new
>> name for an old technique: TROJANS
>>
>> More specifically: widely spreadable trojans that can act as zombies or use
>> your computer for non-legitimate purposes...
>>
>> A popular method (SINCE SUB7 INCLUSIVE) is to make a reverse connection to
>> a public IRC server, which believes that you are a legitimate user of
>> chatrooms.
>>
>> Why botnets?
>>
>> 1st motivation: a useful way to bypass firewalls. When a bot/trojan makes a
>> connection to an IRC server, it connects like a normal user does; in the
>> past, firewalling only protected you against incoming connections, but
>> outgoing connections were allowed by default.
>
> Not necessarily, firewalls can and often do control outgoing connections.
> Allowing all outbound tends to be more a desktop thing often employed by
> less technical folks often on home PCs.

Heh, you are right, but I think you miss the point of my comment.

We are talking about IRC botnets... The owner of the botnet commonly uses the
bots for DDoS attacks, distributed password cracking, or something like that.

Since... I was talking about home desktop PCs used for this purpose,
using a common setup.

The goal of the bot owner can be reached with home PCs.

> Most companies tend to block at
> least some outgoing traffic.

Indeed. Companies can block some outgoing traffic. It depends on the policy,
but there are two _common_ important holes in the outgoing traffic:

- Port TCP 443 (an IRC SSL server can safely run on this port)
- DNS (TCP/UDP 53)

There are also DNS botnets, which can use DNS resolution information to receive
commands... or send a reply... (with methods like iodine and others).

I have seen before a network with 443 blocked or MITM'd, and DNS limited, but:

- 443 MITM represents a security risk.
- Blocking 443 will help you with security, but it'll decrease the usability of
the internet.
- Limiting DNS will also decrease the usability of the internet.

Also, I have seen before a botnet pattern detector, but I have also seen botnets
using random patterns and... "the delegate model"...

But that is not the case under study... because the goal of an attacker is to
infect easy computers, not a bunker network.

> I note a lot of FUD about firewalls and their abilities in this list in
> recent times...

What is the real risk that you have to measure if you are talking from the
company's point of view?

I already assume that you are botnet-free...
but, at this point, we are not safe from botnets...

DDoS against the company may be possible: application resource starvation,
bandwidth starvation, distributed computing against you, whatever.

> Thanks,
>
> Ron DuFresne
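The two "common holes" named in the reply (IRC carried over TCP 443 and DNS used as a covert channel, iodine-style) are the egress paths a defender would want to watch. The following is an added example, not code from the list thread or from any project it mentions: a small Python checker that runs the two corresponding heuristics over constructed log records. The record layout, the IP addresses, the domain names, the threshold values and the base64-looking labels are all assumptions made up for this example.

```python
"""Egress-channel checks for the two holes discussed in the thread:
IRC-style command traffic leaving on TCP 443 and DNS used as a covert
channel. Added example; the log format and every record below are
constructed for illustration, not taken from any real capture."""

import math
import re
from collections import defaultdict

# Constructed flow records: (source IP, destination port, first bytes sent).
CONN_LOG = [
    # A genuine TLS ClientHello (record type 0x16, version 0x03xx) on 443.
    ("10.0.0.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # Cleartext IRC registration sequence on 443: not TLS at all.
    ("10.0.0.7", 443, b"NICK zombie7\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\n"),
    # IRC on its usual port; flagged by the protocol heuristic only.
    ("10.0.0.9", 6667, b"PRIVMSG #cmd :hello\r\n"),
]

# Constructed DNS query records: (source IP, queried name).
DNS_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    # Long, high-entropy leftmost labels under one base domain: the shape
    # that tunnelling tools produce when they encode data into queries.
    ("10.0.0.8", "aGVsbG8gd29ybGQgdGhpcyBpcyBh.t.example.net"),
    ("10.0.0.8", "Y29tbWFuZCBhbmQgY29udHJvbCBk.t.example.net"),
    ("10.0.0.8", "dGhlIHF1aWNrIGJyb3duIGZveCBq.t.example.net"),
]

# IRC client commands at the start of a line, as a bot registering or talking.
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|NOTICE|MODE|PING|PONG)\b",
                     re.MULTILINE)


def looks_like_tls(payload: bytes) -> bool:
    """True if the first bytes form a TLS handshake record header."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def flag_irc_flows(conn_log):
    """Return (src, dport, reasons) for flows that carry cleartext IRC
    commands or that use port 443 without speaking TLS."""
    findings = []
    for src, dport, payload in conn_log:
        reasons = []
        if IRC_CMD.search(payload):
            reasons.append("irc-commands-in-cleartext")
        if dport == 443 and not looks_like_tls(payload):
            reasons.append("non-tls-on-443")
        if reasons:
            findings.append((src, dport, reasons))
    return findings


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(name: str) -> str:
    """Naive registrable-domain guess: the last two labels. A production
    tool would use the public suffix list instead (assumption)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_dns_tunnels(dns_log, min_queries=3, min_label_len=20, min_entropy=3.5):
    """Group queries by base domain and flag those whose distinct leftmost
    labels are both long and high-entropy on average. Thresholds are
    assumed starting points, not calibrated values."""
    per_base = defaultdict(list)
    for _src, qname in dns_log:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:          # no subdomain label to inspect
            continue
        per_base[base_domain(qname)].append(labels[0])

    suspicious = {}
    for base, labels in per_base.items():
        unique = set(labels)
        if len(unique) < min_queries:
            continue
        avg_len = sum(len(l) for l in unique) / len(unique)
        avg_ent = sum(shannon_entropy(l) for l in unique) / len(unique)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            suspicious[base] = {"unique_subdomains": len(unique),
                                "avg_label_len": round(avg_len, 1),
                                "avg_entropy": round(avg_ent, 2)}
    return suspicious


if __name__ == "__main__":
    for src, dport, reasons in flag_irc_flows(CONN_LOG):
        print(f"flow {src} -> :{dport} flagged: {', '.join(reasons)}")
    for base, stats in flag_dns_tunnels(DNS_LOG).items():
        print(f"dns base domain {base} flagged: {stats}")
```

The 443 check only catches the cleartext case; once the bot really speaks TLS (which is exactly why the reply calls 443 a hole) the payload heuristic sees a normal ClientHello, and you are left with the volume and entropy side of the problem, which is what the DNS part illustrates. Both thresholds will need tuning against your own baseline, and the naive base-domain split will misgroup names under multi-label public suffixes.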



