Penetration Testing mailing list archives
Re: Botnets
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 1 Apr 2009 13:00:29 -0430
On Wednesday 01 April 2009 11:26:48 you wrote:

> On Thu, 26 Mar 2009, Aarón Mizrachi wrote:
>
> > On Wednesday 25 March 2009 01:22:14 M.D.Mufambisi wrote:
> >
> > > Hi Guys. Can someone please explain to me how botnets use IRC? I want to make a presentation to my group demonstrating this in my lab, which comprises 4 WinXP boxes, unpatched. How are commands issued via IRC?
> >
> > Hi, I compiled some info on botnets in my forensics... Botnets are a new name for an old technique: TROJANS. More specifically: widely spreadable trojans that can act as zombies or use your computer for non-legitimate purposes... A popular method (SINCE SUB7 INCLUSIVE) is to make a reverse connection to a public IRC server, which believes that you are a legitimate user of chatrooms. Why botnets? 1st motivation: a useful way to bypass firewalls. When a bot/trojan makes a connection to an IRC server, it connects like a normal user does. In the past, firewalling only protected you against incoming connections, but outgoing connections are allowed by default.
>
> Not necessarily, firewalls can and often do control outgoing connections. Allowing all outbound tends to be more a desktop thing, often employed by less technical folks, often on home PCs.

Heh, you are right, but I think you miss the point of my comment. We are talking about IRC botnets... The owner of the botnet commonly uses the bots for DDoS attacks, distributed password cracking, or something like that. Since... I was talking about home desktop PCs used for this purpose, using a common setup. The goal of the bot owner can be reached with home PCs.

> Most companies tend to block at least some outgoing traffic.

Indeed. Companies can block some outgoing traffic. It depends on the policy, but there are two _common_ important holes in the outgoing traffic:

- Port TCP 443 (an IRC SSL server can safely run on this port)
- DNS (TCP/UDP 53)

There are also DNS botnets, which can use DNS resolution information to receive commands... or send a reply... (with methods like iodine and others). I have seen before a network with 443 blocked or MITM'd, and DNS limited, but:

- 443 MITM represents a security risk.
- Blocking 443 will help you with security, but it'll decrease the usability of the internet.
- Limiting DNS will also decrease the usability of the internet.

Also I have seen before a botnet pattern detector, but I have also seen before botnets using random patterns and... "the delegate model"... But that is not the case of study... because the goal of an attacker is to infect easy computers, not a bunker network.

> I note a lot of FUD about firewalls and their abilities in this list in recent times...

What is the real risk that you have to measure if you are talking from the company point of view? I already assume that you are botnet-free... but, at this point, we are not safe from botnets... DDoS against the company can be possible, application resource starvation, bandwidth starvation, distributed computing against you, whatever.

> Thanks, Ron DuFresne
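The two egress holes discussed in the message above (TCP/443 and DNS) are hard to close without hurting usability, so a defender usually ends up looking for tunnelled command traffic in resolver logs instead. The following Python script is an added example, not code from the thread or any of its participants: it scores DNS query logs for the shape that iodine-style DNS tunnels leave behind, namely many unique, high-entropy subdomains under one registered domain from a single client, and a skew towards record types (TXT, NULL, CNAME) that carry bulk data. The log format, the sample lines and the thresholds are all constructed for the example, and the "last two labels are the registered domain" rule is a simplification (a real deployment would consult a public-suffix list).

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (not from the thread): "<timestamp> <client> <qtype> <qname>".
# 10.0.0.5 and 10.0.0.9 do ordinary browsing; 10.0.0.7 shows the shape of a
# DNS tunnel: one encoded, high-entropy label per query under a single domain.
SAMPLE_LOG = """
2009-04-01T13:00:01 10.0.0.5 A    www.example.com
2009-04-01T13:00:02 10.0.0.5 A    mail.example.com
2009-04-01T13:00:02 10.0.0.5 AAAA www.example.com
2009-04-01T13:00:03 10.0.0.9 A    cdn-assets.example.org
2009-04-01T13:00:04 10.0.0.7 TXT  4a7f2c9e1b0d3f8a6c5e2d1b.t.example-tunnel.net
2009-04-01T13:00:05 10.0.0.7 TXT  9c3e1f7b2a8d4e6c0b5f3a9d.t.example-tunnel.net
2009-04-01T13:00:05 10.0.0.7 NULL b7d1e5f9a3c8e2f6a0b4c7d9.t.example-tunnel.net
2009-04-01T13:00:06 10.0.0.7 TXT  6e2a9f4c1d7b3e8f5a0c2d9b.t.example-tunnel.net
2009-04-01T13:00:07 10.0.0.7 TXT  1f8c3a6e0b9d2f5a7c4e1d8b.t.example-tunnel.net
2009-04-01T13:00:07 10.0.0.7 NULL d4b8e3a7f0c2e9b5a1d6f3c8.t.example-tunnel.net
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")
BULK_QTYPES = {"TXT", "NULL", "CNAME"}   # record types tunnels favour for payload


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname):
    """Assumption: the last two labels are the registered domain (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character; encoded payload labels sit near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(records, min_unique=5, min_entropy=3.0, bulk_ratio=0.5):
    """Group queries by (client, registered domain) and flag groups that look like a tunnel."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registered_domain(r["qname"]))].append(r)

    findings = {}
    for (client, domain), recs in groups.items():
        subs = set()
        entropies = []
        bulk = 0
        for r in recs:
            sub = r["qname"][: -len(domain)].rstrip(".")   # everything left of the domain
            if sub:
                subs.add(sub)
                entropies.append(shannon_entropy(sub.replace(".", "")))
            if r["qtype"] in BULK_QTYPES:
                bulk += 1
        mean_entropy = sum(entropies) / len(entropies) if entropies else 0.0
        reasons = []
        # Signal 1: lots of distinct, random-looking subdomains under one domain.
        if len(subs) >= min_unique and mean_entropy >= min_entropy:
            reasons.append(f"{len(subs)} unique subdomains, mean entropy {mean_entropy:.2f} bits")
        # Signal 2: the same client leans on record types that carry bulk data.
        if len(subs) >= min_unique and bulk / len(recs) >= bulk_ratio:
            reasons.append(f"{bulk}/{len(recs)} queries use bulk-data record types")
        if reasons:
            findings[(client, domain)] = {"unique_subdomains": len(subs),
                                          "mean_entropy": round(mean_entropy, 2),
                                          "bulk_queries": bulk, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (client, domain), f in analyse(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: " + "; ".join(f["reasons"]))
```

Run against the constructed log, only the 10.0.0.7 / example-tunnel.net group is reported; the browsing clients never reach the unique-subdomain threshold, which is what keeps ordinary CDN and mail lookups out of the alert. The thresholds are deliberately conservative so the check can run on a whole day of resolver logs without drowning the analyst in false positives.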
------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute No time or budget for traveling to a training course in this fiscal year? Check out the online penetration testing courses available at InfoSec Institute. More than a boring "talking head", train in our virtual labs for a total hands-on training experience. Get the certs you need as well: CEH, CPT, CEPT, ECSA, LPT. http://www.infosecinstitute.com/request_online_training.html ------------------------------------------------------------------------
Current thread:
- RE: Botnets Wong Yu Liang (Apr 03)
- RE: Botnets R. DuFresne (Apr 14)
- <Possible follow-ups>
- Re: Botnets M.D.Mufambisi (Apr 03)
- Re: Botnets Renaud Bidou (Apr 03)
- Re: Botnets R. DuFresne (Apr 03)
- Re: Botnets Aarón Mizrachi (Apr 03)
- Message not available
- Re: Botnets Aarón Mizrachi (Apr 14)
- --++[Preventing the spread of USB malware]++-- Marcus Vinicius (Apr 14)
- Re: --++[Preventing the spread of USB malware]++-- Shreyas Zare (Apr 14)
- Re: --++[Preventing the spread of USB malware]++-- Nathan Sportsman (Apr 15)
- Message not available
- Re: --++[Preventing the spread of USB malware]++-- Marcus Vinicius (Apr 15)
- Message not available
- Re: --++[Preventing the spread of USB malware]++-- Marcus Vinicius (Apr 15)
- Re: Botnets Aarón Mizrachi (Apr 03)
- Message not available
- Re: --++[Preventing the spread of USB malware]++-- Shreyas Zare (Apr 15)
- Message not available
- Re: --++[Preventing the spread of USB malware]++-- Shreyas Zare (Apr 16)
- Re: --++[Preventing the spread of USB malware]++-- Razi Shaban (Apr 14)
- Re: Botnets R. DuFresne (Apr 14)