Observing Botnets with Honeynets
Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It also introduces the tools "mwcollect" and "drone" which can be used for collecting and tracking Botnet activity. Nice to read and looking forward to the release of these tools."
Coral link here.
When posting stories that link to small(ish) sites, please append nyud.net:8090 to the hostname: It makes the Coral cache system cache the data. They have some tens of servers worldwide to alleviate the load on the original site.
Also please load the site through Coral first before you submit the story. That way, Coral's caches are already filled, and the load on the main server can be even lighter.
Support a Europe-related section on Slashdot!
For those of you that use Snort as an Intrusion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort
Look for the IRC rules for non-standard ports. Very easy to run.
The bot-nets themselves? No. But according to TFA at least one of the programs used to create the nets is released under the GPL.
"Your admirers in the street
Got to hoot and stamp their feet
in the heat from your physique" -King Crimson
SSH is more than secure if you REQUIRE the use of private and public keys as well as a passphrase for the key. It's plain text logins that are the problem. If they don't have a key they can bang their heads against that wall all they want. Make sure to explicitly allow the accounts that are authorized to access via SSH and forbid all the others.
Sounds like you came to our channel. I don't know about you, but when we get questions like "how do I install an irc server on my root?" we get pissed off. We get a half dozen people a day who try to use the l33t sk1llz on us that they picked up from #rohack, then curse at us in gibberish when it doesn't work and we won't help them with it. Not to mention the hourly trolls and so on.
Our channel has a policy. If you want someone to lead you gently by your dick, cry to your momma. If you've read ESR's How to Ask Questions The Smart Way and your question looks like you put a modicum of thought into it, then if someone's available who knows how to deal with it, it will get answered. That means if we get another loser asking us "bash: gcc: command not found, what this mean?????" (actual channel quote) you WILL be abused and removed.
The whole purpose was to gather evidence and details of the botnets. If you don't understand how the bots work, then it is hard to find how to defend against them. By knowing the targets, the goals and how they communicate you can both detect them on a network, and defend against them (for example, if you administer a corporate network, having the signatures of a bot with Snort can be quite useful in intercepting bot traffic). The other interesting thing was that the bot nets use IRC channels to communicate. If they didn't do this little project, then the communication methods wouldn't be understood. The value of having this information is far more useful than deleting the bot off a computer. Saying that you should delete them is akin to telling anti-virus firms that they should merely delete the virii and not study them at all.
The views expressed are my own and do not express the views of my employer.
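The check that the Snort comment and the last comment both describe (IRC commands showing up on a port where IRC is not expected, the idea behind the BleedingSnort non-standard-port rules) as an added Python example, not a rule from BleedingSnort or code from the Honeynet paper; the flow records are constructed samples, and the port list is an assumption about where legitimate IRC lives.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator

# Assumed ports where IRC is expected to live; IRC commands seen on any other
# port are worth a closer look.
STANDARD_IRC_PORTS = frozenset(range(6660, 6670)) | {6697, 7000}

# IRC commands at the start of a line, optionally prefixed with ":source ", and
# followed by a space or line end so that e.g. the HTTP header "User-Agent:"
# does not match as a USER command.
IRC_CMD = re.compile(
    rb"^(?::\S+ )?(NICK|USER|JOIN|PART|PRIVMSG|NOTICE|TOPIC|PING|PONG)(?=[ \r\n])",
    re.IGNORECASE | re.MULTILINE,
)

@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection, as a capture tool might summarise it."""
    src: str
    dst: str
    dport: int
    payload: bytes

def irc_commands(payload: bytes) -> list[str]:
    """Return the IRC commands found in a payload, in wire order, upper-cased."""
    return [m.group(1).upper().decode() for m in IRC_CMD.finditer(payload)]

def nonstandard_irc(flows: Iterable[Flow]) -> Iterator[tuple[Flow, list[str]]]:
    """Yield flows that carry IRC commands to a port where IRC is not expected."""
    for flow in flows:
        cmds = irc_commands(flow.payload)
        if cmds and flow.dport not in STANDARD_IRC_PORTS:
            yield flow, cmds

# Constructed sample flows (not from the paper): a bot registering with its
# controller on port 3267, a normal IRC session, an HTTP request on 8080, and
# the bot answering a keep-alive on the same odd port.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 3267,
         b"NICK [XP]-4821\r\nUSER xp 0 * :xp\r\nJOIN #botchan\r\n"),
    Flow("10.0.0.8", "198.51.100.2", 6667, b"NICK alice\r\nJOIN #linux\r\n"),
    Flow("10.0.0.9", "198.51.100.9", 8080,
         b"GET / HTTP/1.1\r\nHost: example\r\nUser-Agent: curl/7.0\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.7", 3267, b"PONG :c2.example\r\n"),
]

def report(flows: Iterable[Flow] = SAMPLE_FLOWS) -> list[tuple[str, int, list[str]]]:
    """Summarise hits as (destination, port, commands) for an alert or log line."""
    return [(f.dst, f.dport, cmds) for f, cmds in nonstandard_irc(flows)]

if __name__ == "__main__":
    for dst, port, cmds in report():
        print(f"IRC on non-standard port {port} to {dst}: {' '.join(cmds)}")
```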