
BOTS


Presentation Transcript


  1. BOTS: The Creation of a Botnet Tracking Web Application. Micah Hoffman, US-CERT

  2. What is it?
  • Apache/PHP/PostgreSQL web application
  • It slices. It dices! It tracks:
    • Bots (both servers and clients)
    • Bot protocols (e.g., HTTP, IRC, …)
    • Net info lookups: IP, IP block, DNS registrar, DNS registrant and their parent's information
    • Suspects/perpetrators
    • Stakeholders of infected machines

  3. But why do we need it?
  • Standardize input of data
    • Same person; 2 emails; 30 minutes apart:
      • "Another botnet c&c dns rr… please terminate it."
      • "Anoter botnet c&c dns rr… please shut down it."
    • Responses from people terminating a botnet C&C:
      • "Closed"
      • "This one is being taken care of."
      • "This host has been nuked."
  • Tracking of "reports" through all stages
    • Similar to a help-desk ticketing system (open, assigned, closed)

  4. Are there other reasons?
  • More secure transmission of data
    • HTTPS vs. unencrypted email
  • Maintains history of past events for analysis
    • Has IP 1.2.3.4 been infected more than once?
    • Find patterns in infections
    • Find patterns in suspects (like Zone-H)
  • Trends
  • Pretty graphs and charts!
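As an added illustration (not the BOTS project's own schema or code), a minimal PostgreSQL sketch of the entities slides 2 and 3 describe, with the ticket states from slide 3 enforced as constraints and the repeat-infection question from slide 4 answered as a query; every table and column name here is an assumption.

```sql
-- Added example, not the BOTS project's own schema; all names are assumptions.
CREATE TYPE report_status AS ENUM ('open', 'assigned', 'closed');

CREATE TABLE bot_protocol (
    id   serial PRIMARY KEY,
    name text NOT NULL UNIQUE              -- e.g. 'HTTP', 'IRC'
);

CREATE TABLE bot (
    id          serial PRIMARY KEY,
    ip          inet NOT NULL,              -- native IP type: block queries with <<, no string matching
    role        text NOT NULL CHECK (role IN ('server', 'client')),
    protocol_id integer NOT NULL REFERENCES bot_protocol(id)
);

CREATE TABLE report (
    id          serial PRIMARY KEY,
    bot_id      integer NOT NULL REFERENCES bot(id),
    status      report_status NOT NULL DEFAULT 'open',
    assigned_to text,
    opened_at   timestamptz NOT NULL DEFAULT now(),
    closed_at   timestamptz,
    -- state consistency: 'assigned' needs an owner, 'closed' needs a close time
    CHECK (status <> 'assigned' OR assigned_to IS NOT NULL),
    CHECK ((status = 'closed') = (closed_at IS NOT NULL))
);

-- Constructed sample data (RFC 5737 documentation addresses)
INSERT INTO bot_protocol (name) VALUES ('IRC'), ('HTTP');
INSERT INTO bot (ip, role, protocol_id) VALUES
    ('192.0.2.10',   'client', 1),
    ('198.51.100.7', 'server', 2);
INSERT INTO report (bot_id, status, assigned_to, opened_at, closed_at) VALUES
    (1, 'closed',   'analyst1', now() - interval '30 days', now() - interval '29 days'),
    (1, 'open',     NULL,       now(),                      NULL),
    (2, 'assigned', 'analyst2', now(),                      NULL);

-- Slide 4: has this IP been reported infected more than once?
SELECT b.ip, count(*) AS reports, min(r.opened_at) AS first_seen, max(r.opened_at) AS last_seen
FROM report r JOIN bot b ON b.id = r.bot_id
GROUP BY b.ip
HAVING count(*) > 1;

-- Everything still open or in progress inside one block, for targeted notification
SELECT b.ip, r.status, r.assigned_to
FROM report r JOIN bot b ON b.id = r.bot_id
WHERE r.status <> 'closed' AND b.ip << '192.0.2.0/24';
```

Putting the ticket-state rules into CHECK constraints means the PHP front end cannot record a "closed" report without a close time, whichever code path writes it.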

  5. How will it make us work more efficiently?
  • All talking the same language
  • Targeted notifications (info comes to you)
  • Trending
  • Pretty graphs and charts!

  6. How far along are you?
  • As of today:
    • DB schema is complete
    • Working on web application logic
    • Working on coding the PHP front end

  7. What are the future capabilities of BOTS?
  • Automated submission of entries through XML-RPC (security issues)
  • RSS feed of the data (security issues)
  • Automated notification of new entries to interested parties (how?)
  • Automated penetration of botnet (interesting…)
  • Malware archive?
  • Daily/weekly DB dumps available for download (like http://osvdb.org/database-info.php)

  8. So, can I have the URL to the live site?
  • Uh… no.
  • Still coding it.
  • For more information, access to the site (when it goes live), or to offer assistance with PHP coding, DB maintenance, or other issues, contact micah.hoffman@us-cert.gov
