The spam of the internet these days are totally controlled by botnets. Trojans specically built to hide themselves on unknowing users systems and provide all the resources of that system to the botnet controller.
Generally the drones (botnet single nodes) connect to an IRC server or p2p network such as edonkey.. Using a central hub design. This allows the botnet controller to issue a single command to control all the bots, sometimes in the hundreds of thousands. These drones spread via all methods including social engineering, email and scanning/exploiting of known security holes in the destination operating system.
I have decided in my spare time to build some infrastructure in virtual machines to capture drones, analyze drones and most importantly isolate them from the rest of my private network. Nepenthes is a great honeypot that captures all exploit attempts, this includes drone installation attempts.
I have designed the following virtual network to accomplish the task.
internet > smoothwall 3.0 > debian 4.0 r5 (running nepenthes)
> Windows XP SP3
I have setup firewall rules on the smoothwall to block both interfaces from my private network and only allow specific traffic back to the internet. For example we dont want to be analyzing the drone and get involved in a ddos attack by a command issued to all drones (my test drone included).
So now I sit and wait, my nepenthes box is sitting waiting for incoming exploit attempts. Finally a binary is downloaded and saved. At this stage I transfer the binary to my XP vm, I start my packet sniffers (wireshark) and something to monitor all the system changes its making (procmon). I launch the binary and monitor what happens.
The first binary I found I was able to trace back to an irc server and within a few hours found a botnet controller issuing commands to the botnet. One mass die command later and 500 hosts are virus free. While this was a very primative botnet it has been alot of fun analyzing how these run.. I will leave my nepenthes box running to collect more samples from the wild to analyze.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment