Learning about Bots
Pedro's diary entry yesterday on malicious file names reminded me that I wanted to point everybody again at the BotHunter honeynet web site. There's a lot of new information there, beyond just the lists of evil IP addresses and DNS look-ups. Check out Behavioral Clusters, where you'll see that with over 6000 infections caught in the honeynet there are only about a dozen bot profiles. If you look at the daily catch (for example, September 15 vs September 14) you'll see that the behavioral cluster doesn't show up immediately but eventually gets updated. On September 14 the majority of the infections are "Aug-Sept-A" clusters and all are easily detected by various Snort rules and AntiVirus signatures.
Another interesting tool is the geographic distribution of infection sources for a particular malware binary. For example, the first infection for September 15 has a malware hash of a12cab51ef. In the column labeled "Packed Malware Binary" you'll see a link to [Firefox:203 hits: 05-01 to 09-02]. If you follow that link you'll see a Google map that shows the infection sources for this particular piece of malware over the past few months. Of course, the accuracy of the dots on the Google map depends on the accuracy of the ARIN, RIPE, APNIC, AFNIC, and LACNIC databases which as we know are all highly accurate and dependable. :)
If you enjoy looking at the automated output of the honeynet, be sure to download a copy of the BotHunter program itself and run it inside your own environment. This is a government funded research project so there is no charge for the public distribution.
Marc Sachs
Director, SANS Internet Storm Center