EFFECTS: the results can be devastating, including:
- DDoS: a bombardment of requests, packets or traffic that renders systems or the network inoperable
- email spam, which is annoying in itself but quickly leads to malicious or exploitation software and remote control of systems
- keyloggers (identity theft)
- spyware and the like, which can lead to data exfiltration
- adware that alters web pages, or click fraud that redirects traffic
- DNS manipulation that misdirects requests, leading back to phishing and malware
- IRC chat networks, and of course worms that propagate across networks and systems
PREVENTION can include knowing your environment, baselining network and application traffic for behaviour analysis, keeping software and patching current, and cyber awareness training.
IDENTIFICATION typically includes:
- anomalies in traffic patterns
- IRC traffic (port 6667)
- outbound SMTP traffic on port 25, indicating spamming
- port 1080 traffic, indicating proxy servers
- unusual DNS requests
- C&C (Command and Control) triggers, which next-gen firewalls and AV should provide
- increased pop-ups
- a spike in CPU or network usage
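To make the indicators above concrete, here is an added example (not from the original post) that scans flow records for the port-based signs listed (IRC on 6667, outbound SMTP on 25 from anything other than the mail relay, proxy port 1080) and for a DNS request volume well above a baseline. The flow records, the relay address and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (src, dst, dport, proto). Not real traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 6667, "tcp"),    # IRC to an external host
    ("10.0.0.5", "203.0.113.9", 6667, "tcp"),
    ("10.0.0.7", "198.51.100.20", 25, "tcp"),    # direct SMTP from a workstation
    ("10.0.0.2", "198.51.100.20", 25, "tcp"),    # the sanctioned mail relay, expected
    ("10.0.0.9", "192.0.2.44", 1080, "tcp"),     # SOCKS proxy port
]
SAMPLE_FLOWS += [("10.0.0.7", "10.0.0.53", 53, "udp")] * 120   # DNS burst from one host
SAMPLE_FLOWS += [("10.0.0.8", "10.0.0.53", 53, "udp")] * 15    # normal DNS volume

MAIL_RELAYS = {"10.0.0.2"}                     # assumed: hosts allowed to send SMTP
PORT_RULES = {6667: "irc-traffic", 1080: "proxy-port"}


def analyze_flows(flows, mail_relays=MAIL_RELAYS, dns_baseline=20, dns_factor=3):
    """Return {host: sorted list of indicator names} for hosts that match.

    dns_baseline is the expected per-host DNS query count for the window
    (an assumed figure from prior baselining); a host exceeding
    dns_baseline * dns_factor is reported as a DNS spike.
    """
    findings = defaultdict(set)
    dns_counts = defaultdict(int)
    for src, dst, dport, proto in flows:
        if dport in PORT_RULES:                      # IRC or proxy port
            findings[src].add(PORT_RULES[dport])
        elif dport == 25 and src not in mail_relays: # spam-style direct SMTP
            findings[src].add("outbound-smtp")
        elif dport == 53 and proto == "udp":         # count DNS per host
            dns_counts[src] += 1
    for host, count in dns_counts.items():
        if count > dns_baseline * dns_factor:
            findings[host].add("dns-spike")
    return {host: sorted(names) for host, names in findings.items()}


if __name__ == "__main__":
    for host, names in sorted(analyze_flows(SAMPLE_FLOWS).items()):
        print(f"{host}: {', '.join(names)}")
```

The mail relay 10.0.0.2 is not reported because its SMTP traffic is expected; the point of baselining is that the same port is an indicator on one host and normal on another.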
ERADICATION is via botnet removal software, including the freeware BotHunter, Kaspersky, BotRevolt and others, plus rootkit detection and clean-up packages. IP address blocking, reputation blocking and honeypots can help in this scenario. That said, a plethora of vendor packages, some sold under the term Next-Gen Endpoint Protection, address the detection, isolation and eradication of botnets...
Known botnets: Agobot, SDbot, mIRC-based; DSNX, q8, kaiten, Perl-based; Grum, Zeus, Conficker, Torpig, Sality, Cutwail, Tinba, Upatre, Ramnit, Windigo, Beehonem, Glupteba, ZeroAccess.
Also, a useful reference resource: SANS.