The Creation of a Botnet Tracking Web Application

Micah Hoffman, US-CERT
July 26, 2005
                    What is it?
• Apache/PHP/PostgreSQL Web application
• It slices. It dices! It tracks:
     • Bots (both servers and clients)
     • Bot protocols (e.g., HTTP, IRC, …)
     • Net info lookups: IP, IP block, DNS registrar, DNS registrant and their parent's information
     • Suspects/Perpetrators
     • Stake-holders of infected machines

                     But why do we need it?
• Standardize input of data
     • Same person; 2 emails; 30 minutes apart
           • “Another botnet c&c dns rr… please terminate it.”
           • “Anoter botnet c&c dns rr… please shut down it.”
     • Responses from people terminating a botnet C&C
           • “Closed”
           • “This one is being taken care of.”
           • “This host has been nuked.”
• Tracking of “reports” through all stages
           • Similar to a help-desk ticketing system (open, assigned, closed)

                   Are there other reasons?
• More secure transmission of data
     • HTTPS vs. unencrypted email
• Maintains history of past events for analysis
     • Has an IP been infected more than once?
     • Find patterns in infections
     • Find patterns in suspects (like Zone-H)
     • Trends
     • Pretty graphs and charts!
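The two preceding slides describe the core of the application: a fixed vocabulary for incoming data, a help-desk-style life cycle for each report (open, assigned, closed), and a history that can answer questions such as "has this IP been infected more than once?". The PostgreSQL schema below is an added example of how those requirements map onto tables; it is not the project's own schema (which is not shown on this page), and every table, column, type and function name in it is an assumption. Status values are an enumerated type so that free-text responses like "Closed" and "This host has been nuked." cannot enter the database, a trigger enforces the ticket workflow and writes the audit trail, and the final query is the repeat-infection check.

```sql
-- Added example (not the BOTS project's schema). All names are assumptions.
-- PostgreSQL syntax; sample data assumes serial ids start at 1 in a fresh DB.

CREATE TYPE bot_role      AS ENUM ('server', 'client');
CREATE TYPE report_status AS ENUM ('open', 'assigned', 'closed');  -- fixed vocabulary

CREATE TABLE protocol (
    id   serial PRIMARY KEY,
    name text NOT NULL UNIQUE                          -- 'IRC', 'HTTP', ...
);

CREATE TABLE netinfo (
    id             serial PRIMARY KEY,
    ip             inet NOT NULL,
    ip_block       cidr NOT NULL,
    dns_registrar  text,
    dns_registrant text,
    parent_id      integer REFERENCES netinfo(id)      -- parent block / registrant
);

CREATE TABLE contact (                                 -- suspects, stake-holders, analysts
    id    serial PRIMARY KEY,
    name  text NOT NULL,
    email text,
    kind  text NOT NULL CHECK (kind IN ('suspect', 'stakeholder', 'analyst'))
);

CREATE TABLE bot (
    id          serial PRIMARY KEY,
    role        bot_role NOT NULL,                     -- C&C server or infected client
    protocol_id integer NOT NULL REFERENCES protocol(id),
    netinfo_id  integer NOT NULL REFERENCES netinfo(id),
    first_seen  timestamptz NOT NULL DEFAULT now()
);

CREATE TABLE report (                                  -- one "ticket" per sighting
    id          serial PRIMARY KEY,
    bot_id      integer NOT NULL REFERENCES bot(id),
    status      report_status NOT NULL DEFAULT 'open',
    assignee_id integer REFERENCES contact(id),
    opened_at   timestamptz NOT NULL DEFAULT now(),
    closed_at   timestamptz,
    CHECK (status = 'open'    OR assignee_id IS NOT NULL),
    CHECK (status <> 'closed' OR closed_at   IS NOT NULL)
);

CREATE TABLE report_history (                          -- audit trail of every transition
    report_id  integer NOT NULL REFERENCES report(id),
    old_status report_status NOT NULL,
    new_status report_status NOT NULL,
    changed_at timestamptz NOT NULL DEFAULT now()
);

-- Enforce open -> assigned -> closed; a closed report cannot be reopened.
CREATE FUNCTION report_status_guard() RETURNS trigger AS $$
BEGIN
    IF OLD.status = 'closed' THEN
        RAISE EXCEPTION 'report % is closed', OLD.id;
    ELSIF OLD.status = 'open' AND NEW.status = 'closed' THEN
        RAISE EXCEPTION 'report % must be assigned before it is closed', OLD.id;
    END IF;
    IF NEW.status = 'closed' THEN
        NEW.closed_at := now();                        -- BEFORE trigger: runs before the CHECK
    END IF;
    INSERT INTO report_history (report_id, old_status, new_status)
        VALUES (OLD.id, OLD.status, NEW.status);
    RETURN NEW;
END
$$ LANGUAGE plpgsql;

CREATE TRIGGER report_status_trg
    BEFORE UPDATE OF status ON report
    FOR EACH ROW WHEN (OLD.status IS DISTINCT FROM NEW.status)
    EXECUTE PROCEDURE report_status_guard();

-- Constructed sample data: one IRC C&C server reported twice from the same address.
INSERT INTO protocol (name) VALUES ('IRC');
INSERT INTO netinfo (ip, ip_block) VALUES ('192.0.2.10', '192.0.2.0/24');
INSERT INTO contact (name, email, kind) VALUES ('analyst', 'analyst@example.org', 'analyst');
INSERT INTO bot (role, protocol_id, netinfo_id) VALUES ('server', 1, 1);
INSERT INTO report (bot_id) VALUES (1), (1);
UPDATE report SET status = 'assigned', assignee_id = 1 WHERE id = 1;
UPDATE report SET status = 'closed' WHERE id = 1;     -- allowed: assigned -> closed
-- UPDATE report SET status = 'closed' WHERE id = 2;  -- rejected: open -> closed

-- "Has this IP been infected more than once?"
SELECT n.ip, count(*) AS reports
FROM report r
JOIN bot     b ON b.id = r.bot_id
JOIN netinfo n ON n.id = b.netinfo_id
GROUP BY n.ip
HAVING count(*) > 1;
```

The enum and the CHECK constraints are what "standardize input" means at the storage layer: the PHP front end can only offer the three states, and a report cannot be marked assigned without an assignee or closed without a timestamp. Keeping transitions in report_history rather than overwriting the row is what later makes trending and per-IP history possible.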

                How will it make us work more efficiently?
•   All talking the same language
•   Targeted notifications (info comes to you)
•   Trending
•   Pretty graphs and charts!

                How far along are you?
• As of today:
     • DB Schema is complete
     • Working on web application logic
     • Working on coding PHP front-end

                What are the future capabilities of BOTS?
• Automated submission of entries through XML/RPC
  (security issues)
• RSS Feed to data (security issues)
• Automated notification of new entries to interested
  parties (how?)
• Automated penetration of botnet (interesting…)
• Malware archive?
• Daily/Weekly DB Dumps available for download (like

                So, can I have the URL to the live site?
• Uh…no.
• Still coding it.
• For more information, access to the site
  (when it goes live), or to offer assistance with
  PHP coding, DB maintenance, or other issues
