BOTS
BOTS - PowerPoint PPT Presentation
PowerPoint Slideshow about 'BOTS' - lynton
Presentation Transcript

BOTS

The Creation of a

Botnet Tracking Web Application

Micah Hoffman

US-CERT


What is it?

  • Apache/PHP/PostgreSQL Web application

  • It slices. It dices! It tracks:

    • Bots (both servers and clients)

    • Bot protocols (e.g., HTTP, IRC, …)

    • Net info lookups: IP, IP Block, DNS registrar, DNS registrant and their parent’s information

    • Suspects/Perpetrators

    • Stakeholders of infected machines


But why do we need it?

  • Standardize input of data

    • Same person; 2 emails; 30 minutes apart

      • “Another botnet c&c dns rr… please terminate it.”

      • “Anoter botnet c&c dns rr… please shut down it.”

    • Responses from people terminating a botnet C&C

      • “Closed”

      • “This one is being taken care of.”

      • “This host has been nuked.”

  • Tracking of “reports” through all stages

    • Similar to a help-desk ticketing system (open, assigned, closed)


Are there other reasons?

  • More secure transmission of data

    • HTTPS vs. unencrypted email

  • Maintains history of past events for analysis

    • Has IP 1.2.3.4 been infected more than once?

    • Find patterns in infections

    • Find patterns in suspects (like Zone-H)

    • Trends

    • Pretty graphs and charts!
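An added sketch, not code from the talk or from the BOTS project, of how the structured report record with help-desk-style states from the previous slide and the repeat-infection question on this slide might be modeled in PostgreSQL; all type, table and column names and the sample rows are assumptions:

```sql
-- Added illustration; names are assumptions, not the BOTS project's schema.
CREATE TYPE bot_role AS ENUM ('server', 'client');
CREATE TYPE bot_protocol AS ENUM ('HTTP', 'IRC', 'other');
CREATE TYPE report_status AS ENUM ('open', 'assigned', 'closed');

CREATE TABLE stakeholder (
    id    serial PRIMARY KEY,
    name  text NOT NULL,
    email text NOT NULL
);

CREATE TABLE bot (
    id             serial PRIMARY KEY,
    ip             inet NOT NULL,   -- native type: validates v4/v6 addresses on input
    role           bot_role NOT NULL,
    protocol       bot_protocol NOT NULL,
    first_seen     timestamptz NOT NULL DEFAULT now(),
    stakeholder_id integer REFERENCES stakeholder(id)
);

-- One structured report replaces the free-form "please terminate it" email.
CREATE TABLE report (
    id        serial PRIMARY KEY,
    bot_id    integer NOT NULL REFERENCES bot(id),
    status    report_status NOT NULL DEFAULT 'open',
    assignee  text,
    opened_at timestamptz NOT NULL DEFAULT now(),
    closed_at timestamptz,
    -- status and timestamps must agree; an assigned report must name its owner
    CHECK ((status = 'closed') = (closed_at IS NOT NULL)),
    CHECK (status <> 'assigned' OR assignee IS NOT NULL)
);

-- Constructed sample rows (not real incident data).
INSERT INTO stakeholder (name, email) VALUES ('Example ISP abuse desk', 'abuse@example.net');
INSERT INTO bot (ip, role, protocol, stakeholder_id) VALUES
    ('1.2.3.4', 'server', 'IRC',  1),
    ('1.2.3.4', 'client', 'HTTP', 1),
    ('5.6.7.8', 'client', 'HTTP', 1);
INSERT INTO report (bot_id, status, assignee, closed_at) VALUES
    (1, 'closed',   'analyst1', now()),
    (2, 'assigned', 'analyst2', NULL),
    (3, 'open',     NULL,       NULL);

-- "Has IP 1.2.3.4 been infected more than once?": IPs with more than one report.
SELECT b.ip, count(r.id) AS report_count, min(r.opened_at) AS first_report
FROM bot b JOIN report r ON r.bot_id = b.id
GROUP BY b.ip
HAVING count(r.id) > 1;
```

With the constructed rows the final query returns only 1.2.3.4 with a report_count of 2; the CHECK constraints reject a report that is marked closed without a closed_at or assigned without an assignee, which is the "same language" enforcement the next slide asks for.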


How will it make us work more efficiently?

  • All talking the same language

  • Targeted notifications (info comes to you)

  • Trending

  • Pretty graphs and charts!


How far along are you?

  • As of today:

    • DB Schema is complete

    • Working on web application logic

    • Working on coding PHP front-end


What are the future capabilities of BOTS?

  • Automated submission of entries through XML/RPC (security issues)

  • RSS Feed to data (security issues)

  • Automated notification of new entries to interested parties (how?)

  • Automated penetration of botnet (interesting…)

  • Malware archive?

  • Daily/Weekly DB Dumps available for download (like http://osvdb.org/database-info.php)


So, can I have the URL to the live site?

  • Uh…no.

  • Still coding it.

  • For more information, for access to the site (when it goes live), or to offer assistance with PHP coding, DB maintenance, or other issues, contact [email protected]

