Table of Contents

Cover image

Title page

VISIT US AT

Copyright

Acknowledgments

Lead Authors and Technical Editors

Contributors

Chapter 1: Botnets: A Call to Action

Introduction

The Killer Web App

How Big Is the Problem?

The Industry Responds

Summary

Solutions Fast Track

Chapter 2: Botnets Overview

What Is a Botnet?

The Botnet Life Cycle

What Does a Botnet Do?

Botnet Economics

Summary

Solutions Fast Track

Chapter 3: Alternative Botnet C&Cs

Introduction: Why Are There Alternative C&Cs?

Historical C&C Technology as a Road Map

DNS and C&C Technology

Alternative Control Channels

Web-Based C&C Servers

Summary

Solutions Fast Track

Chapter 4: Common Botnets

Introduction

SDBot

RBot

Agobot

Spybot

Mytob

Summary

Solutions Fast Track

Chapter 5: Botnet Detection: Tools and Techniques

Introduction

Abuse

Network Infrastructure: Tools and Techniques

Intrusion Detection

Darknets, Honeypots, and Other Snares

Forensics Techniques and Tools for Botnet Detection

Firewall Logs

Antivirus Software Logs

Summary

Solutions Fast Track

Chapter 6: Ourmon: Overview and Installation

Introduction

Case Studies: Things That Go Bump in the Night

How Ourmon Works

Installation of Ourmon

Summary

Solutions Fast Track

Chapter 7: Ourmon: Anomaly Detection Tools

Introduction

The Ourmon Web Interface

A Little Theory

TCP Anomaly Detection

UDP Anomaly Detection

Detecting E-mail Anomalies

Summary

Solutions Fast Track

Chapter 8: IRC and Botnets

Introduction

Understanding the IRC Protocol

Ourmon’s RRDTOOL Statistics and IRC Reports

Detecting an IRC Client Botnet

Detecting an IRC Botnet Server

Summary

Solutions Fast Track

Chapter 9: Advanced Ourmon Techniques

Introduction

Automated Packet Capture

Ourmon Event Log

Tricks for Searching the Ourmon Logs

Sniffing IRC Messages

Optimizing the System

Summary

Solutions Fast Track

Chapter 10: Using Sandbox Tools for Botnets

Introduction

Describing CWSandbox

Examining a Sample Analysis Report

Interpreting an Analysis Report

Bot-Related Findings of Our Live Sandbox

Summary

Solutions Fast Track

Notes

Chapter 11: Intelligence Resources

Introduction

Identifying the Information an Enterprise/University Should Try to Gather

Places/Organizations Where Public Information Can Be Found

Membership Organizations and How to Qualify

Confidentiality Agreements

What to Do with the Information When You Get It

The Role of Intelligence Sources in Aggregating Enough Information to Make Law Enforcement Involvement Practical

Summary

Solutions Fast Track

Chapter 12: Responding to Botnets

Introduction

Giving Up Is Not an Option

Why Do We Have This Problem?

What Is to Be Done?

A Call to Arms

Summary

Solutions Fast Track

FSTC Phishing Solutions Categories

Index
