80 likes | 93 Views
This web application tracks botnets, bot protocols, net info lookups, suspects/perpetrators, and stakeholders of infected machines. It standardizes data input and enables secure transmission. It maintains a history of events for analysis and enhances efficiency with targeted notifications and trends.
E N D
BOTS The Creation of a Botnet Tracking Web Application Micah Hoffman US-CERT
What is it? • Apache/PHP/PostgreSQL Web application • It slices. It dices! It tracks: • Bots (both servers and clients) • Bot protocols (e.g., HTTP, IRC, …) • Net info lookups: IP, IP Block, DNS registrar, DNS registrant and their parent’s information • Suspects/Perpetrators • Stake-holders of infected machines
But why do we need it? • Standardize input of data • Same person; 2 emails; 30 minutes apart • “Another botnet c&c dns rr… please terminate it.” • “Anoter botnet c&c dns rr… please shut down it.” • Responses from people terminating a botnet C&C • “Closed” • “This one is being taken care of.” • “This host has been nuked.” • Tracking of “reports” through all stages • Similar to a help-desk ticketing system (open, assigned, closed)
Are there other reasons? • More secure transmission of data • HTTPS vs. unencrypted email • Maintains history of past events for analysis • Has IP 1.2.3.4 been infected more than once? • Find patterns in infections • Find patterns in suspects (like Zone-H) • Trends • Pretty graphs and charts!
How will it make us work more efficiently? • All talking the same language • Targeted notifications (info comes to you) • Trending • Pretty graphs and charts!
How far along are you? • As of today: • DB Schema is complete • Working on web application logic • Working on coding PHP front-end
What are the future capabilities of BOTS? • Automated submission of entries through XML/RPC (security issues) • RSS Feed to data (security issues) • Automated notification of new entries to interested parties (how?) • Automated penetration of botnet (interesting…) • Malware archive? • Daily/Weekly DB Dumps available for download (like http://osvdb.org/database-info.php)
So, can I have the URL to the live site? • Uh…no. • Still coding it. • For more information, access to the site (when it goes live), or to offer assistance with PHP coding, DB maintenance, or other issues contact micah.hoffman@us-cert.gov