Zombies and Botnets - Detecting "Crowd Surges" in Logs and Network Traffic
Tenable released a TASL script for the Log Correlation Engine that can use netflow, sniffed network sessions, firewall logs and even network IDS logs to help identify botnets, maleware and zombie networks.
The basic premiss is that for certain protocols like SSH, Telnet, IRC and custom high-port control mechanisms, if we have a "large" user population suddenly all decide to visit an IP address on the other side of the world, this could indicate a "phone home" or some sort of control mechanism.
In our testing we've seen 100s of IP addresses all start to connect on a variety of ports. In some cases, we've seen user populations all descend upon Google and MySpace at the same time, but most of the time, we've been looking at a botnet of some sort. Seeing several 100 computers all connect to IRC at the same is an example most people are familiar with, but with this sort of correlation script, we're seeing odd ports targeted throughout the 0-65535 port range.
Consider the following example (sanitized) log:
This shows that host 210.51.x.x was visited at least once by 20 unique IP addresses from our "local" network. In each case the destination port was 62105. We've shared these logs with some experts for comment and many people have suggested that port 62105 is used in cases by the Skype application. These hosts involved in the session were not running Skype as determined by our Passive Vulnerability Scanner and Nessus scans.
Let's look at a different example:
The TASL script creates an event named "Crowd_Surge". In this example, one of the destination IP addresses for one of these events also was listed as a being tracked by the Internet Storm Center. The screen shot is an event summary of the last five days of all logs for the IP in question. The screen shot below is a port summary of all ports (destination and source) for the IP in question. Notice the large amount of port 9001.
The Internet Storm Center portal lists 9001 as Tor. If you are familiar with how Tor works, this pattern may make sense to you. However, the number of IP addresses involved with this log was several thousand.
As Tenable gets feedback from its customers about various observed traffic, we will post some results in this blog.
Related Articles
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!