Posts tagged ‘Botnet’

Infiltrating a Botnet

August 27, 2009

An article published by the Cisco Security Intelligence Center, original title “Infiltrating a Botnet”; for the sake of readers' experience I have translated it as “渗透一个肉鸡网络” (“Infiltrating a Zombie Network”) :) From a quick read, it appears to describe posing as a zombie to get into the server and then eavesdropping on the botmaster's transaction-related information. Quite interesting; I suspect friends who play with bots fell for this trick a long time ago.

Overview

Many teams at Cisco are dedicated to security research. One team recently investigated botnets with the goal of improving existing detection methods and discovering the techniques botmasters use to compromise machines. The team’s efforts were rewarded through their protection of an important customer’s network. Their discovery efforts also yielded extraordinary insights into the mind and motives of a botmaster. This paper discusses exploit protection and reports on the interviews the team held with the botmaster they encountered.

Defending a Customer from a Botmaster

Typically, administrators patch vulnerable machines or deploy some sort of intrusion prevention system (IPS) to protect against exploits. Both approaches are effective the majority of the time, but neither approach protects systems against the uneducated user. These approaches may not even protect people who take their machines home if the IPS is network-based. The user who will click and run anything is the greatest threat to any network.

Internet relay chat (IRC) traffic on non-standard ports is a good indicator of malicious activity. Simple botnets often use IRC as a command-and-control framework because the source code is readily available. Joining a chat network is not botnet activity, but it is usually not work-appropriate activity. Cisco offers a service that monitors and manages network-based IPS. By monitoring certain alerts from this data feed, suspicious IRC traffic was easily found.

An Unsuspecting Customer

A Cisco customer was unaware of dozens of compromised machines. A tremendous number of alerts including IRC activity, far larger than anything that could be benign, were occurring on the customer’s network. The traffic from several machines stood out from other systems on the network. There are occasionally oddities in a network, but when a small subset of machines is observed sharing the same odd behavior, researchers should take note.
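The two observations above, IRC on non-standard ports as an indicator and a small subset of hosts sharing the same odd behaviour, can be turned into a simple hunt over sensor records. The following is an added example, not code from the Cisco paper: the log format, the IRC command list and the sample lines are all constructed here for illustration.

```python
# Constructed example (not from the Cisco paper): log format and sample lines are invented.
import re
from collections import defaultdict

# Ports on which IRC is ordinarily expected (6660-6669 plus the TLS port 6697).
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697}

# First token of a cleartext IRC client command.
IRC_COMMAND_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE)\b")

# Constructed sensor records: src_ip dst_ip dst_port first-payload-line
SAMPLE_LOG = """\
10.0.0.12 203.0.113.5 7777 NICK [USA|XP|0342]
10.0.0.12 203.0.113.5 7777 USER x 0 0 :x
10.0.0.17 203.0.113.5 7777 NICK [USA|XP|8811]
10.0.0.23 203.0.113.5 7777 JOIN #chan
10.0.0.40 192.0.2.10 6667 NICK alice
10.0.0.41 198.51.100.9 443 GET / HTTP/1.1
"""

def parse_line(line):
    src, dst, port, payload = line.split(" ", 3)
    return src, dst, int(port), payload

def irc_on_odd_port(records):
    """Return records whose payload looks like IRC but whose port is not an IRC port."""
    hits = []
    for src, dst, port, payload in records:
        if port not in STANDARD_IRC_PORTS and IRC_COMMAND_RE.match(payload):
            hits.append((src, dst, port))
    return hits

def cluster_by_server(hits):
    """Group suspicious sources by (server, port) so shared odd behaviour stands out."""
    groups = defaultdict(set)
    for src, dst, port in hits:
        groups[(dst, port)].add(src)
    return groups

def suspicious_clusters(log_text, min_hosts=2):
    """(server, port) pairs that several internal hosts speak IRC to on an odd port."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    groups = cluster_by_server(irc_on_odd_port(records))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (server, port), hosts in suspicious_clusters(SAMPLE_LOG).items():
        print(f"{len(hosts)} hosts speak IRC to {server}:{port}: {', '.join(hosts)}")
```

A single host chatting on 6667 is not flagged; three hosts speaking IRC to the same server on port 7777 is the shared oddity the passage describes.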