Posts Tagged "Botnet"

Analyzing DNS Logs Using Splunk


Back in December of 2011 I wrote a post on the ThreatSim blog called “Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now“. One of the controls we recommended that folks implement was to log all DNS queries along with the client that requested each one:

Log DNS queries and the client that requested it: It’s been said that DNS is the linchpin of the Internet. It’s arguably the most basic and underappreciated human-to-technology interface. It’s no different for malware. When you suspect that a device on your network has been compromised, it’s important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.

Telling people to log DNS requests is super easy. Logging DNS queries is pretty easy too. Understanding how to ingest, analyze, and process the data is where you need to bring in some tools. We love Splunk (as do many of our customers). Splunk is the perfect tool for the job of figuring out what your clients are up to and who they are talking to. You can also set up real-time alerts if Splunk sees a DNS lookup for a known bad domain name.

Let’s implement our recommendation in real life. Here is what we did:


22 Interesting Confessions of A Botmaster


A few weeks ago there was an IAMA on Reddit from a malware author and botnet operator. An IAMA is a Q&A session on Reddit.com that allows Reddit users to ask the poster questions. We’ve distilled the large thread down to the most interesting questions and answers here.

It was a very interesting look into the mind, methods, and tools of the botnet community. The person spent a long time answering questions and providing insight into malware, botnets, attacker motivations, and the underground economy. We scoured the thread for the salient points and have collected them below.

He provided the following screen capture as proof (opens in a new window since it’s rather large):

Botnet Proof
