BOTS - PowerPoint PPT Presentation

About This Presentation
Title:

BOTS

Description:

Bot protocols (e.g., HTTP, IRC, ...) Net info lookups: IP, IP Block, DNS registrar, DNS ... Responses from people terminating a botnet C&C 'Closed' 'This ... – PowerPoint PPT presentation

Number of Views:48
Avg rating:3.0/5.0
Slides: 9
Provided by: micahh6
Learn more at: https://www.caida.org
Category:
Tags: bots | bot


Transcript and Presenter's Notes



1
BOTS
  • The Creation of a Botnet Tracking Web Application

Micah Hoffman, US-CERT
2
What is it?
  • Apache/PHP/PostgreSQL Web application
  • It slices. It dices! It tracks:
  • Bots (both servers and clients)
  • Bot protocols (e.g., HTTP, IRC, ...)
  • Net info lookups: IP, IP block, DNS registrar,
    DNS registrant and their parents' information
  • Suspects/Perpetrators
  • Stake-holders of infected machines

3
But why do we need it?
  • Standardize input of data
  • Same person, 2 emails 30 minutes apart:
  • "Another botnet cc dns rr please terminate it."
  • "Another botnet cc dns rr please shut down it."
  • Responses from people terminating a botnet C&C:
  • "Closed"
  • "This one is being taken care of."
  • "This host has been nuked."
  • Tracking of reports through all stages
  • Similar to a help-desk ticketing system (open,
    assigned, closed)

4
Are there other reasons?
  • More secure transmission of data
  • HTTPS vs. unencrypted email
  • Maintains history of past events for analysis
  • Has IP 1.2.3.4 been infected more than once?
  • Find patterns in infections
  • Find patterns in suspects (like Zone-H)
  • Trends
  • Pretty graphs and charts!
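The slides say the DB schema is complete but never show it, so the following is an added sketch, not the BOTS project's own schema: a minimal PostgreSQL layout that gives reports the help-desk states from slide 3 (open, assigned, closed) and keeps enough history to answer slide 4's question "Has IP 1.2.3.4 been infected more than once?". All table, column and sample values are assumptions constructed for the example.

```sql
-- Assumed sketch, not the BOTS project's actual schema (the slides do not show it).
CREATE TYPE report_status AS ENUM ('open', 'assigned', 'closed');
CREATE TYPE bot_role AS ENUM ('server', 'client');   -- C&C server vs. infected client

CREATE TABLE bot (
    bot_id     serial PRIMARY KEY,
    ip         inet NOT NULL,
    role       bot_role NOT NULL,
    protocol   text,                                   -- e.g. 'HTTP', 'IRC'
    first_seen timestamptz NOT NULL DEFAULT now()
);

-- One row per submitted report, with a ticket-style lifecycle.
CREATE TABLE report (
    report_id   serial PRIMARY KEY,
    bot_id      integer NOT NULL REFERENCES bot(bot_id),
    reporter    text NOT NULL,
    status      report_status NOT NULL DEFAULT 'open',
    assigned_to text,
    created_at  timestamptz NOT NULL DEFAULT now(),
    closed_at   timestamptz,
    -- a closed report must record when it was closed
    CHECK (status <> 'closed' OR closed_at IS NOT NULL)
);

-- Constructed sample data: 1.2.3.4 reported as an infected client twice.
INSERT INTO bot (ip, role, protocol) VALUES
  ('1.2.3.4',      'client', 'IRC'),
  ('198.51.100.7', 'server', 'IRC');
INSERT INTO report (bot_id, reporter, status, created_at, closed_at) VALUES
  (1, 'analyst-a', 'closed',   now() - interval '45 days', now() - interval '30 days'),
  (1, 'analyst-b', 'open',     now(),                      NULL),
  (2, 'analyst-a', 'assigned', now() - interval '2 days',  NULL);

-- "Has IP 1.2.3.4 been infected more than once?" (history across closed reports)
SELECT b.ip, count(*) AS reports
FROM bot b JOIN report r USING (bot_id)
WHERE b.ip = '1.2.3.4' AND b.role = 'client'
GROUP BY b.ip
HAVING count(*) > 1;

-- Open work queue, oldest first: the help-desk view of unfinished reports.
SELECT r.report_id, b.ip, r.status, r.assigned_to, r.created_at
FROM report r JOIN bot b USING (bot_id)
WHERE r.status <> 'closed'
ORDER BY r.created_at;
```

The first query returns one row for 1.2.3.4 with a count of 2; the second lists the two reports that are still open or assigned.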

5
How will it make us work more efficiently?
  • All talking the same language
  • Targeted notifications (info comes to you)
  • Trending
  • Pretty graphs and charts!

6
How far along are you?
  • As of today
  • DB Schema is complete
  • Working on web application logic
  • Working on coding PHP front-end

7
What are the future capabilities of BOTS?
  • Automated submission of entries through XML/RPC
    (security issues)
  • RSS Feed to data (security issues)
  • Automated notification of new entries to
    interested parties (how?)
  • Automated penetration of botnet (interesting)
  • Malware archive?
  • Daily/Weekly DB Dumps available for download
    (like http://osvdb.org/database-info.php)

8
So, can I have the URL to the live site?
  • Uh... no.
  • Still coding it.
  • For more information, access to the site (when it
    goes live), or to offer assistance with PHP
    coding, DB maintenance, or other issues contact
    micah.hoffman_at_us-cert.gov