# Botnet Infection Findings

The Botnet Infections risk vector is an indication of a host participating in a botnet, including active bots and Command and Control servers (C&C servers).

## Navigation Options

- SPM App: Findings ➔ Findings Table
- CM App: Select a company from your Companies List. Go to Vendor Risk ➔ Findings
- Insurance App: Select a company from your Companies List. Go to Client Risk ➔ Findings
- Bitsight API: `GET /v1/companies/entity_guid/findings?risk_vector=botnet_infections`

Botnet Infections are categorized and given names (e.g., Zeus, Gamarue, AndroidBauts). Filter by the various names to quickly identify systems and devices that have been compromised by a particular botnet.

❖ Availability varies based on the detection mechanism.

Finding details are organized into the following tabs: Details, Status History, Forensics, Assets, IP Attributions, Comments.

## Details

| Field | Description |
| --- | --- |
| Details | Details of the event. |
| Duration | The duration when the system was compromised. |
| Infection | The name of the infection. |
| Packet Evidence | Download a packet capture (PCAP or libpcap) containing the raw forensic evidence. |
| Remediation Instructions | Resources for remediation. |
| Risks | Potential risk to the organization. |
| Targeted Platform | The targeted operating system. |
| User Agent | The user's browser details. Malware can use the HTTP header to transmit information about itself or the compromised system to C&C servers. |

## Status History

Issue Tracking history. Issue Tracking establishes a remediation process framework so you can monitor, track, and report your progress on remediating your findings.

## Forensics

The following details are also included with the Forensics add-on package:

| Field | Description |
| --- | --- |
| C&C Domain ❖ | A device acting as part of a botnet was seen communicating with this server. It is likely to be the command and control server or a sinkhole. For HTTP-based bots, this is taken from the HTTP Host header and is sometimes an IP address instead of a domain. To evade firewall filtering, this field occasionally lists a non-malicious domain. |
| C&C IP ❖ | The IP address of the command and control server for this botnet, which sends instructions to all connected bots. |
| Detection Mechanism | The method used to detect the infection. |
| Destination IP | The destination IP address that observed the event. It is not malicious; blocking access to it from your organization's network does not provide any security benefit. |
| Destination Port | The port that is identified as the destination of traffic from a compromised device. |
| GeoIP Location | Country code where the IP address involved in the event resides. |
| Observation Count | Number of times the event was observed in a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
| Observations | Number of times the botnet was observed in a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
| Occurrence First Seen | The first time the event was seen. |
| Occurrence Last Seen | The last time the event was seen. |
| Representative Event Timestamp | The date and time when the event was observed. |
| Request Method | The HTTP request method (GET, POST, etc.) used by the compromised system to communicate with its command and control center. |
| Server Name ❖ | The domain name of the server, which is a known C&C server, sinkhole, or adware host. A device was observed connecting to this server. |
| Source Port | The port that is identified as the source of traffic to a compromised device. |

## Assets

| Field | Description |
| --- | --- |
| Asset | The asset attributed to the event. |
| Calculated Importance | The Bitsight-calculated asset importance. |
| View findings | View all findings in the asset. |

## IP Attributions

The reason for attributing the IP address to the organization.

## Comments

Finding comments for having discussions about findings.

- October 29, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
- January 19, 2024: Navigation by application.
- February 22, 2022: Added fields and detail sections – Details, Duration, Infection, Packet Evidence, Remediation Instructions, Risks, Targeted Platform, GeoIP Location, Observation Count, Occurrence First Seen, Occurrence Last Seen, Representative Event Timestamp, Status History, Assets, IP Attributions, & Comments.

## Related articles

- Botnet Infections Risk Vector
- Compromised System Findings
- Data Collection Methods Overview
- CM App: Companies List
- TLS/SSL Finding Remediation & Remediation Verification
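As an added example (not Bitsight's own code), the script below collapses botnet-infection findings of the shape documented above into one triage row per infection and asset, keeping the C&C indicators and dropping the Destination IP, which the Forensics table notes is the observing sinkhole rather than anything worth blocking. The sample findings and the JSON key names (`infection`, `cc_domain`, `observation_count`, etc.) are constructed and assumed; map them to the real response of the `GET /v1/companies/entity_guid/findings?risk_vector=botnet_infections` call before use.

```python
"""Triage Bitsight botnet-infection findings per infection and asset.

Added example, not Bitsight's code. Key names below are assumptions
modelled on the documented field names; the findings are constructed.
"""

# Constructed sample findings (RFC 5737 documentation addresses).
SAMPLE_FINDINGS = [
    {"infection": "Zeus", "asset": "203.0.113.10", "observation_count": 14,
     "first_seen": "2024-03-01", "last_seen": "2024-03-05",
     "cc_domain": "cc.example.net", "cc_ip": "198.51.100.7",
     "destination_ip": "192.0.2.44"},
    {"infection": "Zeus", "asset": "203.0.113.10", "observation_count": 3,
     "first_seen": "2024-03-06", "last_seen": "2024-03-06",
     "cc_domain": "198.51.100.7", "cc_ip": "198.51.100.7",
     "destination_ip": "192.0.2.44"},
    {"infection": "Gamarue", "asset": "203.0.113.22", "observation_count": 1,
     "first_seen": "2024-02-20", "last_seen": "2024-02-20",
     "cc_domain": "update.example.org", "cc_ip": "198.51.100.9",
     "destination_ip": "192.0.2.44"},
]


def summarize(findings, infection=None):
    """Group findings by (infection, asset), optionally for one infection.

    Observation counts are summed and the first/last seen window widened
    (ISO dates compare correctly as strings). C&C Domain and C&C IP are
    collected as hunt/blocklist indicators; Destination IP is the sinkhole
    that observed the event and is intentionally left out.
    """
    groups = {}
    for f in findings:
        if infection and f["infection"] != infection:
            continue
        key = (f["infection"], f["asset"])
        g = groups.setdefault(key, {
            "observations": 0, "first_seen": f["first_seen"],
            "last_seen": f["last_seen"], "cc_indicators": set()})
        g["observations"] += f["observation_count"]
        g["first_seen"] = min(g["first_seen"], f["first_seen"])
        g["last_seen"] = max(g["last_seen"], f["last_seen"])
        g["cc_indicators"].update({f["cc_domain"], f["cc_ip"]})
    return groups


def prioritized(groups):
    """Order rows for remediation: most observations, then most recent."""
    return sorted(groups.items(),
                  key=lambda kv: (-kv[1]["observations"], kv[1]["last_seen"]),
                  reverse=False)
```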