- March 28, 2022: Added crawler data collection method.
- September 30, 2020: Added data collection methods, considerations, and finding examples.
Botnet Infection events are identified through evidence that one or more devices in a company’s network are observed to be participating in a botnet.
- The IP information from the data sources are matched with those of a company.
- For botnets using domain generation algorithms, we register a set of randomly generated domains and wait for devices to connect to them.
- Only outbound traffic is checked. We do not monitor attacks against a company’s network.
Data Collection Methods
There are multiple methods of detecting and intercepting traffic from a botnet and attributing it to a specific company’s network. Through these methods, we can get specific infection information and details on where it originated from.
- Crawlers
- Honeypots
- Peer-to-Peer (P2P) Network Participation
- Sinkholes
- Spam Traps
The following illustration demonstrates our infection detection method:
- By monitoring known botnets and attributing the IP address of the connecting infected device back to a company (left).
- By intercepting communications between an infected device and a command and control server (C&C or C2 server), through sinkholing (right).
Finding Considerations
IP Address:Malware Family
Examples
- Zeus: Steals specific types of data, such as banking information and other login credentials. It can also be used to install other malware, such as CryptoLocker ransomware.
- Kelihos: Used for bitcoin theft and to send spam messages.
- Torpig: Designed to steal sensitive user data such as usernames, passwords, login locations, and personal and corporate credit card information. It is typically spread by the Mebroot rootkit.