How is the Botnet Infections Risk Vector Observed?

Botnet Infection events are identified through evidence that one or more devices in a company's network have been observed participating in a botnet. The IP information from the data sources is matched against the IP address space attributed to a company. For botnets that use domain generation algorithms (DGAs), we register a set of the algorithm's generated domains and wait for infected devices to connect to them.

Only outbound traffic is checked. We do not monitor attacks against a company's network.

Data Collection Methods

There are multiple methods of detecting and intercepting traffic from a botnet and attributing it to a specific company's network. Through these methods, we obtain specific infection information and details of where it originated:

Crawlers
Honeypots
Peer-to-Peer (P2P) Network Participation
Sinkholes
Spam Traps

The following illustration (two panels) demonstrates our infection detection method:

Left panel: monitoring known botnets and attributing the IP address of the connecting infected device back to a company.
Right panel: intercepting communications between an infected device and a command and control server (C&C or C2 server) through sinkholing.

Finding Considerations

IP Address:

Malware Family Examples

Zeus: Steals specific types of data, such as banking information and other login credentials. It can also be used to install other malware, such as CryptoLocker ransomware.
Kelihos: Used for bitcoin theft and to send spam messages.
Torpig: Designed to steal sensitive user data such as usernames, passwords, login locations, and personal and corporate credit card information. It is typically spread by the Mebroot rootkit.

March 28, 2022: Added crawler data collection method.
September 30, 2020: Added data collection methods, considerations, and finding examples.

Related articles

Botnet Infections Risk Vector
Botnet Infections Finding Considerations
Crawlers Finding Behavior
Honeypot
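The attribution step described above (a sinkhole records a connection, the connecting IP is matched to a company's address space, and only outbound connections count) can be illustrated with a small script. This is an added example written for this page, not the vendor's own code or pipeline; the company IP ranges, sinkhole domains, malware-family labels and log lines are all constructed for illustration, and the log format is an assumption.

```python
import ipaddress

# Constructed company IP address space (hypothetical, documentation ranges only).
COMPANY_RANGES = {
    "ExampleCorp": ["203.0.113.0/24", "2001:db8:1::/48"],
    "Acme Ltd": ["198.51.100.0/25"],
}

# Constructed sinkhole domains: DGA-style names we "registered", each labelled
# with the botnet family whose algorithm produced it (labels are hypothetical).
SINKHOLE_DOMAINS = {
    "qzkxw3hd.example.net": "Zeus",
    "plm8r0a2.example.org": "Kelihos",
}

# Constructed sinkhole log: timestamp, direction, source IP, destination domain.
# The "inbound" line and the 192.0.2.x sources are there to show what is ignored.
SAMPLE_LOG = """\
2022-03-28T10:00:01Z outbound 203.0.113.45 qzkxw3hd.example.net
2022-03-28T10:00:07Z outbound 198.51.100.9 plm8r0a2.example.org
2022-03-28T10:00:09Z inbound 192.0.2.77 qzkxw3hd.example.net
2022-03-28T10:01:13Z outbound 203.0.113.45 qzkxw3hd.example.net
2022-03-28T10:02:30Z outbound 192.0.2.10 qzkxw3hd.example.net
2022-03-28T10:03:00Z outbound 2001:db8:1::beef plm8r0a2.example.org
2022-03-28T10:04:00Z outbound 203.0.113.46 www.example.com
"""


def build_lookup(ranges):
    """Flatten {company: [cidr, ...]} into [(network, company), ...]."""
    return [(ipaddress.ip_network(cidr), company)
            for company, cidrs in ranges.items() for cidr in cidrs]


def attribute_ip(ip, nets):
    """Return the company owning `ip`, or None if it is not in any known range."""
    addr = ipaddress.ip_address(ip)
    for net, company in nets:
        if addr.version == net.version and addr in net:
            return company
    return None


def parse_line(line):
    ts, direction, src, dst = line.split()
    return {"ts": ts, "direction": direction, "src": src, "dst": dst.lower()}


def attribute_infections(log_text, ranges=COMPANY_RANGES, sinkholes=SINKHOLE_DOMAINS):
    """Turn sinkhole log lines into per-(company, ip) infection findings.

    A line becomes evidence only if all three hold: the connection is outbound
    from the device, the destination is one of our sinkhole domains, and the
    source IP falls inside a company's attributed address space.
    """
    nets = build_lookup(ranges)
    findings = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["direction"] != "outbound":
            continue  # attacks against the network are not monitored
        family = sinkholes.get(rec["dst"])
        if family is None:
            continue  # ordinary traffic, not a sinkhole hit
        company = attribute_ip(rec["src"], nets)
        if company is None:
            continue  # infected, but not attributable to a tracked company
        key = (company, rec["src"])
        entry = findings.setdefault(key, {"family": family, "first_seen": rec["ts"],
                                          "last_seen": rec["ts"], "hits": 0})
        entry["last_seen"] = rec["ts"]
        entry["hits"] += 1
    return findings


def infected_devices_by_company(findings):
    """Count distinct infected IPs per company, the number a rating would weigh."""
    counts = {}
    for company, _ip in findings:
        counts[company] = counts.get(company, 0) + 1
    return counts


if __name__ == "__main__":
    result = attribute_infections(SAMPLE_LOG)
    for (company, ip), entry in sorted(result.items()):
        print(f"{company:12} {ip:20} {entry['family']:8} hits={entry['hits']} "
              f"{entry['first_seen']} .. {entry['last_seen']}")
    print(infected_devices_by_company(result))
```

Two things the script makes concrete that the prose only states: the inbound line from 192.0.2.77 is dropped before any lookup, because an inbound connection is an attack on the network rather than evidence of an infection inside it; and a device that does connect to a sinkhole but sits outside every attributed range (192.0.2.10) produces no finding, which is why the quality of the IP-to-company attribution data bounds the quality of the risk vector.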