How is the Botnet Infections Risk Vector Observed?

Botnet Infection events are identified through evidence that one or more devices in a company’s network are observed to be participating in a botnet.

• The IP information from the data sources are matched with those of a company.
• For botnets using domain generation algorithms, we register a set of randomly generated domains and wait for devices to connect to them.
• Only outbound traffic is checked. We do not monitor attacks against a company’s network.

Data Collection Methods

There are multiple methods of detecting and intercepting traffic from a botnet and attributing it to a specific company’s network. Through these methods, we can get specific infection information and details on where it originated from.

• Crawlers
• Honeypots
• Peer-to-Peer (P2P) Network Participation
• Sinkholes
• Spam Traps

The following illustration demonstrates our infection detection method:

• By monitoring known botnets and attributing the IP address of the connecting infected device back to a company (left).
• By intercepting communications between an infected device and a command and control server (C&C or C2 server), through sinkholing (right).

Finding Considerations

IP Address:Malware Family

Examples

• Zeus: Steals specific types of data, such as banking information and other login credentials. It can also be used to install other malware, such as CryptoLocker ransomware.
• Kelihos: Used for bitcoin theft and to send spam messages.
• Torpig: Designed to steal sensitive user data such as usernames, passwords, login locations, and personal and corporate credit card information. It is typically spread by the Mebroot rootkit.