Zombies and Botnets - Detecting "Crowd Surges" in Logs and Network Traffic
Tenable released a TASL script for the Log Correlation Engine that can use netflow, sniffed network sessions, firewall logs and even network IDS logs to help identify botnets, maleware and zombie networks.
The basic premiss is that for certain protocols like SSH, Telnet, IRC and custom high-port control mechanisms, if we have a "large" user population suddenly all decide to visit an IP address on the other side of the world, this could indicate a "phone home" or some sort of control mechanism.
In our testing we've seen 100s of IP addresses all start to connect on a variety of ports. In some cases, we've seen user populations all descend upon Google and MySpace at the same time, but most of the time, we've been looking at a botnet of some sort. Seeing several 100 computers all connect to IRC at the same is an example most people are familiar with, but with this sort of correlation script, we're seeing odd ports targeted throughout the 0-65535 port range.
Consider the following example (sanitized) log:
This shows that host 210.51.x.x was visited at least once by 20 unique IP addresses from our "local" network. In each case the destination port was 62105. We've shared these logs with some experts for comment and many people have suggested that port 62105 is used in cases by the Skype application. These hosts involved in the session were not running Skype as determined by our Passive Vulnerability Scanner and Nessus scans.
Let's look at a different example:
The TASL script creates an event named "Crowd_Surge". In this example, one of the destination IP addresses for one of these events also was listed as a being tracked by the Internet Storm Center. The screen shot is an event summary of the last five days of all logs for the IP in question. The screen shot below is a port summary of all ports (destination and source) for the IP in question. Notice the large amount of port 9001.
The Internet Storm Center portal lists 9001 as Tor. If you are familiar with how Tor works, this pattern may make sense to you. However, the number of IP addresses involved with this log was several thousand.
As Tenable gets feedback from its customers about various observed traffic, we will post some results in this blog.