Wednesday, February 24, 2010

Advanced Persistent Threat IV

SRI's Malware Threat Center has released version 1.5 of BotHunter. BotHunter combines a proprietary correlation algorithm with the data-collection facilities of a customized Snort to detect botnet communication, running either on Windows hosts or on a Unix bastion at the egress of your network. You can also review the data it collects from its honeynet. Here's a picture of it running on Vista:

[image: BotHunter 1.5 running on Vista]

Update: 02/27/10  And so I had a 1.10 score (below). BotHunter reported that a Microsoft IP conducted an outbound scan of 18 IPs. Something to think about...

OUTBOUND SCAN (spp)
    207.46.16.248 (2) (20:05:49.902 PST)   
   event=777:7777005 (2) {udp} E5[bh] Detected moderate malware port scanning of 18 IPs (11 /24s) (# pkts S/M/O/I=0/52/4/0): 137u:52, [] MAC_Src: 00:16:EA:4C:F3:AE

Funny, I had Netmon 3.3 running, but it didn't catch that IP at that time. This turned out to be a Microsoft DNS IP:

9:41:51.287 192.168.0.14 80 (0x50) 207.46.16.248 207.46.16.248 msdn.microsoft.akadns.net 00-09-5B-00-F3-DA msdn.microsoft.akadns.net 5599 (0x15DF)
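As an added example (not part of the original post, and not BotHunter or Netmon code), the following Python parses the E5 alert line and the Netmon summary line quoted above into structured records and then checks whether the captured flow actually carries a port the alert reported scanning. The column layout of the Netmon line, the meaning of the alert fields beyond what the line itself states (the `u` suffix as UDP, `t` as TCP), and the `Flow`/`ScanAlert` names are assumptions made for this example; the S/M/O/I packet counters are kept exactly as reported, since the page does not define them.

```python
"""Parse a BotHunter E5 outbound-scan alert and a Netmon summary line, then
correlate them by port. Added example; field meanings are assumptions inferred
from the two records quoted in the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample records constructed from the two lines quoted in the post.
BOTHUNTER_ALERT = (
    "event=777:7777005 (2) {udp} E5[bh] Detected moderate malware port scanning of "
    "18 IPs (11 /24s) (# pkts S/M/O/I=0/52/4/0): 137u:52, [] MAC_Src: 00:16:EA:4C:F3:AE"
)
NETMON_LINE = (
    "9:41:51.287 192.168.0.14 80 (0x50) 207.46.16.248 207.46.16.248 "
    "msdn.microsoft.akadns.net 00-09-5B-00-F3-DA msdn.microsoft.akadns.net 5599 (0x15DF)"
)


@dataclass
class ScanAlert:
    sid: str                            # Snort-style gid:sid
    count: int                          # occurrence count in parentheses
    proto: str                          # {udp}/{tcp} tag
    severity: str                       # "moderate" in the sample
    target_ips: int                     # distinct addresses probed
    subnets: int                        # distinct /24s probed
    pkts: Tuple[int, int, int, int]     # S/M/O/I counters, reported as-is (meaning not on the page)
    ports: List[Tuple[int, str, int]]   # (port, protocol, packet count)
    mac: str                            # MAC_Src of the host that sent the probes


@dataclass
class Flow:
    time: str
    hosts: Tuple[str, str]
    ports: Tuple[int, int]
    name: str                           # resolved peer name shown by Netmon


ALERT_RE = re.compile(
    r"event=(?P<sid>\d+:\d+) \((?P<count>\d+)\) \{(?P<proto>\w+)\} (?P<evt>E\d)\[bh\] "
    r"Detected (?P<severity>\w+) malware port scanning of (?P<ips>\d+) IPs "
    r"\((?P<subnets>\d+) /24s\) \(# pkts S/M/O/I=(?P<s>\d+)/(?P<m>\d+)/(?P<o>\d+)/(?P<i>\d+)\): "
    r"(?P<ports>[^\[]+?), \[\] MAC_Src: (?P<mac>[0-9A-Fa-f:]+)"
)
PORT_RE = re.compile(r"(\d+)([ut]):(\d+)")   # e.g. 137u:52 -> port 137, udp, 52 packets
PROTO_SUFFIX = {"u": "udp", "t": "tcp"}      # 'u' is on the page; 't' is assumed


def parse_bothunter_alert(line: str) -> ScanAlert:
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a BotHunter scan alert: %r" % line)
    ports = [(int(p), PROTO_SUFFIX[k], int(n)) for p, k, n in PORT_RE.findall(m.group("ports"))]
    return ScanAlert(
        sid=m.group("sid"), count=int(m.group("count")), proto=m.group("proto"),
        severity=m.group("severity"), target_ips=int(m.group("ips")),
        subnets=int(m.group("subnets")),
        pkts=tuple(int(m.group(k)) for k in "smoi"),
        ports=ports, mac=m.group("mac"),
    )


def parse_netmon_line(line: str) -> Flow:
    # Column layout assumed from the single line in the post: time, address, port,
    # port in hex, peer address (twice), peer name, MAC, peer name again, peer port, hex.
    f = line.split()
    if len(f) != 11:
        raise ValueError("unexpected Netmon column count: %d" % len(f))
    port_a, port_b = int(f[2]), int(f[9])
    # The hex columns must agree with the decimal ports, or the layout guess is wrong.
    if int(f[3].strip("()"), 16) != port_a or int(f[10].strip("()"), 16) != port_b:
        raise ValueError("hex/decimal port mismatch in Netmon line")
    return Flow(time=f[0], hosts=(f[1], f[4]), ports=(port_a, port_b), name=f[6])


def flow_matches_alert(flow: Flow, alert: ScanAlert) -> bool:
    """True if the captured flow uses a port the alert counted as scanned.
    A False result means the capture is a different session with the same peer,
    not the probe traffic the sensor scored."""
    scanned = {p for p, _, _ in alert.ports}
    return any(p in scanned for p in flow.ports)


def is_private(ip: str) -> bool:
    """RFC 1918 / loopback / link-local check for the address a sensor names."""
    return ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    a = parse_bothunter_alert(BOTHUNTER_ALERT)
    fl = parse_netmon_line(NETMON_LINE)
    print(a)
    print(fl)
    print("Netmon flow is the scan traffic:", flow_matches_alert(fl, a))
    print("private addresses:", [h for h in fl.hosts if is_private(h)])
```

Run against the two records, the alert parses to 52 UDP packets on port 137 (NetBIOS name service) spread across 18 addresses in 11 /24s, while the Netmon line records ports 80 and 5599 between 192.168.0.14 and 207.46.16.248, so `flow_matches_alert` returns False: the one frame Netmon logged is a web session with the MSDN host, not the port-137 probes BotHunter counted. `is_private` is included so the address a sensor lists on an OUTBOUND SCAN header can be checked against local ranges before an outside host is credited with a scan that the sensor scored on egress.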

