Botnet Identification

TL;DR

This guide shows you how to identify bots in a network by looking at their behaviour and communication patterns. We’ll cover tools like Wireshark, basic network analysis, and checking for common botnet command-and-control (C&C) servers.

1. Understanding Botnets

Botnets are networks of compromised computers controlled remotely. Identifying them is crucial for cyber security. Bots often exhibit similar behaviours:

• Regular Communication: Frequent connections to the same IP addresses or domains.
• Synchronised Activity: Multiple machines performing the same action at roughly the same time.
• Unusual Traffic Patterns: Connections outside of normal working hours, or to unexpected locations.

2. Capturing Network Traffic with Wireshark

Wireshark is a free network protocol analyser. It lets you see the data flowing in and out of your network.

1. Download & Install: Get Wireshark from https://www.wireshark.org/
2. Select Interface: Choose the correct network interface to capture traffic on (e.g., Ethernet, Wi-Fi).
3. Start Capture: Click the shark fin icon to begin capturing packets.

3. Filtering Traffic in Wireshark

Filtering helps you focus on specific types of communication.

1. IP Address Filter: To see traffic from a particular IP address, use ip.addr == x.x.x.x (replace x.x.x.x with the IP).
2. Port Filter: To view traffic on a specific port, use tcp.port == yyyy or udp.port == yyyy (replace yyyy with the port number).
3. HTTP Filter: For web traffic, use http.

Example:

ip.addr == 192.168.1.100 and tcp.port == 80

4. Analysing Traffic for Botnet Indicators

1. Look for Common Ports: Bots often use ports like 80, 443 (HTTP/HTTPS), 25 (SMTP), 1194 (OpenVPN).
2. Check DNS Requests: Unusual domain names or frequent requests to the same domain can be suspicious.
3. Examine Payload Data: Look for patterns in the data being sent and received. This might reveal command-and-control communication.

5. Identifying Command & Control (C&C) Servers

Botnets need servers to send instructions. Here’s how to spot them:

• IP Reputation Services: Use websites like AbuseIPDB or Talos Intelligence to check if an IP address is known for malicious activity.
• Threat Intelligence Feeds: Subscribe to threat feeds that provide lists of known C&C servers and botnet domains.

6. Using Network Tools (Command Line)

For more advanced analysis, use command-line tools.

1. netstat: Shows network connections.

   netstat -an | grep ESTABLISHED

2. tcpdump: Captures packets from the command line (similar to Wireshark).

   tcpdump -i eth0 host x.x.x.x

   (replace eth0 with your interface and x.x.x.x with the IP address)

3. nslookup: Queries DNS servers.

   nslookup suspiciousdomain.com

7. Further Investigation

If you suspect a botnet infection:

• Isolate Infected Machines: Disconnect them from the network to prevent further spread.
• Scan for Malware: Run a full system scan with an up-to-date antivirus program.
• Review System Logs: Look for unusual processes or scheduled tasks.