Malware or Botnet Infection

Description
Malware (short for malicious software) is any software used to automate malicious activity, whether by disrupting computer operation, aiding the collection and transmission of sensitive information, or infiltrating a computer without the user's consent.

A bot is a type of malware that allows an attacker to take remote control of an affected computer. A computer infected by a bot will do the bidding of its master, hence the term "zombie" is used to describe victim machines.

Threat types to monitor
■    Viruses

■    Worms

■    Trojan Horses

■    Rootkits

■    Spyware

■    Keyware

Monitoring setup
■    Firewall

■    Outbound connections to known command and control centres

■    Outbound connections on well-known ports that carry traffic other than the service normally assigned to those ports

■    Inbound connections from suspicious domains and/or on suspicious service ports

Event Indicators
■    Sudden increase in traffic towards suspicious external IP addresses from single or multiple sources

■    Internal or external port scans

■    Unusual file extensions observed as attachments in outbound traffic

■    Suspicious inbound traffic to specific destinations from external IP addresses

■    HTTP outbound traffic to multiple destinations from a single source

■    Outbound connections to known command and control centres

■    File transfers using non-standard ports

■    Non-SMTP traffic on TCP port 25 containing an executable

■    Non-DNS traffic on TCP or UDP port 53 containing an executable

■    Internal port scan messages in logs

■    Suspicious inbound traffic to specific destinations

■    Non-HTTP traffic on TCP port 80 containing an executable
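The monitoring setup and event indicators above, turned into detection logic over flow records. This is an added example, not part of the original wiki page: the flow records, the C2 indicator list (TEST-NET addresses) and the thresholds are all constructed for illustration, and the record layout (source, destination, port, service label, first payload bytes) assumes a passive analyser such as Zeek has already labelled each connection's service.

```python
from collections import Counter, defaultdict

# Constructed C2 indicator list (placeholder TEST-NET addresses, not real IoCs).
KNOWN_C2 = {"203.0.113.45"}
# Service expected on each well-known port, as the analyser would label it.
EXPECTED_SERVICE = {25: "smtp", 53: "dns", 80: "http"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable

# Constructed flow records: one dict per outbound connection, with the first payload bytes.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 80, "service": "http", "head": b"GET / HTTP/1.1"},
    {"src": "10.0.0.5", "dst": "203.0.113.45", "dport": 443, "service": "ssl", "head": b"\x16\x03\x01"},
    {"src": "10.0.0.9", "dst": "198.51.100.20", "dport": 53, "service": "-", "head": b"MZ\x90\x00\x03"},
    {"src": "10.0.0.9", "dst": "198.51.100.21", "dport": 25, "service": "-", "head": b"MZ\x90\x00\x03"},
] + [  # burst of connections from one host to one external address on a non-standard port
    {"src": "10.0.0.7", "dst": "192.0.2.10", "dport": 8080, "service": "-", "head": b"\x00"} for _ in range(6)
] + [  # one host posting to many HTTP destinations
    {"src": "10.0.0.3", "dst": f"198.51.100.{i}", "dport": 80, "service": "http", "head": b"POST"} for i in range(30, 42)
]

def analyze(flows, burst_threshold=5, http_fanout_threshold=10):
    """Return (alert_type, src, detail) tuples for the indicators listed on this page."""
    alerts = []
    pair_counts = Counter()        # (src, dst) -> number of flows
    http_dests = defaultdict(set)  # src -> distinct HTTP destinations
    for f in flows:
        src, dst, port = f["src"], f["dst"], f["dport"]
        if dst in KNOWN_C2:                      # outbound connection to known C2
            alerts.append(("c2_contact", src, dst))
        expected = EXPECTED_SERVICE.get(port)
        if expected and f["service"] != expected:  # well-known port, wrong protocol
            alerts.append(("port_service_mismatch", src, dst))
        if expected and f["head"].startswith(PE_MAGIC):  # executable on port 25/53/80
            alerts.append(("executable_on_service_port", src, dst))
        pair_counts[(src, dst)] += 1
        if f["service"] == "http":
            http_dests[src].add(dst)
    for (src, dst), n in pair_counts.items():    # sudden increase toward one external IP
        if n >= burst_threshold:
            alerts.append(("traffic_burst", src, dst))
    for src, dests in http_dests.items():        # HTTP to many destinations from one source
        if len(dests) >= http_fanout_threshold:
            alerts.append(("http_fanout", src, f"{len(dests)} destinations"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(*alert)
```

Thresholds and the service labels are site-specific; tune them against a baseline of normal traffic before alerting on them.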