Webinar: Detecting and Stopping Modern Botnets with Damballa and ArcSight
If you missed the ArcSight seminar today, you missed a pretty good one. Some of the ideas from the seminar where, when looking at the advanced threats:
- Having perimeter security doesn’t really help you.
- Botnets gain privileged Access levels, and once entranced has been gained,
- They conduct crime for an extended period of time.
The seminar took a pretty good look at the Russian Business Network’s Sinowal advanced malware and the Zeus Bot. Here are some of the most interesting points:
Both pieces of malware were made to avoid detection. Once a system is infected with Sinowal, it slowly injects itself into the master boot record. It does this slowly over time to avoid detection. It can update itself up to every hour and can chose from up to 500 different IP addresses to connect to through DNS for command and control.
Zeus can modify its binary based on the time stamp on your system, down to the millisecond so its signature is unique each and every time. The botnet code captures your transactions with financial institutes including login names, and even challenge response answers. The botnet comes with tools so that once infected, the botmaster can view accounts and see which ones have money in them and can siphon funds out a little at a time to avoid detection. This bot is sold in kit forms in the underground and can even come with 24/7 support!
According to the seminar, the solution to fighting these threats is to minimize the risk by identifying them as early as possible. Sinowal is identifiable by its pattern of DNS lookups, Zeus by its command and control traffic. What is needed is the software to identify these threats, record forensics information and report the trespass to an incident response team as soon as possible.
Also, ArcSight is sponsoring the “Protect 10” Security conference in DC on September 19-22, which looks very interesting, click here for more info.