Webinar: Detecting and Stopping Modern Botnets with Damballa and ArcSight

If you missed the ArcSight seminar today, you missed a pretty good one. Some of the ideas from the seminar where, when looking at the advanced threats:

  • Having perimeter security doesn’t really help you.
  • Botnets gain privileged Access levels, and once entranced has been gained,
  • They conduct crime for an extended period of time.

The seminar took a pretty good look at the Russian Business Network’s Sinowal advanced malware and the Zeus Bot. Here are some of the most interesting points:

Both pieces of malware were made to avoid detection. Once a system is infected with Sinowal, it slowly injects itself into the master boot record. It does this slowly over time to avoid detection. It can update itself up to every hour and can chose from up to 500 different IP addresses to connect to through DNS for command and control.

Zeus can modify its binary based on the time stamp on your system, down to the millisecond so its signature is unique each and every time. The botnet code captures your transactions with financial institutes including login names, and even challenge response answers. The botnet comes with tools so that once infected, the botmaster can view accounts and see which ones have money in them and can siphon funds out a little at a time to avoid detection. This bot is sold in kit forms in the underground and can even come with 24/7 support!

According to the seminar, the solution to fighting these threats is to minimize the risk by identifying them as early as possible. Sinowal is identifiable by its pattern of DNS lookups, Zeus by its command and control traffic. What is needed is the software to identify these threats, record forensics information and report the trespass to an incident response team as soon as possible.

ArcSight teamed with Damballa does just this. Check out their sites for more information.

Also, ArcSight is sponsoring the “Protect 10” Security conference in DC on September 19-22, which looks very interesting, click here for more info.

~ by D. Dieterle on July 21, 2010.

2 Responses to “Webinar: Detecting and Stopping Modern Botnets with Damballa and ArcSight”

  1. […] This post was mentioned on Twitter by Logzilla (@zhenjl), ArcSight. ArcSight said: Blogger #D.Dieterle shares feedback on recent webinar "Detecting & Stopping Modern Botnets w/Damballa & ArcSight" | http://bit.ly/b60kTt […]

  2. Hi daniel,

    Love your blog.

    I work at a research firm in San Francisco called Blueshift Research. We’re doing a project on trends in cybersecurity and are also looking at ArcSight.

    I’m wondering if you might have a few minutes to chat?

    Adam Lesser
    al@blueshiftideas.com
    415-817-9365

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: