Abstract
Administrators must have faith in the security products installed today at the desktop and gateway levels of their networks. They have faith that these technologies provide reasonable protection against most worms infecting and spreading within the internal network. However, overdependence on those very security products leaves many organizations potentially exposed when the network is hit with an undetected piece of malware. For any organization, internal bot infections cause serious repercussions, including lost man-hours and downtime. The average cost [1] of such disasters runs into the tens of thousands of dollars. The most recent cases are the W32/Mocbot [2], W32/Mytob [3], and W32/Zotob [4] outbreaks, which caused widespread havoc within several large corporate networks. Having an early warning system in place that proactively alerts on and captures bot-like activity on an internal network goes a long way toward containing and isolating the source of infection or attack. Furthermore, no organization should rely solely on a security vendor's information or solution; organizations must also have in place their own information gathering methods, techniques, and defences. This paper describes setting up an IRC honeypot on a network using minimal resources and requiring little maintenance. The honeypot serves as an early warning system that proactively alerts on bot-like activity. We also discuss using the internal IRC honeypot to disrupt the flow between bots and their command and control (C&C) server. This can allow the network administrator to gain control over infected machines and assist in removing bots from them.
| Field | Value |
|---|---|
| Original language | English |
| Pages (from-to) | 103-111 |
| Number of pages | 9 |
| Journal | Journal in Computer Virology |
| Volume | 3 |
| Issue number | 2 |
| DOIs | |
| State | Published - Jun 2007 |
| Externally published | Yes |