Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Zombies and Botnets - Detecting "Crowd Surges" in Logs and Network Traffic

Tenable released a TASL script for the Log Correlation Engine that can use netflow, sniffed network sessions, firewall logs and even network IDS logs to help identify botnets, maleware and zombie networks.

The basic premiss is that for certain protocols like SSH, Telnet, IRC and custom high-port control mechanisms, if we have a "large" user population suddenly all decide to visit an IP address on the other side of the world, this could indicate a "phone home" or some sort of control mechanism.

In our testing we've seen 100s of IP addresses all start to connect on a variety of ports. In some cases, we've seen user populations all descend upon Google and MySpace at the same time, but most of the time, we've been looking at a botnet of some sort. Seeing several 100 computers all connect to IRC at the same is an example most people are familiar with, but with this sort of correlation script, we're seeing odd ports targeted throughout the 0-65535 port range.

Consider the following example (sanitized) log:


This shows that host 210.51.x.x was visited at least once by 20 unique IP addresses from our "local" network. In each case the destination port was 62105. We've shared these logs with some experts for comment and many people have suggested that port 62105 is used in cases by the Skype application. These hosts involved in the session were not running Skype as determined by our Passive Vulnerability Scanner and Nessus scans.

Let's look at a different example:


The TASL script creates an event named "Crowd_Surge". In this example, one of the destination IP addresses for one of these events also was listed as a being tracked by the Internet Storm Center. The screen shot is an event summary of the last five days of all logs for the IP in question. The screen shot below is a port summary of all ports (destination and source) for the IP in question. Notice the large amount of port 9001.


The Internet Storm Center portal lists 9001 as Tor. If you are familiar with how Tor works, this pattern may make sense to you. However, the number of IP addresses involved with this log was several thousand.

As Tenable gets feedback from its customers about various observed traffic, we will post some results in this blog.

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.