Go to the daily bot reports and pay attention to the DNS lookups. There are
a lot of Russian sites (.ru) there...
http://isc.sans.org/diary.html?n&storyid=3390
Learning about Bots
Published: 2007-09-16,
Last Updated: 2007-09-16 16:00:15 UTC
by Marcus Sachs (Version: 1)
Pedro's diary entry yesterday on malicious file names reminded me that I wanted
to point everybody again at the BotHunter honeynet web site. There's a lot of
new information there, beyond just the lists of evil IP addresses and DNS
look-ups. Check out Behavioral Clusters, where you'll see that with over 6000
infections caught in the honeynet there are only about a dozen bot profiles.
If you look at the daily catch (for example, September 15 vs September 14)
you'll see that the behavioral cluster doesn't show up immediately but
eventually gets updated. On September 14 the majority of the infections are
"Aug-Sept-A" clusters and all are easily detected by various Snort rules and
AntiVirus signatures.
Another interesting tool is the geographic distribution of infection sources
for a particular malware binary. For example, the first infection for
September 15 has a malware hash of a12cab51ef. In the column labeled "Packed
Malware Binary" you'll see a link to [Firefox:203 hits: 05-01 to 09-02]. If
you follow that link you'll see a Google map that shows the infection sources
for this particular piece of malware over the past few months. Of course, the
accuracy of the dots on the Google map depends on the accuracy of the ARIN,
RIPE, APNIC, AFNIC, and LACNIC databases which as we know are all highly
accurate and dependable. :)
If you enjoy looking at the automated output of the honeynet, be sure to
download a copy of the BotHunter program itself and run it inside your own
environment. This is a government funded research project so there is no
charge for the public distribution.
Marc Sachs
Director, SANS Internet Storm Center
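The diary's point about Behavioral Clusters (thousands of infections collapsing into about a dozen bot profiles) and the first poster's remark about the many .ru names in the DNS lookup column can both be shown on a tiny constructed data set. The script below is an added example, not code from BotHunter or the ISC; the record layout, the field names (`hash`, `dns`, `c2_port`, `propagation`) and every value in `SAMPLE_INFECTIONS` are assumptions made up for illustration, not real report data.

```python
"""Group constructed bot-infection records into behavioral profiles and
tally the top-level domains of their DNS lookups.

Added example: the record format below is an assumption and does not
reflect BotHunter's real daily-report layout."""
from collections import Counter, defaultdict

# Constructed sample records, loosely modelled on what a daily honeynet
# report might list per infection: the malware binary hash, the hostnames
# the bot resolved, the C2 port it connected to, and the propagation vector
# observed.  None of these hashes, hostnames or ports are real.
SAMPLE_INFECTIONS = [
    {"id": 1, "hash": "aaaa1111", "dns": ["upd.example.ru", "cc.example.ru"],
     "c2_port": 6667, "propagation": "tcp445"},
    {"id": 2, "hash": "aaaa1111", "dns": ["upd.example.ru"],
     "c2_port": 6667, "propagation": "tcp445"},
    {"id": 3, "hash": "bbbb2222", "dns": ["upd.example.ru", "cc.example.ru"],
     "c2_port": 6667, "propagation": "tcp445"},
    {"id": 4, "hash": "cccc3333", "dns": ["bot.example.com"],
     "c2_port": 80, "propagation": "tcp135"},
    {"id": 5, "hash": "dddd4444", "dns": ["bot.example.com"],
     "c2_port": 80, "propagation": "tcp135"},
    {"id": 6, "hash": "eeee5555", "dns": ["x.example.ru"],
     "c2_port": 6667, "propagation": "tcp445"},
]


def tld(hostname):
    """Return the lowercase top-level domain of a hostname."""
    return hostname.rsplit(".", 1)[-1].lower()


def profile_key(rec):
    """Behavioral signature of one infection: C2 port, propagation vector and
    the set of TLDs it resolved.  The binary hash is deliberately left out,
    so re-packed samples of the same bot family fall into one profile, which
    is why a few profiles can cover many distinct binaries."""
    tlds = tuple(sorted({tld(h) for h in rec["dns"]}))
    return (rec["c2_port"], rec["propagation"], tlds)


def cluster_by_behavior(records):
    """Map each behavioral profile to the ids of the infections that share it."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[profile_key(rec)].append(rec["id"])
    return dict(clusters)


def tld_counts(records):
    """Count how often each TLD appears across all DNS lookups."""
    counts = Counter()
    for rec in records:
        for host in rec["dns"]:
            counts[tld(host)] += 1
    return counts


def summarize(records):
    """Headline numbers an analyst would read off a daily report."""
    clusters = cluster_by_behavior(records)
    return {
        "infections": len(records),
        "distinct_hashes": len({r["hash"] for r in records}),
        "profiles": len(clusters),
        "top_tld": tld_counts(records).most_common(1)[0][0],
    }


if __name__ == "__main__":
    for key, ids in cluster_by_behavior(SAMPLE_INFECTIONS).items():
        print(f"profile {key}: infections {ids}")
    print("DNS lookups by TLD:", dict(tld_counts(SAMPLE_INFECTIONS)))
    print(summarize(SAMPLE_INFECTIONS))
```

On the constructed input, six infections with five distinct hashes collapse into two behavioral profiles, and ".ru" dominates the lookup tally. The same grouping applied to a real report is what lets a defender write one Snort rule or one DNS block entry per profile instead of one per binary.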