Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Share this Page URL

5. Botnet Defense > Locating and Identifying the Botmaster - Pg. 205

The Botnet Problem Plaintext 1) Bot SSL DG Rogue C&C Server 205 DG: DeleGate 2) Log Plaintext Bot SSL DG1 DG2 SSL Real C&C Server Man-in-the-Middle Figure 8.2: Setups for man-in-the-middle attacks on encrypted C&C channels. The first attack is valuable to determine the authentication information required to join the live botnet: the address of the C&C server, the IRC channel name (if applicable), plus any required passwords. However, it does not allow the observer to see the interaction with the larger botnet, specifically the botmaster. The second attack reveals the full interaction with the botnet, including all botmaster commands, the botmaster password used to control the bots, and possibly the IP addresses of other bot members (depending on the configuration of the C&C server). Figures 8.3­8.5 show the screenshots of the full MITM attack on a