Dissecting Malicious Network Traffic To Identify Botnet Communication

Forensic Focus - Articles

by Swasti Bhushan Deb

Botnets are well-known in the domains of information security, digital forensics and incident response for hosting illegal data, launching DDOS attacks, stealing information, spamming, bitcoin mining, spreading ransomware, launching brute force attacks, managing remote access to connected devices, and even propagating infection to other devices, among other things. Internet Relay Chat (IRC) networks are a popular medium for controlling bot networks. IRC-based bots with unpredictable degrees of sophistication and customized commands have something in common. An IRC bot, when executed in a client machine, connects to IRC server on random higher ports, logs into a definite predefined channel and listens for commands issued by the bot master.

The botnet lifecycle starts with the infection phase where a system is compromised by a customized and preconfigured piece of malware. The connection phase is when the infected system initiates contact on a predefined remote IRC TCP service port for…

View original post 1,095 more words