Johannes B. Ullrich from SANS wrote about a user who made an interesting find in their network (you can read Johannes's note here). In short, the user wrote an IDS signature to look for the NICK and USER commands that signify the start of an IRC session and, lo and behold, found IRC traffic on non-standard ports. This is probably not too surprising given the affinity that bots have both for IRC and for traveling over non-standard ports (although it was certainly a good catch by the user).
However, the important thing to keep in mind is that this is the tip of the iceberg.
In this blog, I talk about how our next-generation firewalls protect against botnets such as Torpig. There are 3 parts to a botnet attack:
1. The user visits a website, which starts a chain reaction for Torpig infection
There are 2 ways in which this can happen: