We are using a ticket tracking system called Eventum to manage botnet tracking for our organization. This tool has proved to be very reliable and robust for our purposes. To gain access to the system, you will first need to create an account on our Eventum system. The first screen you should see is this one:
You will need to select the 'Sign up for an Account' link to start the process.
Make sure that you put in your real information and a valid email address. We will manually validate every request to the system.
And once you type it all in you will see:
At this point you can either hit us up in IRC or wait for one of us to contact you about your access request. If we cannot validate who the real you is, you will not gain access.
First, you'll need to login.
The first screen that will greet you is the statistics page. This page will show you the overall status of all of the tickets we have.
While it might be tempting to select one of the many detail areas of the statistics, you will not get anything back unless one of your tickets is under that category.
There are four areas that should be of most interest to you:
- Stats - the starting page when you login. While not really useful for details, it does give you some idea of what we are dealing with and how well the process is working.
- Internal FAQ - This is where we'll have certain specific information about the system, or to help answer questions about the ticket system itself.
- List Issues - This is where you will be able to see all of the tickets you have access to, which in most cases, will only be the tickets you created.
- Create Issue - And this is the most important section, which is where you will be creating tickets for us to pursue.
There are three different access levels available to each of the users that get an account on the ticket tracking system:
- Reporter - This is the default access level given to a new account. This level only allows users to see the tickets they created, and only the basic information on those tickets is available to them. This minimum access is important to protect the users and ourselves.
- User - The second level allows the user to see the complete list of tickets, but they are only allowed to see the ticket details on any ticket that has not been marked private by a reporter or any other ticket creation process. Access to the detail fields of each ticket is also limited.
- Developer - At the third level, almost complete access is given. A complete ticket list can be seen, but details on a ticket are still limited to those that have not been marked private by a reporter. All the detail fields are available for viewing by this user.
To be elevated to access greater than a Reporter, you will need to enter into more than just a casual relationship with this organization. To request an elevated access send email to botnet<at>shadowserver.org.
Well, hopefully now you are ready to start reporting those little nasties to us. Select Create Issue and you will see something that looks like this:
Yes, that picture was a bit small, but to break it down, here are the fields in greater detail:
- Category - You have four possible selections here: HTTP, IRC, P2P, and Unknown. Most of the time you will be submitting IRC botnets that you have caught one way or another.
- Priority - You can choose how urgent this problem is for you. Of course we reserve the right to change the priority based on our own work schedules. You have a choice of Not Prioritized, Low, Medium, High, Critical. We normally keep most of our tickets set to Medium and only rarely have a High level ticket.
- Summary - This is a short sentence to describe the botnet. We would prefer to see this in the format of server:port:channel, which is our current standard.
- Initial Description - This is your place to add any specific wording that you think will help us with this specific issue. The more information that you can give, the more likely we can take a positive action on the issue you submitted.
- Private - Yes, or No. By setting this to Yes you will prevent any User or Developer access level user from seeing the details of your issue. If you leave it set to No, all the other Reporter level users still will not be able to see your ticket, nor any details about it.
- MD5 Hash(es) - If you have the binary and can get a MD5 hash of that binary, you can put that information here. Please do not add anything except the specific data.
- Bot # - Your estimate on how many bots there might be in this botnet. If you do not know, just leave it blank.
- DNS Name(s) - A list of all the related hostnames separated by whitespace or commas. Not the DNS details, just the list please.
- IP Address(es) - All the IP addresses for this botnet, also separated by either whitespace or commas.
- Server Port - The port that the server is using for the Command and Control (C&C) service.
- ASN - This will be auto-filled later from the system, you can leave it blank.
- GeoLoc - This field will also be filled in later based on the current IP.
- IRC Server Password - Server password. Please do not add anything except the specific data.
- Nickname - The style and format of the nicknames used by the bots.
- Channel Topic - The current topic of the C&C channel.
- Channel Name - The current channel where the botnet resides.
- Channel Password - The key for the channel. Please do not add anything except the specific data.
- User - The user string from the bots.
- User Modes - Any user modes that might be set for the bots.
- CTCP Version Result - Any versioning results from the bots.
- Add Files - If you have the binary, please submit it to us, which will help us analyze what the botnet might be doing.
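Several of the fields above have a strict expected format: the summary as server:port:channel, the DNS and IP lists separated only by whitespace or commas, and the hash, password and key fields holding "nothing except the specific data". The following Python script is an added example, not part of the original page or of Eventum, that assembles a draft ticket from a captured sample and checks those conventions before you paste the values in. The sample binary bytes, hostnames and addresses are constructed placeholders (documentation ranges, not a real botnet), and the field names in the dict are my own labels, not Eventum identifiers.

```python
from __future__ import annotations

import hashlib
import ipaddress
import re

# Constructed stand-in for a captured bot binary; not a real sample.
SAMPLE_BINARY = b"MZ\x90\x00fake-bot-sample-for-illustration-only"

# List fields are whitespace- or comma-separated; any run of either is a separator.
_SEP = re.compile(r"[\s,]+")
# Conservative hostname check: dot-joined labels of letters, digits and hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)
_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)


def split_list(field: str) -> list[str]:
    """Split a free-text list field into clean tokens, dropping empties."""
    return [tok for tok in _SEP.split(field.strip()) if tok]


def md5_of(data: bytes) -> str:
    """Hex MD5 of a binary, the bare value the MD5 Hash(es) field expects."""
    return hashlib.md5(data).hexdigest()


def make_summary(server: str, port: int, channel: str) -> str:
    """Build the server:port:channel summary line."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"{server}:{port}:{channel}"


def parse_summary(summary: str) -> tuple[str, int, str]:
    """Inverse of make_summary; raises ValueError on malformed input."""
    parts = summary.split(":", 2)  # channel names may themselves contain ':'
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"summary must be server:port:channel, got {summary!r}")
    server, port_s, channel = parts
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"bad port in summary: {port_s!r}")
    return server, int(port_s), channel


def check_fields(fields: dict) -> list[str]:
    """Return the problems found in a draft ticket; an empty list means it is clean."""
    problems: list[str] = []
    for ip in split_list(fields.get("ip_addresses", "")):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"not an IP address: {ip!r}")
    for name in split_list(fields.get("dns_names", "")):
        if not _HOSTNAME.match(name):
            problems.append(f"not a hostname (list only, no DNS details): {name!r}")
    # Anything that is not a bare hex digest (notes, source names) is rejected here.
    for h in split_list(fields.get("md5_hashes", "")):
        if not _MD5.match(h):
            problems.append(f"not an MD5 hex digest: {h!r}")
    bots = str(fields.get("bots", ""))
    if bots and not bots.isdigit():
        problems.append(f"bot count must be a plain number or blank: {bots!r}")
    try:
        parse_summary(fields.get("summary", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Draft built from constructed data; every value is a placeholder.
DRAFT = {
    "summary": make_summary("irc.example.net", 6667, "#botz"),
    "md5_hashes": md5_of(SAMPLE_BINARY),
    "dns_names": "irc.example.net, cnc.example.net",
    "ip_addresses": "203.0.113.5 198.51.100.7",
    "bots": "",
}

if __name__ == "__main__":
    for key, value in DRAFT.items():
        print(f"{key}: {value}")
    issues = check_fields(DRAFT)
    print("clean" if not issues else "\n".join(issues))
```

Run it against your own draft before submitting: the checker flags an IP address pasted into the DNS list, a hash followed by a note such as "(from virustotal)", and a bot count like "~500", which are exactly the additions the field descriptions ask you to leave out.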
Then hit Submit and you have created your first ticket:
And now if you wait, you'll be brought to your ticket automatically:
And if you select List Issues you can now see your ticket listed.