Many people in IT will agree that budgets are getting smaller, if you are lucky enough to have some money at this time of the year ;) This post talks about finding infected computers in our networks, without spending lots of money in expensive systems.

There is more and more research that provides lists of C&C servers, for the most common botnets.

As a quick resume:

Signatures for Snort, from Emerging Threats.

Lists of C&C severs for the SpyEye botnet.

Lists of C&C servers for the Zeus botnet.

Making use of this information, we can setup an environment that permits us to quickly detect compromised computers in our network that try to reach the C&C server, making the process of detection and clean-up faster.

A possible setup could be a DNS sinkhole plus some signatures in our IDS (all the traffic redirected by the DNS sinkhole must be worth of attention).  This can be completed with a dedicated web server that permits us to know the URLs that are being used to fetch the malware.

This point of view is interesting because it permits us to gather intelligence instead of just blocking the malware.  This way, we have the opportunity to perform a  malware analysis that will help us to understand how it behaves and, thus, provide a quick way to find/remove it from our computers.