The Confiker Virus.

David W. Hankins David_Hankins at isc.org
Wed Apr 1 12:02:35 CDT 2009


On Wed, Apr 01, 2009 at 10:01:29AM -0600, Jason Iannone wrote:
> What's the virus doing with all of those domain names?

Paul Vixie gave a presentation at the IEPG meeting before IETF 74.  I
don't think the IEPG meeting notes are up yet (they would be very
informative if they were)...I don't pretend to be an expert, but my
understanding based on that presentation is that the DNS is used for
C&C of the botnet.

Its owner only needs one of those domain names to be registered to
give out orders.  If they only used one, it would be relatively easy
to shut them down.  They use so many so that, when the good guys
bust in the door and shut down the C&C domain/hosting, they can just
open up shop somewhere else like nothing happened.

Not entirely unlike terrorist cells.

-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090401/62391c39/attachment.bin>


More information about the NANOG mailing list