where the zombies come from, hide, and finding them [was: How many backbones here ...]
Gadi Evron
ge at linuxbox.org
Thu Dec 2 22:33:47 UTC 2004
> Well, it was a while ago that some Polish guys were openly advertising
> their 465K zombie network - I'd be most surprised if it isn't over 1M by
> now. And remember that hierarchical design is understood in the black
> hat world too. If somebody has 1M bots, it won't be 1M bots in one network,
> it will be several hundred subnets of several thousand bots, and some
> automated way to signal several hundred control nodes to each fire up
> their several thousand bots. So you may already have whacked off a 1%
> chunk of that 1M net several times already and not even realized it....
These guys are used to being on the run, looking for places to stash their
botnets.
IRC networks (which are not scared, and then usually just a few renegade
opers and volunteers) are the ones who fight these networks, hunting
them down in different channels.
Girlbots a year ago used an interesting algorithm to generate random
channel names according to the date and time. These guys are not that
easy to find.
Then there are the virus reversers and network analysts who reverse the
sample or sniff the traffic to see where bots go, and shut that place down.
Controllers/runners just move their bots quickly to a new location, and
even if they lose one army, there are others.
Ever heard of "don't put all your eggs in one basket"?
Regardless, they can always get new ones... and the people fighting them
are in the shadows, not even supported by their own people in many cases.
IRC servers, for example, are very afraid of pissing these kiddies off,
so that they won't DDoS them.
How many times have we seen an IRC DDoS taking down the entire ISP?
There are other ways of controlling armies, but so far IRC has proven
to be the easiest in utilization and in moving quickly.
Any other control mechanism would have to answer two main opposing factors.
The easier it is to control them, the easier it is to take them away
from you. How do you balance the two, if you are a kiddie?
It's a never-ending race.
Think of that in P2P terms, and you will see what I mean.
Exposure vs. ease of control.
Who would go against them when they'd know their ISP would be down the
very next day, though?
There is no easy solution... and as long as AV companies treat Trojan
horses as "garbage" and/or "not worth detecting", this is definitely not
going to change.
Then there is the issue of "open source malware" (not to be confused
with the open source community).
Today, any kid can find many code samples for writing their own Trojan
horses, not to mention support forums online.
Take, for example, the huge increase in malware per month these past few
years.
One of the strains started with sdbot, then ircbot, then agobot, then
phatbot, rbot, whatever bot, korgobots (argh!), etc.
Thousands of different samples, all related - and for most you can find
quite a few versions of their sources online.
It never ends. I am just glad this is getting some attention now.
Gadi Evron.
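The post describes two things an IRC operator hunting botnets can look for: channel names generated from the date and time rather than chosen by a person, and a herd of bots arriving at that channel together. The following is an added example (not from the post, the list, or any named bot family) of a log-side heuristic that flags such channels; the JOIN record format, the sample lines and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed server-side IRC JOIN records; assumed format: "<ISO ts> JOIN <nick>!<user>@<host> <#chan>"
SAMPLE_LOG = """\
2004-12-02T22:00:01 JOIN alice!a@host1 #linux
2004-12-02T22:00:05 JOIN bob!b@host2 #linux
2004-12-02T22:00:07 JOIN x7f3q!x@10.0.0.1 #q8z1k4wv
2004-12-02T22:00:07 JOIN m2k9p!m@10.0.0.2 #q8z1k4wv
2004-12-02T22:00:08 JOIN t5c1n!t@10.0.0.3 #q8z1k4wv
2004-12-02T22:00:08 JOIN r0v6d!r@10.0.0.4 #q8z1k4wv
2004-12-02T22:00:09 JOIN k3j8b!k@10.0.0.5 #q8z1k4wv
2004-12-02T22:00:40 JOIN carol!c@host3 #networking
"""
JOIN_RE = re.compile(r"^(\S+) JOIN \S+ (#\S+)$")

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_generated(channel, min_len=6, min_entropy=2.5, min_digit_frac=0.25):
    """Long, high-entropy names mixing letters and digits resemble time-seeded names."""
    name = channel.lstrip("#&")
    if len(name) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    return (letters > 0 and digits / len(name) >= min_digit_frac
            and shannon_entropy(name) >= min_entropy)

def find_suspect_channels(log_text, window_sec=10, min_joins=5):
    """Return {channel: total joins} for generated-looking channels that received
    at least min_joins JOINs inside any window_sec-second window (a herd arriving)."""
    joins = {}
    for line in log_text.splitlines():
        m = JOIN_RE.match(line.strip())
        if m:
            joins.setdefault(m.group(2), []).append(datetime.fromisoformat(m.group(1)))
    suspects = {}
    for channel, times in joins.items():
        if not looks_generated(channel):
            continue
        times.sort()
        for i in range(len(times) - min_joins + 1):
            if (times[i + min_joins - 1] - times[i]).total_seconds() <= window_sec:
                suspects[channel] = len(times)
                break
    return suspects
```

Human-chosen channels such as #linux or #networking pass through untouched, while the constructed #q8z1k4wv, joined by five clients within two seconds, is the only one returned.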