where the zombies come from, hide, and finding them [was: How many backbones here ...]

Gadi Evron ge at linuxbox.org
Thu Dec 2 22:33:47 UTC 2004


> Well, it was a while ago that some Polish guys were openly advertising
> their 465K zombie network - I'd be most surprised if it isn't over 1M by
> now.  And remember that hierarchical design is understood in the black
> hat world too.  If somebody has 1M bots, it won't be 1M bots in one network,
> it will be several hundred subnets of several thousand bots, and some
> automated way to signal several hundred control nodes to each fire up
> their several thousand bots.  So you may already have whacked off a 1%
> chunk of that 1M net several times already and not even realized it....

These guys are used to being on the run, looking for places to stash their 
botnets.

IRC networks (which are not scared, and then usually just a few renegade 
opers and volunteers) are the ones who fight these networks, hunting 
them down in different channels.

Girlbots a year ago used an interesting algorithm to generate random 
channel names according to the date and time.. these guys are not that 
easy to find.

Then there are the virus reversers and network analysts who reverse the 
sample or sniff the traffic to see where bots go, and shut that place down.

Controllers/runners just move their bots quickly to a new location, and 
even if they lost one army.. there are others.

Ever heard of don't put all your eggs in one basket?

Regardless, they can always get new ones... and the people fighting them 
are in the shadows.. not even supported by their own people in many cases.

IRC servers for example, are very afraid of pissing these kiddies off, 
so that they won't DDoS them.
How many times have we seen an IRC DDoS taking down the entire ISP?

There are other ways of controlling armies.. but so far IRC has proven 
to be the easiest in utilization and in moving quickly.

Any other control mechanism would have to answer two main opposing factors.
The easier it is to control them, the easier it is to take them away 
from you. How do you balance the two, if you are a kiddie?

It's a never ending race.

Think of that in P2P terms, and you will see what I mean.

Exposure vs. ease of control.

Who would go against them when they'd know their ISP would be down the 
very next day, though?

There is no easy solution... and as long as AV companies treat Trojan 
horses as "garbage" and/or "not worth detecting", this is definitely not 
going to change.

Then there is the issue of "open source malware" (not to be confused 
with the open source community).
Today, any kid can find many code samples of writing their own Trojan 
horses, not to mention support forums online.

Take for example the huge increase in malware per month, these past few 
years.

One of the strains started with sdbot.. then ircbot.. then agobot.. then 
phatbot, rbot,  whatever bot, korgobots (argh!) etc.

Thousands of different samples, all related - and for most you can find 
quite a few versions of their sources online.

It never ends.. I am just glad this is getting some attention now.

	Gadi Evron.
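The date-and-time-derived channel names mentioned above are the kind of thing a reverser recovers from a sample and then turns around on the botnet: once the scheme is known, the rendezvous channels for any period can be listed in advance and joins to them spotted in server logs. The following is an added example, not code from the post or from any bot it names; the hashing scheme, the seed and the log format are assumptions, and the log lines are constructed.

```python
import hashlib
from datetime import datetime, timedelta

# Hypothetical scheme (an assumption, not the Girlbots algorithm): the channel
# name is derived from the UTC date and hour, so every bot lands in the same
# channel for that hour without anyone having to tell it where to go.
def channel_for(ts: datetime, seed: bytes = b"example-seed") -> str:
    bucket = ts.strftime("%Y-%m-%d-%H").encode()
    digest = hashlib.sha256(seed + bucket).hexdigest()
    return "#" + digest[:8]

# Defender's side: with the scheme and seed recovered from a sample, the
# channels for any window can be enumerated ahead of time and watched.
def predict_channels(start: datetime, hours: int,
                     seed: bytes = b"example-seed") -> dict:
    return {channel_for(start + timedelta(hours=h), seed): start + timedelta(hours=h)
            for h in range(hours)}

# Constructed IRC server log lines (not real data): "<date> <time> JOIN <nick> <channel>".
SAMPLE_LOG = """\
2004-12-02 21:05:11 JOIN alice #nanog
2004-12-02 21:06:40 JOIN xk9s7 {c1}
2004-12-02 22:00:03 JOIN q2mm1 {c2}
2004-12-02 22:01:17 JOIN bob #linux
""".format(c1=channel_for(datetime(2004, 12, 2, 21)),
           c2=channel_for(datetime(2004, 12, 2, 22)))

def flag_joins(log: str, predicted: dict) -> list:
    """Return (nick, channel) pairs for joins to a predicted rendezvous channel."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "JOIN":
            continue  # skip anything that is not a well-formed JOIN record
        nick, chan = parts[3], parts[4]
        if chan in predicted:
            hits.append((nick, chan))
    return hits

if __name__ == "__main__":
    window = predict_channels(datetime(2004, 12, 2, 20), hours=4)
    for nick, chan in flag_joins(SAMPLE_LOG, window):
        print(f"{nick} joined predicted channel {chan} (slot {window[chan]:%Y-%m-%d %H}:00 UTC)")
```

Shifting the hash input from an hour bucket to a day bucket, or mixing in a per-version seed, is what moves the names out from under a watcher again, which is the never ending race the post describes.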


