short Botnet list and Cashing in on DoS

Gadi Evron ge at linuxbox.org
Thu Oct 7 06:41:45 UTC 2004


Here's a link to a bugtraq post I made a couple of months ago about 
which Trojan horses are used in drone armies today. It is not really 
up-to-date, but it should give you a general idea:
http://seclists.org/lists/bugtraq/2004/Jul/0106.html

And now to your post...

> I've been slowly compiling a list of known botnets should
> anyone care to filter, or check them in your netblocks if someone in your
> range is passing off garbage, etc. Information has been passed on from other
> admins having to deal with these pests. Care to pass on a host that you're
> seeing? I'll post it for others to see as well. Perhaps when I have
> spare time, I may or may not throw up something where admins can check
> and add hosts they're seeing. Don't know if I want my connection getting
> toasted for doing so, but it could be something informative, a la
> spamhaus. Bothaus anyone?
> 
> http://www.infiltrated.net/sdbot-irc-servers.txt

Very interesting. However, in my opinion, half-useless for firewall 
blocking.

These botnets show up daily, with two main factors that never change (I 
don't know if it will really be two, I just learned to say two/three in 
the military about everything):
1. The botnets change daily.
2. The drones composing the botnets change daily.

First, there are quite a few of these out there, and changing where they 
report to or simply getting new ones is extremely easy for people with 
such big botnets.
Second, the drones change their software (i.e. the Trojan horse) quite 
often.
Third, blocking servers won't block the DDoS, it will block your users 
from being able to connect to these servers.
Fourth, most botnets would simply hop to another server when they see one is 
not there. Once they have changed servers, the runners switch their 
permanent server list.
Fifth, they never run out of servers.
Sixth, they are used to running and hiding because there are a few of us 
who hunt them down constantly.

I believe this idea is as good as blocking port 25 at ISPs for 
customers not paying/asking for static addresses and/or mail server 
capabilities, but it is not as efficient, nor do I predict a long life for it.
The reasoning for it being a good idea, despite what I said above, is this: 
not all drones would hop. Runners count on the fact that they can hop 
their botnets to other servers (even though they usually bother with 
contingency plans).

Doing this can cause many problems from users who want to use IRC, and 
considering the users themselves are not yet protected, their machines 
would simply get re-infected and join three other botnets that same day.

Not to mention the fact that the runner would have their IPs saved and 
ready for re-claiming/uploading new data/malware.

That said, it's a good idea because it would mean making the lives of 
the runners a lot more difficult, making sure that in many cases your 
users won't DDoS (just check these IPs to see how many are connected 
from your places), and finally, perhaps, maybe, make runners have to use 
different media to control their botnets - none as efficient or easy as 
IRC to date.

Maintaining the list you suggest is difficult, but I am more than 
interested in how you planned on doing it.

	Gadi Evron.
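The check the message keeps coming back to ("check these IPs to see how many are connected from your places"), written out as an added example that is not part of the original post or of the sdbot-irc-servers.txt list it discusses: take a list of known botnet IRC servers and some flow records for your own netblock, report which of your hosts talked to a listed server, and count hosts per server. The list format (one IP or IP:port per line, with comments), the flow record format, the netblock 192.0.2.0/24 and every address in the samples are constructed assumptions for this example.

```python
"""Find our own hosts that talk to listed botnet IRC servers.

Added example, not from the original thread. The list layout (IP or
IP:port, one per line, '#' comments) and the flow layout below are assumed;
all addresses are documentation ranges (RFC 5737) and are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of a C&C server list. This is NOT the real
# sdbot-irc-servers.txt from the thread.
CNC_LIST = """\
# known sdbot IRC servers (constructed sample)
203.0.113.10:6667
203.0.113.11          # no port given: match any port
198.51.100.7:7000
"""

# Assumed: the address range we are responsible for.
OUR_NETBLOCK = ipaddress.ip_network("192.0.2.0/24")

# Constructed flow records. Assumed format: src_ip src_port dst_ip dst_port proto
FLOWS = """\
192.0.2.15   49152 203.0.113.10  6667 tcp
192.0.2.15   49153 203.0.113.10  6667 tcp
192.0.2.77   51000 198.51.100.7  7000 tcp
192.0.2.200  40000 93.184.216.34  443 tcp
10.0.0.5      3333 203.0.113.11  6667 tcp
192.0.2.77   51001 203.0.113.11  6668 tcp
192.0.2.15   49200 203.0.113.10  6668 tcp
192.0.2.200  40001 203.0.113.11  6667 tcp
"""


def parse_cnc_list(text):
    """Return {cnc_ip: set_of_ports}; an empty set means 'any port'.

    Blank lines and '#' comments are skipped. Malformed entries are ignored
    instead of aborting the run, since these lists are hand-maintained.
    A bare IP entry widens an earlier IP:port entry to 'any port'.
    """
    servers = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, port = line.partition(":")
        try:
            ip = str(ipaddress.ip_address(host))  # normalise the textual form
        except ValueError:
            continue  # not an address at all
        if port and not port.isdigit():
            continue  # garbage port field
        if ip in servers and servers[ip] == set():
            continue  # already 'any port'; nothing can narrow it
        if not port:
            servers[ip] = set()
        else:
            servers.setdefault(ip, set()).add(int(port))
    return servers


def find_drones(flows_text, servers, netblock):
    """Map each host in our netblock to the (cnc_ip, port) endpoints it hit.

    Only sources inside `netblock` are considered: the point is to find the
    infected machines we can actually clean up, not to block the servers.
    """
    drones = defaultdict(set)
    for raw in flows_text.splitlines():
        fields = raw.split()
        if len(fields) < 4:
            continue
        try:
            src = ipaddress.ip_address(fields[0])
            dst = str(ipaddress.ip_address(fields[2]))
            dport = int(fields[3])
        except ValueError:
            continue  # malformed record
        if src not in netblock:
            continue
        ports = servers.get(dst)
        if ports is None:
            continue  # destination not on the list
        if ports and dport not in ports:
            continue  # listed server, but not the listed port
        drones[str(src)].add((dst, dport))
    return dict(drones)


def drones_per_server(drones):
    """Count distinct hosts of ours per listed server."""
    hosts = defaultdict(set)
    for src, endpoints in drones.items():
        for cnc_ip, _ in endpoints:
            hosts[cnc_ip].add(src)
    return {ip: len(h) for ip, h in hosts.items()}


if __name__ == "__main__":
    servers = parse_cnc_list(CNC_LIST)
    drones = find_drones(FLOWS, servers, OUR_NETBLOCK)
    for host in sorted(drones, key=ipaddress.ip_address):
        for cnc_ip, port in sorted(drones[host]):
            print(f"{host} -> {cnc_ip}:{port}")
    for cnc_ip, n in sorted(drones_per_server(drones).items()):
        print(f"{n} host(s) of ours talked to {cnc_ip}")
```

The output is a list of our own infected hosts rather than a firewall rule, which is the side of the check the message argues for: a blocked server gets replaced the next day, while an identified drone can be cleaned and keeps it from joining the next three botnets. Flows whose source is outside the netblock (the 10.0.0.5 record) are deliberately dropped, and a listed server with no port matches on any port, since the drones hop ports as readily as servers.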



More information about the NANOG mailing list