short Botnet list and Cashing in on DoS
Gadi Evron
ge at linuxbox.org
Thu Oct 7 06:41:45 UTC 2004
Here's a link to a bugtraq post I made a couple of months ago, about
what Trojan horses are used in drone armies today. It is not really
up-to-date, but it should give you a general idea:
http://seclists.org/lists/bugtraq/2004/Jul/0106.html
And now to your post...
> I've been slowly compiling a list of known botnets should
> anyone care to filter, or check them in your netblocks if someone in your
> range is passing off garbage, etc. Information has been passed from other
> admins having to deal with these pests. Care to pass on a host that you're
> seeing? I'll post it for others to see as well. Perhaps when I have
> spare time, I may or may not throw up something where admins can check,
> add, hosts they're seeing. Don't know if I want my connection getting
> toasted for doing so, but it could be something informative, a-la
> spamhaus. Bothaus anyone?
>
> http://www.infiltrated.net/sdbot-irc-servers.txt
Very interesting. However, in my opinion, half-useless for firewall
blocking.
These botnets show up daily, with two main factors that never change (I
don't know if it will really be two, I just learned to say two/three in
the military about everything):
1. The botnets change daily.
2. The drones composing the botnets change daily.
First, there are quite a few of these out there, and changing where they
report to or simply getting new ones is extremely easy for people with
such big botnets.
Second, the drones change their software (i.e. the Trojan horse) quite
often.
Third, blocking servers won't block the DDoS, it will block your users
from being able to connect to these servers.
Fourth, most botnets would simply hop a server when they see one is not
there. Once they changed servers, the runners would switch their
permanent server list.
Fifth, they never run out of servers.
Sixth, they are used to running and hiding because there are a few of us
who hunt them down constantly.
I believe this idea is as good as blocking port 25 on ISPs for
customers not paying/asking for static addresses and/or mail server
capabilities, but it is not as efficient, nor do I predict a long life for it.
The reasoning for it being a good idea, despite what I said above, is:
not all drones would hop. Runners count on the fact that they can hop
their botnets to other servers (even though they usually bother with
contingency plans).
Doing this can cause many problems from users who want to use IRC, and
considering the users themselves are not yet protected, their machines
would simply get re-infected and join three other botnets that same day.
Not to mention the fact that the runner would have their IPs saved and
ready for re-claiming/uploading new data/malware.
That said, it's a good idea because it would mean making the lives of
the runners a lot more difficult, making sure that in many cases your
users won't DDoS (just check these IPs to see how many are connected
from your places), and finally, perhaps, maybe, making runners have to use
different media to control their botnets - none as efficient or easy as
IRC to date.
Maintaining the list you suggest is difficult, but I am more than
interested in how you planned on doing it.
Gadi Evron.
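The "check these IPs to see how many are connected from your places" step from the post, as an added example that is not part of the original message or of the list at infiltrated.net: it reads a C&C list in a `host:port  # comment` shape, matches constructed flow records against it, and reports which hosts in your own netblocks talked to a listed server. All addresses are RFC 5737 documentation ranges and the list format, flow format and `OUR_NETBLOCKS` are assumptions for the demo. A hit is a lead to investigate, not proof of infection, for exactly the reasons given above (servers hop, and users legitimately use IRC).

```python
"""Match connection records from our netblocks against a list of known
botnet IRC servers. Added example with constructed data (RFC 5737
addresses); not code from the post or from the linked list."""
import ipaddress
from collections import Counter, defaultdict

# Constructed C&C list. Lines are "ip:port" or bare "ip" (match any port);
# "#" starts a comment. These addresses are hypothetical.
CC_LIST_TEXT = """
# sdbot irc servers (constructed sample, not the real list)
198.51.100.7:6667   # irc.example-cc.invalid
198.51.100.7:7000
203.0.113.44:6667
203.0.113.9         # port unknown, match any port
"""

# Constructed flow records: "timestamp src:sport dst:dport proto"
FLOW_LOG = """\
2004-10-07T06:01:12 192.0.2.15:34001 198.51.100.7:6667 tcp
2004-10-07T06:01:40 192.0.2.15:34002 198.51.100.7:6667 tcp
2004-10-07T06:02:05 192.0.2.77:51234 203.0.113.9:31337 tcp
2004-10-07T06:02:30 192.0.2.200:45000 203.0.113.44:80 tcp
2004-10-07T06:03:00 10.9.8.7:40000 198.51.100.7:6667 tcp
2004-10-07T06:03:10 192.0.2.15:34003 203.0.113.44:6667 tcp
"""

# Assumed: the address space we are responsible for.
OUR_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_cc_list(text):
    """Return {ip: set(ports)}; a value of None means 'any port'."""
    servers = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, port = line.partition(":")
        ipaddress.ip_address(host)  # raises ValueError on a garbage entry
        if not port:
            servers[host] = None  # bare ip: any port counts
        elif servers.get(host, set()) is not None:  # don't narrow an 'any'
            servers.setdefault(host, set()).add(int(port))
    return servers


def parse_flow(line):
    """Split one flow record into (ts, src_ip, sport, dst_ip, dport, proto)."""
    ts, src, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, sip, int(sport), dip, int(dport), proto


def is_ours(ip, netblocks=OUR_NETBLOCKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def find_suspect_hosts(flow_text, servers, netblocks=OUR_NETBLOCKS):
    """Return {internal_ip: Counter({'cc_ip:port': flows})} for flows from
    our netblocks to a listed server on a listed (or any) port."""
    hits = defaultdict(Counter)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, sip, _sport, dip, dport, _proto = parse_flow(line)
        if dip not in servers:
            continue
        ports = servers[dip]
        if ports is not None and dport not in ports:
            continue  # listed host, but not on a port we know it serves
        if not is_ours(sip, netblocks):
            continue  # outside our range: not our machine to clean up
        hits[sip][f"{dip}:{dport}"] += 1
    return dict(hits)


def top_talkers(hits):
    """Internal hosts ranked by total flows to listed servers."""
    totals = [(ip, sum(c.values())) for ip, c in hits.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    found = find_suspect_hosts(FLOW_LOG, parse_cc_list(CC_LIST_TEXT))
    for ip, total in top_talkers(found):
        print(f"{ip}: {total} flow(s) -> {dict(found[ip])}")
```

Feeding it real flow exports means only replacing `FLOW_LOG` with your collector's output in the same four-column shape; the list parser tolerates the comment-and-blank-line style a hand-maintained text file tends to accumulate, and an entry without a port deliberately matches any port, since the post notes runners move servers around.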
More information about the NANOG mailing list