AW: mitigating botnet C&Cs has become useless

Gadi Evron ge at linuxbox.org
Mon Jul 31 17:30:48 UTC 2006


On Mon, 31 Jul 2006, Dean Anderson wrote:
> You are approaching the problem the wrong way. Many failover systems
> work very well when the primary fails entirely--when the salesman pulls
> the plug.  Few work well when the primary doesn't entirely fail, but
> just doesn't work correctly, as is usually the case in the real world.

Such as? How does it apply to the network world?

> Try that approach on the C&Cs: infiltrate and use the C&C to the
> botnets' disadvantage.  Probably, you can cause an "upgrade" to be
> distributed to the infected hosts that doesn't have a secondary control
> channel, but that doesn't overly alert the human bot operators until its
> too late.

Infiltration is intelligence, not network.. uploading a file is illegal
and unethical...

Good solid ideas, but unfortunately failed in the past.

> 
> Of course, Nanog seems not to appreciate my contributions, so I won't be 
> sharing anything else I know about the problem. Good luck.
> 
> 		--Dean
> 
> On Mon, 31 Jul 2006, Gadi Evron wrote:
> 
> > 
> > On Sun, 30 Jul 2006, Gunther Stammwitz wrote:
> > > The really interesting question is when botnets are going to use
> > > p2p-technologies since one wouldn't know how to stop them then.
> > > Please let that never happen....
> > > 
> > 
> > I am not sayin gyou are wrong, or that dynamic channels won't happen far
> > more widely. Currently they are not widely used as they are not
> > needed. Web, IRC, etc. are quite efficient.
> > 
> > That said, there is one problem to solve with every evolved C&C, the more
> > complex it is the easier it is to follow.
> > 
> > 	Gadi.
> > 
> > 
> > 
> 
> -- 
> Av8 Internet   Prepared to pay a premium for better service?
> www.av8.net         faster, more reliable, better service
> 617 344 9000   
> 
> 




More information about the NANOG mailing list