How should ISPs notify customers about Bots (Was Re: DNS Hijacking
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Tue Jul 24 17:52:04 UTC 2007
On Tue, 24 Jul 2007 12:00:40 CDT, Joe Greco said:
> Hardly unexpected. The continuing evolution is likely to be pretty
> scary. Disposables are nice, but the trouble and slowness in seeding
> makes them less valuable. I'm expecting that we'll see
> compartmentalized bots, where each bot has a small number of neighbors,
> a pseudo-scripting command language, extensible communication ABI to
> facilitate the latest in detection avoidance, and some basic logic to
> seed/pick neighbors that aren't local. Build in some strong
> encryption, have them each repeat the encrypted orders to their
> neighbors, and you have a structure that would be exceedingly
> difficult to deal with.
>
> Considering how long ago that sort of model was proposed, it is actually
> remarkable that it doesn't seem to have been perfected by now, and that
> we're still blocking IRC.
Obviously, botnet authors are lazy, and not motivated to do all that work to do
all that extra stuff, when we're still focusing on the *last* generation of
"use a well-known IRC net for C&C" bots, and haven't really address the
*current* "use a hijacked host running a private IRC net" bots yet.
Equally likely - somebody's already written the code, but is waiting for when
it is actually *needed* before deploying. If you're the leading side of an
arms race, tipping your hand regarding the next escalation is usually a bad
idea....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20070724/2d27023a/attachment.sig>
More information about the NANOG
mailing list