How should ISPs notify customers about Bots (Was Re: DNS Hijacking

Stephen Wilcox steve.wilcox at packetrade.com
Tue Jul 24 18:13:08 UTC 2007


On Tue, Jul 24, 2007 at 12:00:40PM -0500, Joe Greco wrote:
> 
> > Yes there are a few bots around still using IRC but a lot of them have
> > moved to other, better things (and there's fun "headless" bots too,
> > hardcoded with instructions and let loose so there's no C&C, no
> > centralized domain or dynamic dns for takedown.. you want to make a
> > change? just release another bot into the wild).
> 
> Hardly unexpected.  The continuing evolution is likely to be pretty 
> scary.  Disposables are nice, but the trouble and slowness in seeding 
> makes them less valuable.  I'm expecting that we'll see 
> compartmentalized bots, where each bot has a small number of neighbors,
> a pseudo-scripting command language, extensible communication ABI to 
> facilitate the latest in detection avoidance, and some basic logic to 
> seed/pick neighbors that aren't local.  Build in some strong 
> encryption, have them each repeat the encrypted orders to their 
> neighbors, and you have a structure that would be exceedingly 
> difficult to deal with.
> 
> Considering how long ago that sort of model was proposed, it is actually
> remarkable that it doesn't seem to have been perfected by now, and that
> we're still blocking IRC.

That's because there is a huge world out there of badly protected hosts just waiting to become bots and a fairly basic set of tactics being deployed to prevent them.

I.e., until globally it is somewhat more difficult to build a botnet, there is no need to develop complicated solutions. The simpler ones are proven, easy to roll out, easy to modify.

It's just supply and demand...

Steve


