How should ISPs notify customers about Bots (Was Re: DNS Hijacking

Raymond L. Corbin rcorbin at hostmysite.com
Tue Jul 24 19:43:35 UTC 2007


> Obviously, botnet authors are lazy, and not motivated to do all that work to do
> all that extra stuff, when we're still focusing on the *last* generation of
> "use a well-known IRC net for C&C" bots, and haven't really addressed the
> *current* "use a hijacked host running a private IRC net" bots yet.


Most 'large' botnets are run off of private IRC servers. Any good IRC
admin would notice when more than 1k 'bots' started joining their
servers. They can look at channel topics and see if it says something
like .scan .advscan etc. There's a whole list of commands the old
RXBot used to do; I'm sure it's more advanced than it was two years ago
when I last used IRC.

http://www.darksun.ws/phatrxbot/rxbot.html

Typically it's the really new kiddies who set up botnets on public IRCD
servers, as the IRC admins don't want the extra traffic caused by the
bots, nor the problems the script kiddies cause. So adding a public
EFNet server to their redirect list wasn't the best idea; however, it's simply a
false positive. These bots are very simple to use, and you can simply
find your better 'bots' by checking the ISP it's from and its uptime.
Take that, then make it download a preconfigured IRCD such as Unreal and
make it run in the background, and you have a private IRCD server to
route your bots to. So it may not be as fruitful if the public IRC
servers are in fact ensuring script kiddies don't live on their
networks, but if they check the packets to see what FQDN they are using
for their botnet, then it wouldn't bother me that they change the DNS to
their own 'cleansing' servers. But in doing this it may lead to false
positives, such as the problem when the EFNet server got blocked.

Just my thoughts...

Raymond Corbin
Support Analyst
HostMySite.com
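The two server-side signals the post describes (a burst of more than 1k joins, and a channel topic carrying bot commands such as .scan or .advscan) as an added detection example; this is not code from the post or from any IRC daemon, and the log line format, channel names and addresses are constructed for the example:

```python
import re
from collections import Counter, defaultdict

# Bot commands the post says show up in channel topics; extend the list as needed.
BOT_TOPIC_RE = re.compile(r"(?:^|\s)\.(?:scan|advscan)\b")
JOIN_BURST_THRESHOLD = 1000  # the post's "more than 1k bots joining" heuristic

# Assumed log line shape: "<date> <time> JOIN|TOPIC #chan [:rest]" (constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ev>JOIN|TOPIC) (?P<chan>#\S+)(?: :(?P<rest>.*))?$"
)

def parse(lines):
    """Yield (timestamp, event, channel, rest) for lines matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ev"), m.group("chan"), m.group("rest") or ""

def flag_channels(lines, join_threshold=JOIN_BURST_THRESHOLD):
    """Return {channel: [reasons]} for channels showing either C&C signal."""
    joins_per_minute = defaultdict(Counter)  # chan -> "YYYY-MM-DD HH:MM" -> joins
    topics = {}
    for ts, ev, chan, rest in parse(lines):
        if ev == "JOIN":
            joins_per_minute[chan][ts[:16]] += 1  # bucket by minute
        elif ev == "TOPIC":
            topics[chan] = rest
    flagged = defaultdict(list)
    for chan, topic in topics.items():
        if BOT_TOPIC_RE.search(topic):
            flagged[chan].append(f"topic carries bot command: {topic!r}")
    for chan, buckets in joins_per_minute.items():
        peak = max(buckets.values())
        if peak > join_threshold:
            flagged[chan].append(f"{peak} joins in one minute")
    return dict(flagged)

# Constructed sample log: one ordinary channel and one channel with both signals.
SAMPLE = [
    "2007-07-24 19:40:01 TOPIC #chat :welcome, be nice",
    "2007-07-24 19:40:02 JOIN #chat :alice!~a@203.0.113.5",
    "2007-07-24 19:40:05 TOPIC #x9 :.advscan",
] + [
    f"2007-07-24 19:40:{6 + i // 100:02d} JOIN #x9 :b{i}!~b@198.51.100.{i % 250}"
    for i in range(1200)
]

if __name__ == "__main__":
    print(flag_channels(SAMPLE))
```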



More information about the NANOG mailing list