[76165] in North American Network Operators' Group


zombies.. again - good! here are some actual facts [was: How many

daemon@ATHENA.MIT.EDU (Gadi Evron)
Thu Dec 2 17:13:07 2004

Date: Fri, 03 Dec 2004 00:19:00 +0200
From: Gadi Evron <ge@linuxbox.org>
To: nanog list <nanog@merit.edu>
In-Reply-To: <20041202213341.GH9324@hesketh.com>
Errors-To: owner-nanog-outgoing@merit.edu


> By all means, enlighten me. All I see from my limited pov is that bots
> are useless if disallowed from sending spam via port 25 outbound, and
> that every day sees hundreds if not thousands, of new bots trying to
> send spam to my users, which suggests that /nothing is being done to
> prevent them from using the available resources/. Convince me otherwise,
> please. I'm all ears.

1. Huge botnets of 25K-200K bots exist, and in vast numbers. They have 
existed for quite a few years now. Only a numbered few are "fighting" them. 
Some of us have been lecturing on this for years and have been completely 
ignored. I am glad I had a small part in making this issue known.

2. Only in these past few months has this become a "buzz". AV companies 
finally lowered their efforts at hyping 99% similar worms and started 
talking about drone armies. Current estimates per botnet are usually 
1K-20K. 8 years ago these numbers might have been current information.

3. They (the zombie program/malware) change and get replaced very often.

4. Each infected machine is part of several such nets, as once a machine 
is pwned...

5. Blocking port 25 (under whatever restrictions) will stop current 
worms and Trojan horses from working (sending spam and themselves). 
Period. Not trying to be a FUSSP, it's just how they work.

6. They (the zombies) could just as easily send out spam using the 
user's own credentials and real account. It won't be as useful as just 
sending out whatever they like... but with the huge amounts of them out 
there, I don't see it (port 25 blocking) solving the problem as a 
whole. It would kill off the current strain of malware, though.

	Gadi Evron.
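Points 5 and 6 above describe two distinct behaviours: a bot that sprays mail directly at remote mail exchangers on port 25 (stopped by an egress block), and a bot that sends through the subscriber's own account on the ISP relay (not stopped by it). The following is an added example, not code from the original post or from NANOG, that models both as an operator might on netflow-style records: an egress verdict for subscriber hosts, a fan-out detector for the direct-to-MX pattern, and a per-host volume detector for relay abuse. The subscriber pool (10.20.0.0/16), the relay address (192.0.2.25), the thresholds and the sample flows are all constructed assumptions.

```python
"""Port-25 egress policy plus two spam-bot detectors over flow records.

Added example. Subscriber pool, relay address, thresholds and traffic are
all constructed for illustration, not taken from any real network.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed: the ISP's dynamic subscriber pool and its own outbound relay.
SUBSCRIBER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ISP_RELAYS = {ipaddress.ip_address("192.0.2.25")}
SMTP, SUBMISSION = 25, 587


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination TCP port


def is_subscriber(ip) -> bool:
    return any(ip in net for net in SUBSCRIBER_NETS)


def egress_verdict(flow: Flow) -> str:
    """Point 5: subscriber hosts may reach port 25 only on the ISP relay.
    Submission (587) stays open so real mail clients keep working."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if not is_subscriber(src):
        return "allow"
    if flow.dport == SMTP and dst not in ISP_RELAYS:
        return "deny"
    return "allow"


def _bucketed(flows, window):
    """Group flows by (source, fixed time window)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.ts // window)].append(f)
    return buckets


def fanout_offenders(flows, window=600, threshold=20):
    """Hosts contacting >= threshold distinct peers on port 25 in one window:
    the direct-to-MX spray of a spam bot. Returns {src: max_distinct_dst}."""
    worst = {}
    for (src, _), bucket in _bucketed(flows, window).items():
        distinct = {f.dst for f in bucket if f.dport == SMTP}
        if len(distinct) >= threshold:
            worst[src] = max(worst.get(src, 0), len(distinct))
    return worst


def relay_volume_offenders(flows, window=600, threshold=100):
    """Point 6: hosts opening >= threshold submission sessions to the ISP relay
    in one window, i.e. a bot using the user's own account, which the port-25
    block alone does not touch. Returns {src: max_sessions}."""
    worst = {}
    for (src, _), bucket in _bucketed(flows, window).items():
        n = sum(1 for f in bucket
                if f.dport == SUBMISSION and ipaddress.ip_address(f.dst) in ISP_RELAYS)
        if n >= threshold:
            worst[src] = max(worst.get(src, 0), n)
    return worst


# Constructed sample traffic (not real log data).
SAMPLE_FLOWS = (
    # 10.20.5.7: a bot spraying 25 distinct mail exchangers on port 25 in under a minute
    [Flow(1000 + i, "10.20.5.7", f"198.51.100.{i}", SMTP) for i in range(25)]
    # 10.20.5.8: a normal user, three messages via the relay on 587
    + [Flow(1100 + i * 10, "10.20.5.8", "192.0.2.25", SUBMISSION) for i in range(3)]
    # 10.20.9.1: a bot abusing the user's own account, 150 relay sessions on 587
    + [Flow(1200 + i, "10.20.9.1", "192.0.2.25", SUBMISSION) for i in range(150)]
    # the relay itself delivering outbound on 25: not a subscriber, not subject to policy
    + [Flow(1300, "192.0.2.25", "203.0.113.10", SMTP)]
)


def summarize(flows=SAMPLE_FLOWS):
    """Apply the policy and both detectors to a flow list."""
    denied = sum(1 for f in flows if egress_verdict(f) == "deny")
    return {
        "denied": denied,
        "fanout": fanout_offenders(flows, window=600, threshold=20),
        "relay_volume": relay_volume_offenders(flows, window=600, threshold=100),
    }


if __name__ == "__main__":
    print(summarize())
```

On the sample traffic the egress policy denies all 25 direct-to-MX connections from 10.20.5.7, and the fan-out detector flags that host; the relay-abusing host 10.20.9.1 passes the egress policy entirely and is only caught by the per-host submission volume check, which is the gap point 6 describes. Thresholds are illustrative and would be tuned per network.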
