[91462] in North American Network Operators' Group
Re: AW: mitigating botnet C&Cs has become useless
daemon@ATHENA.MIT.EDU (Gadi Evron)
Mon Jul 31 13:31:25 2006
Date: Mon, 31 Jul 2006 12:30:48 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
To: Dean Anderson <dean@av8.com>
Cc: Gunther Stammwitz <gstammw@gmx.net>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0607311320340.4429-100000@citation2.av8.net>
Errors-To: owner-nanog@merit.edu
On Mon, 31 Jul 2006, Dean Anderson wrote:
> You are approaching the problem the wrong way. Many failover systems
> work very well when the primary fails entirely--when the salesman pulls
> the plug. Few work well when the primary doesn't entirely fail, but
> just doesn't work correctly, as is usually the case in the real world.
Such as? How does it apply to the network world?
> Try that approach on the C&Cs: infiltrate and use the C&C to the
> botnets' disadvantage. Probably, you can cause an "upgrade" to be
> distributed to the infected hosts that doesn't have a secondary control
> channel, but that doesn't overly alert the human bot operators until it's
> too late.
Infiltration is intelligence, not network... uploading a file is illegal
and unethical...
Good solid ideas, but unfortunately failed in the past.
>
> Of course, Nanog seems not to appreciate my contributions, so I won't be
> sharing anything else I know about the problem. Good luck.
>
> --Dean
>
> On Mon, 31 Jul 2006, Gadi Evron wrote:
>
> >
> > On Sun, 30 Jul 2006, Gunther Stammwitz wrote:
> > > The really interesting question is when botnets are going to use
> > > p2p-technologies since one wouldn't know how to stop them then.
> > > Please let that never happen....
> > >
> >
> > I am not saying you are wrong, or that dynamic channels won't happen far
> > more widely. Currently they are not widely used as they are not
> > needed. Web, IRC, etc. are quite efficient.
> >
> > That said, there is one problem to solve with every evolved C&C, the more
> > complex it is the easier it is to follow.
> >
> > Gadi.
> >
>
> --
> Av8 Internet Prepared to pay a premium for better service?
> www.av8.net faster, more reliable, better service
> 617 344 9000