[98001] in North American Network Operators' Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Jul 23 14:05:07 2007
To: Sean Donelan <sean@donelan.com>
Cc: Joe Greco <jgreco@ns.sol.net>, nanog@merit.edu
In-Reply-To: Your message of "Mon, 23 Jul 2007 11:39:35 EDT."
<Pine.GSO.4.64.0707231134020.21768@clifden.donelan.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 23 Jul 2007 12:52:33 -0400
Errors-To: owner-nanog@merit.edu
On Mon, 23 Jul 2007 11:39:35 EDT, Sean Donelan said:
> messages. The irc.foonet.com server clearly sends several cleaning
> commands used by several well-known, and very old, Bots.
Old and well-known bots. Remember that for a moment, and think "6 month old
antivirus signatures" for a bit....
> service (can't look for help)? Or should the ISP only disrupt the minimum
> number of services needed to clean the Bot?
Is there any indication that the commands actually pushed have a *significant*
chance of actually wiping any resident bots, or is it "That's an old worn-out
magic word" time? It's one thing if 95% of the time, hijacking the connection
and pushing command strings actually cleans a bot up. It's another thing
entirely if it only works 5 or 10% of the time because most of the bots
currently out there are no longer susceptible to that cleaning method.