[98072] in North American Network Operators' Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jul 24 14:44:30 2007
To: Joe Greco <jgreco@ns.sol.net>
Cc: ops.lists@gmail.com (Suresh Ramasubramanian), nanog@merit.edu
In-Reply-To: Your message of "Tue, 24 Jul 2007 12:00:40 CDT." <200707241700.l6OH0eIe080434@aurora.sol.net>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 24 Jul 2007 13:52:04 -0400
Errors-To: owner-nanog@merit.edu
On Tue, 24 Jul 2007 12:00:40 CDT, Joe Greco said:
> Hardly unexpected. The continuing evolution is likely to be pretty
> scary. Disposables are nice, but the trouble and slowness in seeding
> makes them less valuable. I'm expecting that we'll see
> compartmentalized bots, where each bot has a small number of neighbors,
> a pseudo-scripting command language, extensible communication ABI to
> facilitate the latest in detection avoidance, and some basic logic to
> seed/pick neighbors that aren't local. Build in some strong
> encryption, have them each repeat the encrypted orders to their
> neighbors, and you have a structure that would be exceedingly
> difficult to deal with.
>
> Considering how long ago that sort of model was proposed, it is actually
> remarkable that it doesn't seem to have been perfected by now, and that
> we're still blocking IRC.
Obviously, botnet authors are lazy, and not motivated to do all that work to do
all that extra stuff, when we're still focusing on the *last* generation of
"use a well-known IRC net for C&C" bots, and haven't really addressed the
*current* "use a hijacked host running a private IRC net" bots yet.
Equally likely - somebody's already written the code, but is waiting for when
it is actually *needed* before deploying. If you're the leading side of an
arms race, tipping your hand regarding the next escalation is usually a bad
idea....