[98073] in North American Network Operators' Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
daemon@ATHENA.MIT.EDU (Stephen Wilcox)
Tue Jul 24 14:55:15 2007
Date: Tue, 24 Jul 2007 19:13:08 +0100
From: Stephen Wilcox <steve.wilcox@packetrade.com>
To: Joe Greco <jgreco@ns.sol.net>
Cc: Suresh Ramasubramanian <ops.lists@gmail.com>, nanog@merit.edu
In-Reply-To: <200707241700.l6OH0eIe080434@aurora.sol.net>
Errors-To: owner-nanog@merit.edu
On Tue, Jul 24, 2007 at 12:00:40PM -0500, Joe Greco wrote:
>
> > Yes there are a few bots around still using IRC but a lot of them have
> > moved to other, better things (and there's fun "headless" bots too,
> > hardcoded with instructions and let loose so there's no C&C, no
> > centralized domain or dynamic dns for takedown.. you want to make a
> > change? just release another bot into the wild).
>
> Hardly unexpected. The continuing evolution is likely to be pretty
> scary. Disposables are nice, but the trouble and slowness in seeding
> makes them less valuable. I'm expecting that we'll see
> compartmentalized bots, where each bot has a small number of neighbors,
> a pseudo-scripting command language, extensible communication ABI to
> facilitate the latest in detection avoidance, and some basic logic to
> seed/pick neighbors that aren't local. Build in some strong
> encryption, have them each repeat the encrypted orders to their
> neighbors, and you have a structure that would be exceedingly
> difficult to deal with.
>
> Considering how long ago that sort of model was proposed, it is actually
> remarkable that it doesn't seem to have been perfected by now, and that
> we're still blocking IRC.
Thats because there is a huge world out there of badly protected hosts just waiting to become bots and a fairly basic set of tactics being deployed to prevent them.
ie until globally it is somewhat more difficult to build a botnet there is no need to develop complicated solutions. the simpler ones are proven, easy to roll out, easy to modify.
its just supply and demand...
Steve
