Obvious, really.
Posted Tuesday 29th April 2008 00:16 GMT
Not that I would ever write a bot or such, but the innovations described seem quite obvious. It is a surprise that nobody has done these things already.
Posted Tuesday 29th April 2008 00:12 GMT
>"a variable length from seven to 12 characters, followed with one of the domain suffixes: dyndns.org, yi.org, mooo.com, dynserv.com, com, cc or net."
So if those four providers could be persuaded to co-operate, a simple regex match on their server logs could spot it the moment anyone tries to register one of those names.
If the controllers are smart enough to hide their tracks, it won't be possible to track them from that, but it would at least be simple to block them (and not register the domain). Or even to set up fake control servers that answer to those names and tell the bot to disinfect.
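The registration-log check proposed in the comment above, as an added example that is not part of the original thread. It takes the shape quoted from the article (a label of seven to twelve characters followed by one of the four dynamic-DNS suffixes) and runs it over a constructed log; the log format, the placeholder IPs and the lowercase-alphanumeric label alphabet are all assumptions, since the thread does not say what characters the bot draws from. Note that a legitimate name like myhomeserver.dyndns.org matches too, so the second function counts matches per registering IP, which is the stronger signal the comment's "simple regex" on its own does not give.

```python
import re
from collections import Counter

# Suffixes quoted in the thread: the four dynamic-DNS providers the
# commenter proposes should cooperate. Bare "com", "cc" and "net" are far
# too broad to act on at a registrar, so they are deliberately left out.
DYNDNS_SUFFIXES = ("dyndns.org", "yi.org", "mooo.com", "dynserv.com")

# Label length 7-12 comes from the thread. The character class is an
# assumption: the comment does not say which alphabet the bot uses.
_LABEL = r"[a-z0-9]{7,12}"
_SUFFIX_ALT = "|".join(re.escape(s) for s in DYNDNS_SUFFIXES)
NAME_RE = re.compile(rf"^(?P<label>{_LABEL})\.(?P<suffix>{_SUFFIX_ALT})$", re.IGNORECASE)

# Constructed registration-log format (hypothetical; a real provider's log
# will differ): "<iso-timestamp> register <hostname> from <ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) register (?P<host>\S+) from (?P<ip>\S+)$")


def matches_bot_pattern(hostname: str) -> bool:
    """True when a hostname has the shape described in the thread."""
    return NAME_RE.match(hostname) is not None


def scan_registrations(lines):
    """Yield (timestamp, hostname, ip) for registrations matching the pattern."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and matches_bot_pattern(m.group("host")):
            yield m.group("ts"), m.group("host"), m.group("ip")


def top_registrants(lines, threshold=3):
    """IPs that registered at least `threshold` pattern-matching names.
    One matching name proves nothing (ordinary users pick such names too);
    a single source registering many of them is worth a closer look."""
    counts = Counter(ip for _, _, ip in scan_registrations(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
2008-04-29T00:01:02Z register kq7x9mwe.dyndns.org from 203.0.113.5
2008-04-29T00:01:09Z register myhomeserver.dyndns.org from 198.51.100.7
2008-04-29T00:02:11Z register zpl3r8a.mooo.com from 203.0.113.5
2008-04-29T00:02:40Z register abc.yi.org from 192.0.2.9
2008-04-29T00:03:05Z register q8wn2vbd4k.dynserv.com from 203.0.113.5
2008-04-29T00:03:30Z register toolongname1234.yi.org from 192.0.2.9
2008-04-29T00:04:00Z register h7jd92kl.example.net from 192.0.2.9
"""

if __name__ == "__main__":
    for ts, host, ip in scan_registrations(SAMPLE_LOG.splitlines()):
        print(f"{ts} candidate {host} from {ip}")
    print("bulk registrants:", top_registrants(SAMPLE_LOG.splitlines()))
```

Run as-is it lists four candidate names, one of them the legitimate-looking myhomeserver, and reports 203.0.113.5 as the only source that registered three or more of them.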
Posted Tuesday 29th April 2008 09:24 GMT
There is a simple solution to most of this.
Most botnets are used to send spam: the zombied machine connects to whichever server is the MX for a domain and pretends to be another email server relaying a message for one of its users.
So by default ISPs should restrict connections to SMTP servers so end user machines cannot connect to any SMTP servers apart from the ones owned by the ISP.
Your run-of-the-mill AOL, Tiscali, BT customer uses the email address that came with the ISP, so they'd be fine. The rest probably use web-based systems like Gmail/Hotmail etc.
The more tech-savvy of us, who, let's face it, aren't really the big risk when it comes to ending up on a botnet, would of course have some kind of web interface on the ISP so we can permit other SMTP servers, or open it up for all. Please note web interface, not a call centre in India! (Done that once this week already, thanks!)
It's not as if it's a hard thing to spot at ISP level. They spend so much cash and technology mangling P2P, it wouldn't take 10 minutes to spot zombie behaviour; nobody normal initiates over a thousand SMTP connections in a day, for starters. That would be enough to pass on their details to the sales team and send them an internet security package, or at least some advice on protection!
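The two halves of the proposal above, the default-deny SMTP egress rule with a per-customer opt-out and the "over a thousand SMTP connections in a day" heuristic, as an added example that is not from the original thread. The ISP relay addresses, the flow-record format and the sample traffic are all constructed, and counting submission ports 465 and 587 alongside 25 is an assumption this example makes, since the comment only says "SMTP servers".

```python
from collections import Counter

# Constructed placeholder addresses for the ISP's own outbound mail relays.
ISP_SMTP_SERVERS = frozenset({"198.51.100.25", "198.51.100.26"})
# Assumption: treat the submission ports as SMTP as well as port 25.
SMTP_PORTS = frozenset({25, 465, 587})
OPEN = "open"


class SmtpEgressPolicy:
    """Per-customer SMTP egress rules, i.e. the self-service web interface
    the comment asks for. A customer with no entry gets the default:
    only the ISP's own relays are reachable."""

    def __init__(self):
        self._rules = {}  # customer IP -> OPEN, or a set of extra allowed servers

    def permit(self, customer_ip, server_ip):
        """Allow one additional SMTP server for this customer."""
        if self._rules.get(customer_ip) == OPEN:
            return
        self._rules.setdefault(customer_ip, set()).add(server_ip)

    def open_all(self, customer_ip):
        """Customer opts out of the restriction entirely."""
        self._rules[customer_ip] = OPEN

    def allows(self, customer_ip, dst_ip, dst_port):
        if dst_port not in SMTP_PORTS:
            return True           # not mail traffic; outside this policy
        if dst_ip in ISP_SMTP_SERVERS:
            return True           # the ISP's relays are always reachable
        rule = self._rules.get(customer_ip)
        if rule == OPEN:
            return True
        return rule is not None and dst_ip in rule


def parse_flow(line):
    """Constructed flow-record format: '<date> <src_ip> <dst_ip> <dst_port>'."""
    date, src, dst, port = line.split()
    return date, src, dst, int(port)


def smtp_connections_per_day(lines):
    """Count outbound SMTP connection attempts per (date, source IP)."""
    counts = Counter()
    for line in lines:
        date, src, dst, port = parse_flow(line)
        if port in SMTP_PORTS:
            counts[(date, src)] += 1
    return counts


def flag_zombies(lines, threshold=1000):
    """Sources exceeding the thread's 'over a thousand a day' heuristic."""
    return {key for key, n in smtp_connections_per_day(lines).items() if n > threshold}


def build_sample_flows():
    """Constructed flow records: one host spraying port 25 at many
    destinations, one ordinary customer using the ISP relay plus some web."""
    flows = [f"2008-04-29 192.0.2.10 203.0.113.{i % 250} 25" for i in range(1200)]
    flows += [
        "2008-04-29 192.0.2.11 198.51.100.25 25",
        "2008-04-29 192.0.2.11 198.51.100.25 25",
        "2008-04-29 192.0.2.11 203.0.113.80 80",
    ]
    return flows


if __name__ == "__main__":
    policy = SmtpEgressPolicy()
    print("default, ISP relay:", policy.allows("192.0.2.11", "198.51.100.25", 25))
    print("default, third party:", policy.allows("192.0.2.11", "203.0.113.5", 25))
    policy.permit("192.0.2.11", "203.0.113.5")
    print("after opt-in:", policy.allows("192.0.2.11", "203.0.113.5", 25))
    print("flagged:", flag_zombies(build_sample_flows()))
```

The threshold is a count of connection attempts, not delivered messages, so it still fires when the egress policy is already blocking the traffic; that is the point the comment makes about spotting the behaviour and contacting the customer rather than silently dropping it.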
Posted Tuesday 29th April 2008 09:24 GMT
Dunno about bot sheep, but the meat variety we have here in NZ don't try to find their shepherds. The bastards will avoid you if at all possible. I've spent too many afternoons running up and down hills chasing them. If a sheep willingly approaches you, look for signs of foam about the mouth, or a cameraman lurking in the bush filming a sequel to Black Sheep (something I hope is never made).
Posted Tuesday 29th April 2008 11:37 GMT
It's really interesting to follow the evolution of the industry in this domain. The impressiveness of the adaptability and ingenuity of the malware writers is only outdone by the sadness of their quest: to infect even more PCs with spam-sending filth.
It's kind of like meeting a psychopathic serial killer who is on the verge of discovering faster-than-light travel. You know he's good, but you have to kill him anyway.
Pity.
Posted Tuesday 29th April 2008 17:25 GMT
Reply to: Lost sheep and shepherd?
So it's true what they say about people from Wales and New Zealand and sheep!