North American Network Operators Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
On Tue, 24 Jul 2007 12:00:40 CDT, Joe Greco said:

> Hardly unexpected. The continuing evolution is likely to be pretty
> scary. Disposables are nice, but the trouble and slowness in seeding
> makes them less valuable. I'm expecting that we'll see
> compartmentalized bots, where each bot has a small number of neighbors,
> a pseudo-scripting command language, extensible communication ABI to
> facilitate the latest in detection avoidance, and some basic logic to
> seed/pick neighbors that aren't local. Build in some strong
> encryption, have them each repeat the encrypted orders to their
> neighbors, and you have a structure that would be exceedingly
> difficult to deal with.
>
> Considering how long ago that sort of model was proposed, it is actually
> remarkable that it doesn't seem to have been perfected by now, and that
> we're still blocking IRC.

Obviously, botnet authors are lazy, and not motivated to do all that work to do all that extra stuff, when we're still focusing on the *last* generation of "use a well-known IRC net for C&C" bots, and haven't really addressed the *current* "use a hijacked host running a private IRC net" bots yet.

Equally likely - somebody's already written the code, but is waiting for when it is actually *needed* before deploying. If you're the leading side of an arms race, tipping your hand regarding the next escalation is usually a bad idea....