North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: short Botnet list and Cashing in on DoS

  • From: Gadi Evron
  • Date: Thu Oct 07 02:40:13 2004

Here's a link to a bugtraq post I made a couple of months ago, about what Trojan horses are used in drone armies today, it is not really up-to-date, but should give you a general idea:

And now to your post...

I've been slowly compiling a list of known botnets should
anyone care to filter, or check them in your netblocks if someone in your
range is passing off garbage, etc. Information has been passed from others
admins having to deal with these pest. Care to pass on a host that you're
seeing I'll post it for others to see as well. Perhaps when I have
spare time, I may or may not throw up something where admins can check,
add, hosts they're seeing. Don't know if I want my connection getting
toasted for doing so, but it could be something informative, a-la
spamhaus. Bothaus anyone?
Very interesting. However, in my opinion, half-useless for firewall blocking.

These botnets show up daily, with two main factors that never change (I don't know if it will really be two, I just learned to say two/three in the military about everything):
1. The botnets change daily.
2. The drones composing the botnets change daily.

First, there are quite a few of these out there, and changing where they report to or simply getting new ones is extremely easy for people with such big botnets.
Second, the drones change their software (i.e. the Trojan horse) quite often.
Third, blocking servers won't block the DDoS, it will block your users from being able to connect to these servers.
Fourth, most botnets would simply hop a server when they see one is not there. Once they changed servers, the runners would switch their permanent servers list.
Fifth, they never run out of servers.
Sixth, they are used to running and hiding because there are a few of us who hunt them down constantly.

I believe this idea is as good as blocking port 25 on ISP's for customers not paying/asking for static addresses and/or mail server capabilities, but it is not as efficient nor do I predict it a long life.
The reasoning for it being a good idea, despite what I said above is; not all drones would hop. Runners count on the fact that they can hop their botnets to other servers (even though they usually bother with contingency plans).

Doing this can cause many problems from users who want to use IRC, and considering the users themselves are not yet protected, their machines would simply get re-infected and join three other botnets that same day.

Not to mention the fact that the runner would have their IP's saved and ready for re-claiming/uploading new data/malware.

That said, it's a good idea because it would mean making the lives of the runners a lot more difficult, making sure that in many cases your users won't DDoS (just check these IP's to see how many are connected from your places), and finally, perhaps, maybe, make runners have to use different medias to control their botnets - non as efficient or easy as IRC to date.

Maintaining the list you suggest is difficult, but I am more than interested in how you planned on doing it?

Gadi Evron.