virgins...@vfemail.net wrote:
> Yes, but the number of compromised hosts isn't critical - it's the
> number of unique scan queues which is important to evading tarpits.
> If a botnet has 50,000,000 nodes, is vulnerable to tarpitting, and
> scans every IP address on the Internet in exactly the same order, then
> a single tarpit would still save 1/2 the hosts on the Internet from
> ever being probed.
>
> The crucial element is the *order* in which prospective hosts are
> scanned.  Assuming the bot is deterministic, hosts are likely to be
> scanned in the same order by every copy of the bot.
  
From http://www.honeynet.org/node/54:

Most botnets use a topic command like:

   1. ".advscan lsass 200 5 0 -r -s"

The first topic tells the bot to spread further with the help of the LSASS vulnerability. 200 concurrent threads should scan with a delay of 5 seconds for an unlimited time (parameter 0). The scans should be random (parameter -r) and silent (parameter -s), thus avoiding too much traffic due to status reports.

Scans are almost always random nowadays. The bots download their commands from an IRC channel or some other command-and-control channel, so they don't have the same list of addresses to scan as the others. The C&C spreads the address ranges for scans around to reduce visibility to behavioral analysis tools.

There are a number of articles, white papers, research topics available on distributed scanning, address partitioning and management at the C&C end.

Bots are not deterministic. They get new addresses often. They are updated with new payloads and new behaviors. Portions of them are rented out to others who have differing needs (DDOS, spamming, etc.). Their updates often come from varied sources as those channels are fast fluxed and thus change constantly & continually. No two bots are likely to be completely the same. Why would they have them all scan the same addresses or behave in a strictly predictable fashion? Brownian motion provides adequate coverage. Spread the address ranges around to gain greater coverage. Adjust behavior based on success or failure.

Delaying a single mind-controlled foot soldier, or even destroying such a soldier, does not prevent, or even slow, the battle from continuing as the swarm is chaotic. It does not need to be lock-step to accomplish its goals.
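To make the disagreement above concrete, here is a small simulation added to this thread (not code from either poster or from the honeynet paper). It models a toy address space with one tarpit that holds any bot reaching it indefinitely, and compares how much of the space gets probed when every bot uses the same fixed order, a random order per bot (the "-r" behaviour), or C&C-assigned starting offsets. All names and the sizes are constructed for illustration.

```python
import random


def same_order(rng, space, bots, bot_id):
    # Deterministic bot: every copy walks the address space in one fixed sequence.
    return range(space)


def random_order(rng, space, bots, bot_id):
    # Bot running with "-r": each copy draws its own random permutation.
    order = list(range(space))
    rng.shuffle(order)
    return order


def partitioned_order(rng, space, bots, bot_id):
    # C&C hands each bot a different starting offset; the bot wraps around from there.
    start = bot_id * space // bots
    return [(start + i) % space for i in range(space)]


def simulate_coverage(space, bots, tarpit, order_fn, seed=0):
    """Fraction of addresses in [0, space) probed by at least one bot.

    Model (an assumption of this example): a bot probes its list in order and,
    on reaching the tarpit address, is held there and probes nothing further.
    """
    rng = random.Random(seed)
    probed = set()
    for bot_id in range(bots):
        for addr in order_fn(rng, space, bots, bot_id):
            if addr == tarpit:
                break
            probed.add(addr)
    return len(probed) / space


if __name__ == "__main__":
    SPACE, BOTS, TARPIT = 1000, 50, 500   # constructed toy values, not real ranges
    for name, fn in [("same order", same_order),
                     ("random order", random_order),
                     ("partitioned", partitioned_order)]:
        cov = simulate_coverage(SPACE, BOTS, TARPIT, fn)
        print(f"{name:12s} coverage = {cov:.3f}")
```

With the same fixed order the single tarpit shields exactly the half of the space behind it, as the quoted message argues; with per-bot random orders nearly everything is probed, and with offsets the only unprobed addresses are the short stretch just past the tarpit before the next bot's starting point.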

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/