To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Georg Wicherski wrote:
> If you already know the DNS, just force responses to 0.0.0.0 at your DNS
> gateway. Additionally add a Snort rule for these queries that firewalls
> the infected clients totally out. Then tell the owners to manually
> disinfect as `.remove' commands are highly unreliable and the syntax
> varies anyway.
>
>
> Regards,
> Georg 'oxff' Wicherski
To quote an older email:
Dan wrote:
>> Yanno, Most bot code I've seen has a 'kill' or uninstall feature built
>> in.
>>
>> It might be an idea to build a "counter" botnet, that will act in our
>> favor when a botnet is found. We could have a bot infiltrate the
>> existing net, and attempt to issue a number of kill/uninstall commands,
>> so the net will eat itself.
>>
>> *shrug*
Hi Dan. :)

That depends significantly on several issues:

1. Is that command remote? (I.e. requiring a remote connection and a
remove?)
If so, I'd hesitate to do so. Even if it was not illegal, it is indeed
unethical to connect to the remote machine uninvited. Further, your
actions can result in damage to the remote machine.

2. Is this done with a remote kill command?
Same as above, but the bot will re-surface on next re-boot.

3. Is this done by uploading a cleaner?
If that is the case, you may potentially also cause the machine to die. :)

4. Is this done via IRC commands at the C&C?
I have little problem with that, except that it may put you at risk.

All that said, here are a few items to think of:

1. If the remote machine is indeed compromised and insecure, it will
just get re-infected shortly.

2. If that is the case, it is also already probably infected by QUITE A
FEW other beasties and is already a part of other botnets (many other!)

Before I go on with wisdom of old, though, I'd like to hear some
thoughts from fresh people here. :)

I am very much in favor of actively mitigating risks, but there are
costs to any benefits and sometimes the benefits are not worth it, are
extremely short lived or just an illusion.

Gadi.
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
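
The DNS-side containment described in Georg's quoted message (answer the known C&C name with 0.0.0.0 at the gateway, then find the clients that asked for it so they can be isolated and disinfected by hand), as an added example that is not part of the original thread. The host name, client addresses and log lines are constructed, and the log format is a simplified BIND-style query log assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed values for illustration; none of them come from the thread.
CC_NAMES = {"cc.botnet.example"}
SINKHOLE_IP = "0.0.0.0"

# Constructed query-log lines in a simplified BIND-style format.
SAMPLE_LOG = """\
client 10.0.0.23#51514: query: cc.botnet.example IN A +
client 10.0.0.7#40211: query: www.example.org IN A +
client 10.0.0.23#51530: query: CC.Botnet.Example IN A +
client 10.0.0.41#33902: query: irc.cc.botnet.example IN A +
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN \S+")


def is_blocked(qname, blocked=CC_NAMES):
    """True if qname equals a blocked name or is a subdomain of one."""
    q = qname.rstrip(".").lower()  # DNS names are case-insensitive
    return any(q == b or q.endswith("." + b) for b in blocked)


def answer_for(qname, real_lookup):
    """Gateway policy: sinkhole blocked names, resolve everything else."""
    return SINKHOLE_IP if is_blocked(qname) else real_lookup(qname)


def infected_clients(log_text):
    """Map client IP -> number of queries it made for blocked names."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_blocked(m.group("name")):
            hits[m.group("ip")] += 1
    return dict(hits)


def snort_content(name):
    """Wire-format QNAME (length-prefixed labels) as a Snort content string."""
    labels = name.lower().split(".")
    return "".join(f"|{len(l):02x}|{l}" for l in labels) + "|00|"


if __name__ == "__main__":
    for ip, n in sorted(infected_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} queries for sinkholed names -> isolate, disinfect manually")
    print("Snort content match:", snort_content("cc.botnet.example"))
```

The string from `snort_content` is what a Snort rule's `content` option would match in outbound UDP port 53 queries; pair it with `nocase`, since clients may send mixed-case names.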