I know a lot of people smarter than me have thought of these things, but I have been out of the game for a few years...

On 9/5/07, coderman <[EMAIL PROTECTED]> wrote:
> On 9/5/07, Dude VanWinkle <[EMAIL PROTECTED]> wrote:
> > ... Whatever happened to looking at the C&C for
> > incoming connections and ngrepping out the IPs?
>
> the C&C for storm and other advanced botnets has moved into
> distributed hash tables

So most Comcast machines send hash fragments over the web? Or is it just port 443 traffic to legitimate sites? I tried googling but found only theory. If anyone has a good link I would appreciate it. It seems impossible to me that they have no centralized communications, else how would commands be given? Does anyone have some pcap files to share?

> and dns fast flux reached via multiple hops
> (where each hop is monitored upstream as well, to know when to cut and
> run...)

You can use their size against them: you can't personally watch that many machines at once. Or is the cut-and-run programmatic? Because if so, I see a great solution ;-)

> this is actually the most interesting aspect of these modern botnets,
> the decentralized and anonymized control structures pulling the
> strings

I keep thinking that if the bot herder has a way to tell all machines to do something (DDoS, send spam, etc.), we could take advantage of that and tell them to uninstall the malware... after RCE'ing their code.

> more details would be excellent, but seem sparse for some reason.
> (researchers don't want to encourage more adoption of effective
> countermeasures?)
>
> > Is there no programmatic way to use the detection methods in place to
> > generate a list of currently controlled bots?
>
> it would require constantly scanning a large DHT ring (overnet) with a
> fair amount of node churn. perhaps someone is doing this (CAIDA?) but
> it would take a good amount of bandwidth, honeypots, and effort.
>
> and even if they are, they're not publishing the data, and even if
> they did, i bet you money they'd disappear under a DDoS flood within
> hours... :)
>
> best regards,

Thanks for the info!
I have a lot of terms to google!

-JP

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
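The thread mentions DNS fast flux as one of the control structures that makes watching a single C&C address useless. As an added illustration (not code from the list or from either poster), here is the usual offline heuristic for spotting a fast-flux domain from repeated DNS lookups: a low TTL on its own is not enough (CDNs do that too), but a low TTL combined with a large, constantly changing set of A records scattered across many networks is. Assumptions: the lookups are constructed sample data, the /16 prefix stands in for an ASN lookup (no ASN database offline), and the thresholds in `is_fast_flux` are illustrative, not tuned values.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    """One A-record response for `name`, observed at time `ts` (seconds)."""
    name: str
    ts: int
    ttl: int
    addrs: tuple  # IPv4 strings returned in this single answer


def net16(addr: str) -> str:
    """Coarse /16 bucket. Assumption: stands in for an ASN lookup, which
    would need an offline BGP/ASN database; /16 diversity is a rougher proxy."""
    return str(ip_network(f"{addr}/16", strict=False))


def profile(lookups):
    """Aggregate per-domain features across repeated lookups of the same name."""
    by_name = defaultdict(list)
    for lk in lookups:
        by_name[lk.name].append(lk)

    features = {}
    for name, lks in by_name.items():
        lks.sort(key=lambda l: l.ts)
        seen, changes = set(), 0
        for lk in lks:
            fresh = set(lk.addrs) - seen
            if seen and fresh:          # a later answer introduced IPs never seen before
                changes += 1
            seen |= set(lk.addrs)
        features[name] = {
            "lookups": len(lks),
            "distinct_ips": len(seen),
            "distinct_nets": len({net16(a) for a in seen}),
            "min_ttl": min(l.ttl for l in lks),
            # fraction of follow-up lookups that brought in new addresses
            "change_ratio": changes / max(1, len(lks) - 1),
        }
    return features


def is_fast_flux(feat, ttl_max=600, min_ips=8, min_nets=4, min_change=0.5):
    """Illustrative decision rule (thresholds are assumptions, not tuned values).
    All four must hold so that a low-TTL CDN rotating inside a couple of
    networks is not flagged."""
    return (feat["min_ttl"] <= ttl_max
            and feat["distinct_ips"] >= min_ips
            and feat["distinct_nets"] >= min_nets
            and feat["change_ratio"] >= min_change)


def build_sample():
    """Constructed lookups for three domains, six queries each, 10 minutes apart."""
    lookups = []
    # Static corporate site: one address, day-long TTL.
    for i in range(6):
        lookups.append(Lookup("static.example", i * 600, 86400, ("198.51.100.7",)))
    # CDN: short TTL, but rotates through a small pool inside two /16s.
    cdn_pool = ["203.0.113.10", "203.0.113.11", "203.0.113.12",
                "203.0.113.13", "192.0.2.20", "192.0.2.21"]
    for i in range(6):
        addrs = tuple(cdn_pool[(i + k) % len(cdn_pool)] for k in range(3))
        lookups.append(Lookup("cdn.example", i * 600, 60, addrs))
    # Fast flux: every answer is five never-seen addresses from different /16s
    # (10.x.y.z used only as constructed placeholders for compromised hosts).
    for i in range(6):
        addrs = tuple(f"10.{i * 5 + k}.{(k * 17) % 256}.{(i * 31 + k * 7) % 254 + 1}"
                      for k in range(5))
        lookups.append(Lookup("flux.example", i * 600, 300, addrs))
    return lookups


def classify_sample():
    """Run the heuristic over the constructed sample; returns {domain: bool}."""
    return {name: is_fast_flux(f) for name, f in profile(build_sample()).items()}


if __name__ == "__main__":
    for name, feat in profile(build_sample()).items():
        print(name, feat, "FLUX" if is_fast_flux(feat) else "ok")
```

In practice the lookups would come from a passive DNS feed or from repeatedly resolving candidate names (spam URLs, sandbox-extracted domains), and the /16 bucket would be replaced by a real origin-AS lookup; the shape of the features stays the same.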
