On Tue, Jun 15, 2010 at 11:37 PM, Andreas Monitzer <[email protected]> wrote:
> On Jun 15, 2010, at 23:31, Peter Schwindt wrote:
>
>> Martin (of hot-chilli.*) was the first to publicly (on jadmin-ML, about
>> 2 weeks ago) mention a bunch of weird registrations. The accounts to be
>> considered all look nearly the same: A posix timestamp + ("LOP" or
>> "LMC") + server part (i.e. [email protected]). And there
>> were lots of them. Right now I (administering jabber.ccc.de) see about
>> 1k of them on my server.
>
> Maybe I'm stating the obvious here, but this really sounds like a
> virus-originated botnet using XMPP as the control channel.

I am thinking it would be interesting to see some of the content they are sending. I wonder if it would be feasible to set up a 'honeypot' server for them, just for the purpose of observing the traffic and what they are doing - maybe that would let us figure out in more detail what it is and what it does, maybe even its origin.

> Regards,
> Andreas
>

--
viq
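
For server admins who want to count these registrations, here is an added example (not part of the original thread) that flags JIDs matching the pattern Peter describes. It assumes the timestamp digits and the tag are concatenated with no separator, and that the timestamp falls inside a window the admin chooses; the sample JIDs and the `example.org` domain are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed layout: <posix timestamp digits><LOP|LMC>@<server>, no separator.
# Nodeprep case-folds localparts, so the tag is matched case-insensitively.
PATTERN = re.compile(r"^(\d{9,10})(LOP|LMC)@([^/@\s]+)$", re.IGNORECASE)

# Constructed window: 2010-05-01 to 2010-06-16 UTC.
EARLIEST, LATEST = 1272672000, 1276646400

# Constructed sample of registered JIDs.
SAMPLE = [
    "1275350400lop@example.org",   # 2010-06-01
    "1275353999LMC@example.org",   # 2010-06-01
    "1275436800lop@example.org",   # 2010-06-02
    "alice@example.org",           # ordinary account
    "1234567890lop@example.org",   # digits decode to 2009, outside the window
    "1275350400xyz@example.org",   # wrong tag
]

def classify(jid, earliest=EARLIEST, latest=LATEST):
    """Return (tag, utc_day) if the JID fits the pattern, else None."""
    m = PATTERN.match(jid.strip())
    if not m:
        return None
    ts = int(m.group(1))
    # A digit run only counts if it is a plausible timestamp for the wave.
    if not earliest <= ts <= latest:
        return None
    day = datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()
    return m.group(2).upper(), day

def summarize(jids, earliest=EARLIEST, latest=LATEST):
    """Return ({jid: (tag, day)}, Counter of hits per (tag, day))."""
    hits, per_bucket = {}, Counter()
    for jid in jids:
        result = classify(jid, earliest, latest)
        if result:
            hits[jid] = result
            per_bucket[result] += 1
    return hits, per_bucket

if __name__ == "__main__":
    hits, per_bucket = summarize(SAMPLE)
    for (tag, day), n in sorted(per_bucket.items()):
        print(f"{day} {tag}: {n}")
    print(f"{len(hits)} of {len(SAMPLE)} accounts match")
```

Feed it the localpart@domain list exported from the server's user database; the per-day counts show when the registration bursts happened.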
