North American Network Operators Group

Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

On Tue, Jul 24, 2007 at 12:00:40PM -0500, Joe Greco wrote:
>
> > Yes there are a few bots around still using IRC but a lot of them have
> > moved to other, better things (and there's fun "headless" bots too,
> > hardcoded with instructions and let loose so there's no C&C, no
> > centralized domain or dynamic dns for takedown.. you want to make a
> > change? just release another bot into the wild).
>
> Hardly unexpected. The continuing evolution is likely to be pretty
> scary. Disposables are nice, but the trouble and slowness in seeding
> makes them less valuable. I'm expecting that we'll see
> compartmentalized bots, where each bot has a small number of neighbors,
> a pseudo-scripting command language, extensible communication ABI to
> facilitate the latest in detection avoidance, and some basic logic to
> seed/pick neighbors that aren't local. Build in some strong
> encryption, have them each repeat the encrypted orders to their
> neighbors, and you have a structure that would be exceedingly
> difficult to deal with.
>
> Considering how long ago that sort of model was proposed, it is actually
> remarkable that it doesn't seem to have been perfected by now, and that
> we're still blocking IRC.

That's because there is a huge world out there of badly protected hosts just waiting to become bots and a fairly basic set of tactics being deployed to prevent them.

I.e., until globally it is somewhat more difficult to build a botnet there is no need to develop complicated solutions. The simpler ones are proven, easy to roll out, easy to modify.

It's just supply and demand...

Steve