funsec mailing list archives

Re: The Criminal Underground: A Walk on the Dark Side


From: coderman <coderman () gmail com>
Date: Wed, 5 Sep 2007 14:30:32 -0700

On 9/5/07, Dude VanWinkle <dudevanwinkle () gmail com> wrote:
> ... Whatever happened to looking at the C&C for
> incoming connections and ngrepping out the IPs?

the C&C for Storm and other advanced botnets has moved into
distributed hash tables and DNS fast flux reached via multiple hops
(where each hop is monitored upstream as well, to know when to cut and
run...)

this is actually the most interesting aspect of these modern botnets,
the decentralized and anonymized control structures pulling the
strings.

more details would be excellent, but seem sparse for some reason.
(researchers don't want to encourage more adoption of effective
countermeasures?)


> Is there no programmatic way to use the detection methods in place to
> generate a list of currently controlled bots?

it would require constantly scanning a large DHT ring (Overnet) with a
fair amount of node churn. perhaps someone is doing this (CAIDA?) but
it would take a good amount of bandwidth, honeypots, and effort.

and even if they are, they're not publishing the data, and even if
they did, I bet you money they'd disappear under a DDoS flood within
hours... :)

best regards,
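The DNS fast flux mentioned in this reply leaves a footprint on the resolver side that defenders can score without ever touching the C&C. The block below is an added example, not code from the thread or its participants: a heuristic over constructed passive-DNS observations that counts distinct IPs, distinct /16 prefixes and minimum TTL per hostname, with assumed thresholds.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer set from passive DNS (constructed data below)."""
    qname: str
    ttl: int
    answers: tuple

@dataclass(frozen=True)
class FluxReport:
    qname: str
    distinct_ips: int
    distinct_prefixes: int
    min_ttl: int
    churn: float  # share of answers after the first lookup that were unseen IPs
    is_flux: bool

def prefix16(ip):
    """Collapse an IPv4 address to its /16 so scattered hosting stands out."""
    return str(ip_network(f"{ip}/16", strict=False))

def score_flux(obs, ttl_limit=300, ip_threshold=8, prefix_threshold=4):
    """Flag likely fast flux: many IPs across many /16s, all with short TTLs.
    The thresholds are assumed starting points, not measured values."""
    seen, prefixes = set(), set()
    new_answers = total_answers = 0
    for i, o in enumerate(obs):
        for ip in o.answers:
            if i > 0:  # first lookup seeds the set; later lookups measure churn
                total_answers += 1
                new_answers += ip not in seen
            seen.add(ip)
            prefixes.add(prefix16(ip))
    min_ttl = min(o.ttl for o in obs)
    churn = new_answers / total_answers if total_answers else 0.0
    is_flux = (len(seen) >= ip_threshold and len(prefixes) >= prefix_threshold
               and min_ttl <= ttl_limit)
    return FluxReport(obs[0].qname, len(seen), len(prefixes), min_ttl, churn, is_flux)

# Constructed data: a flux-like name hopping across /16s, and a CDN-like name with a short TTL but one /16.
FLUX_OBS = [DnsObservation("update.flux.example", 120, ips) for ips in (
    ("203.0.113.7", "198.51.100.21", "192.0.2.33"),
    ("203.0.113.7", "172.16.44.9", "10.77.1.5"),
    ("10.88.3.3", "172.20.9.9", "192.0.2.33"),
    ("198.51.100.77", "10.77.1.5", "203.0.113.200"),
    ("172.16.44.10", "10.88.3.4", "192.0.2.99"))]
CDN_OBS = [DnsObservation("www.cdn.example", 60, ips) for ips in (("192.0.2.10", "192.0.2.11"),
    ("192.0.2.12", "192.0.2.13"), ("192.0.2.11", "192.0.2.10"), ("192.0.2.13", "192.0.2.12"))]
```

The CDN-like series shows why TTL alone is a poor signal: it is just as short, but the answers never leave a single /16 and stop being novel after the second lookup.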
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.