funsec mailing list archives

'Fast-Flux' Foils Botnet Takedowns


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Mon, 9 Jul 2007 23:29:59 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm very happy to see this issue getting more attention...

Via SecurityFocus.

[snip]

Network security analyst Lawrence Baldwin has helped take down his share of
bot nets, but he worries that those days may largely be over.

Traditional bot nets have used Internet relay chat (IRC) servers to control
each of the compromised PCs, or bots, but the central IRC server is also a
weakness, giving defenders a single server to target and take down. An
increasingly popular technique, known as fast-flux domain name service
(DNS), allows bot nets to use a multitude of servers to hide a key host or
to create a highly-available control network. The result: No single point
of weakness on which defenders can focus their efforts.

Last month, two significant online threats -- the Storm Worm and a recent
MySpace Web virus -- became the latest malicious programs to incorporate
fast-flux hosting into their infrastructure. A recent Storm Worm infection,
for example, connected to a bot net that had more than 2,000 redundant
hosts spread amongst 384 providers in more than 50 countries, said analyst
Baldwin, who is the chief forensics officer for myNetWatchman.com.

[snip]

More:
http://www.securityfocus.com/news/11473

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)

wj8DBQFGksTwq1pz9mNUZTMRAm39AJwPeo6t5Sqk0SqaKVIs/EUIwV02uACgqE80
fjAWLuCN/cF/IT8vdGgEJfs=
=ev1U
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
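The article excerpt above describes what makes fast-flux hard to take down: one hostname resolves, lookup after lookup, to a churning pool of compromised hosts scattered across many providers and countries, with no single server to seize. The same property is what gives defenders a detection handle. The following is an added example, not code from the original post, the SecurityFocus article or myNetWatchman: a small heuristic classifier that aggregates successive DNS answers for a hostname and flags names whose answers churn through many addresses in many unrelated networks with short TTLs. The sample lookups are constructed from RFC 5737 documentation ranges and describe no real infrastructure; the /24 prefix is assumed here as a crude stand-in for provider or ASN diversity, which in practice would come from an external IP-to-ASN lookup, and the thresholds are illustrative rather than tuned values.

```python
"""Fast-flux heuristic over a series of DNS answers (added example).

A fast-flux name is characterised by (1) many distinct answer addresses
over time, (2) those addresses spread across many unrelated networks
(the article's Storm example: 384 providers in 50+ countries), (3) short
TTLs so the rotation takes effect quickly, and (4) high churn between
successive lookups.  A round-robin CDN shares (1), (3) and (4) but not (2),
which is why network diversity is the discriminating signal.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample observations: (hostname, ttl_seconds, answer IPs) from
# successive lookups of the same names.  RFC 5737 documentation addresses;
# nothing here refers to a real host or network.
SAMPLE_LOOKUPS = [
    ("flux.example", 300, ["203.0.113.5", "198.51.100.7", "192.0.2.9"]),
    ("flux.example", 300, ["203.0.113.77", "198.51.100.120", "192.0.2.200"]),
    ("flux.example", 300, ["203.0.113.130", "198.51.100.3", "192.0.2.44"]),
    ("static.example", 86400, ["198.51.100.50"]),
    ("static.example", 86400, ["198.51.100.50"]),
    # Legitimate round-robin pool: low TTL and churn, but one network.
    ("cdn.example", 60, ["198.51.100.10", "198.51.100.11"]),
    ("cdn.example", 60, ["198.51.100.12", "198.51.100.13"]),
]


def prefix24(ip):
    """Return the /24 containing an IPv4 address.

    Assumed stand-in for provider/ASN diversity; a real deployment would
    map each address to its origin AS instead.
    """
    return str(ip_network(f"{ip}/24", strict=False))


def summarize(lookups):
    """Aggregate per-hostname statistics across all observations."""
    by_host = defaultdict(list)
    for host, ttl, ips in lookups:
        by_host[host].append((ttl, set(ips)))

    stats = {}
    for host, obs in by_host.items():
        all_ips = set().union(*(ips for _, ips in obs))
        prefixes = {prefix24(ip) for ip in all_ips}
        min_ttl = min(ttl for ttl, _ in obs)

        # Churn: fraction of answers in each lookup that were absent from
        # the immediately preceding lookup for the same name.
        changed = total = 0
        for (_, prev), (_, cur) in zip(obs, obs[1:]):
            changed += len(cur - prev)
            total += len(cur)
        churn = changed / total if total else 0.0

        stats[host] = {
            "distinct_ips": len(all_ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl,
            "churn": churn,
        }
    return stats


def is_fast_flux(s, min_ips=5, min_prefixes=3, max_ttl=300, min_churn=0.5):
    """Illustrative thresholds; all four conditions must hold."""
    return (
        s["distinct_ips"] >= min_ips
        and s["distinct_prefixes"] >= min_prefixes
        and s["min_ttl"] <= max_ttl
        and s["churn"] >= min_churn
    )


def classify(lookups):
    """Map each observed hostname to True if it looks fast-fluxed."""
    return {host: is_fast_flux(s) for host, s in summarize(lookups).items()}


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_LOOKUPS).items():
        print(f"{host:16} {s}  fast_flux={is_fast_flux(s)}")
```

With the constructed sample, flux.example is flagged (nine addresses in three /24s, churn 1.0, TTL 300), static.example is not, and cdn.example is not despite its 60-second TTL and full churn, because every address sits in one network. The weakness of this approach is the same one the article hints at: a single lookup tells you nothing, so the collector has to re-query each suspect name repeatedly over time, and a prefix-based proxy will undercount diversity for a botnet spread across many small providers that happen to share address space.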

