Re: AW: mitigating botnet C&Cs has become useless

[Gadi Evron <ge () linuxbox org>]

On Mon, 31 Jul 2006, Dean Anderson wrote:
> You are approaching the problem the wrong way. Many failover systems
> work very well when the primary fails entirely--when the salesman pulls
> the plug.  Few work well when the primary doesn't entirely fail, but
> just doesn't work correctly, as is usually the case in the real world.

Such as? How does it apply to the network world?

> Try that approach on the C&Cs: infiltrate and use the C&C to the
> botnets' disadvantage.  Probably, you can cause an "upgrade" to be
> distributed to the infected hosts that doesn't have a secondary control
> channel, but that doesn't overly alert the human bot operators until its
> too late.

Infiltration is intelligence, not network.. uploading a file is illegal
and unethical...

Good solid ideas, but unfortunately failed in the past.

> Of course, Nanog seems not to appreciate my contributions, so I won't be 
> sharing anything else I know about the problem. Good luck.
>
>               --Dean
>
> On Mon, 31 Jul 2006, Gadi Evron wrote:
>
> > On Sun, 30 Jul 2006, Gunther Stammwitz wrote:
> > > The really interesting question is when botnets are going to use
> > > p2p-technologies since one wouldn't know how to stop them then.
> > > Please let that never happen....
> >
> > I am not sayin gyou are wrong, or that dynamic channels won't happen far
> > more widely. Currently they are not widely used as they are not
> > needed. Web, IRC, etc. are quite efficient.
> >
> > That said, there is one problem to solve with every evolved C&C, the more
> > complex it is the easier it is to follow.
> >
> >     Gadi.
>
> -- 
> Av8 Internet   Prepared to pay a premium for better service?
> www.av8.net         faster, more reliable, better service
> 617 344 9000