Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking )

["Chris L. Morrow" <christopher.morrow () verizonbusiness com>]

On Tue, 24 Jul 2007, Paul Ferguson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -- Christopher Morrow <christopher.morrow () verizonbusiness com> wrote:
>
> > I'd love to see CPE dsl/cable-modem providers integrate with a 'service'
> > that lists out 'bad' things. it'd be nice if the user could even tailor
> > that list (just C&C or C&C + child-porn or C&C older not than X
> > days/hours/minutes) ... I think it might even help, and be vendor
> > > agnostic (from a provide and hardware) perspective.
>
> Ironically, that is exactly part of a product announcement that
> we (Trend Micro) are making on 30 July.

neat, if only our marketting folks would see such benefits :( good for
you! :)

> Since this topic arose, I saw Trend mentioned as a possible
> product "culprit" in this scenario, but it isn't. Yet. :-)

not a culprit so much as a way that this sort of dns redirection could
have been done, in a vendor supplied/supported device even.

> The particular service to be announced on Monday (BIS, or Botnet
> Identification Service), is nothing more than a BGP feed of _known_
> and _vetted_ botnet C&Cs as /32s, intended to be a black-hole feed.
>
> Interested folks should either e-mail me off-list, or just wait for
> the official announcement on 30 July.

note that this will take out vhost systems... unless they are vetted off
the list, which is certainly possible of course.