Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

[Valdis.Kletnieks () vt edu]

On Tue, 24 Jul 2007 12:00:40 CDT, Joe Greco said:

> Hardly unexpected.  The continuing evolution is likely to be pretty 
> scary.  Disposables are nice, but the trouble and slowness in seeding 
> makes them less valuable.  I'm expecting that we'll see 
> compartmentalized bots, where each bot has a small number of neighbors,
> a pseudo-scripting command language, extensible communication ABI to 
> facilitate the latest in detection avoidance, and some basic logic to 
> seed/pick neighbors that aren't local.  Build in some strong 
> encryption, have them each repeat the encrypted orders to their 
> neighbors, and you have a structure that would be exceedingly 
> difficult to deal with.
>
> Considering how long ago that sort of model was proposed, it is actually
> remarkable that it doesn't seem to have been perfected by now, and that
> we're still blocking IRC.

Obviously, botnet authors are lazy, and not motivated to do all that work to do
all that extra stuff, when we're still focusing on the *last* generation of
"use a well-known IRC net for C&C" bots, and haven't really address the
*current* "use a hijacked host running a private IRC net" bots yet.

Equally likely - somebody's already written the code, but is waiting for when
it is actually *needed* before deploying.  If you're the leading side of an
arms race, tipping your hand regarding the next escalation is usually a bad
idea....

Attachment: _bin
Description: