How should ISPs notify customers about Bots (Was Re: DNS Hijacking)

So how do you connect to the real IRC server, then? Remember that most
end users are not nslookup-wielding shell commandos who can figure out
whois and look up the IP.

If those users are so technically unsophisticated, do you really expect
the other users with infected computers to figure out how to disinfect
their computer and remove the Bots instead?

I would imagine that if we're talking about "unsophisticated" users,
the majority of them have no idea what IRC is anyway -- most of them
are using AIM, or Yahoo! IM, or....

- - ferg

I would imagine that if we're talking about "unsophisticated" users,
the majority of them have no idea what IRC is anyway -- most of them
are using AIM, or Yahoo! IM, or....

  Quite true. I do know of a small fraction, however, that, when Yahoo
stopped supporting the chats for their groups, went over to a Java
IRC client. Granted, they still don't know that it's IRC, but they'll still
end up running into something totally unexplained.

      Tuc/TBOH

and the symptom TODAY is 'irc', but in reality if cox spoke up I'd bet
they are doing this with much more than just this one irc server (or set
of irc servers)...

So, to back this up and get off the original complaint, if a service
provider can protect a large portion of their customer base with some
decent intelligence gathering and security policy implementation, is that a
good thing? Keeping in mind that in this implementation users who know
enough and are willing to forgo that 'protection' (for some value of
protection) can certainly circumvent/avoid it.

It's perfectly plausible that cox implemented some trend-micro-like (or
maybe trend micro actual) device to do this work for them... just to pick
on one vendor of solutions in this space.

-Chris

Joe St Sauver covers some of these topics.

http://www.uoregon.edu/~joe/zombies.pdf

Should ISPs attempt to block Bot Command and Control connections (which is more general than just IRC C&C Bots), assuming ISPs try to avoid "legitimate" servers although mistakes might happen?

Right. Let us get to best practices rather than debating ethics.

So how would you keep your network clean of infected PCs?

* Gather information (log parsers, darknet / honeynet traffic
monitoring, feeds from XBL type blocklists)

* Redirect "common" bot-abused services like IRC by default, either
across your network or on whatever part of your network you see bot
activity as evidenced from darknet etc. observation (and run the risk
that right after you get that IP information, the infected XP box on
that IP is replaced not by another XP box but by a fully loaded geek
install of FreeBSD, rather than by an infected Win2k box, a patched
Vista etc.)

* Walled-garden-type outbound IDS to quarantine an IP completely when
malware activity is noted. Yes, IRC bots aren't the only kind of bots
- those are positively old fashioned; yes, there can be multiple
malware on a single PC; yes, port 25 blocking to stop bots is treating
lung cancer with cough syrup (tip of the hat to Joe St. Sauver) ..

etc etc etc. A good BCP would be a nice thing to have around.

srs
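The three bullets above (gather evidence, redirect IRC where bot activity is seen, quarantine on confirmed malware activity) describe one correlation pipeline. The following is an added example, not code from the thread or from any ISP named in it: it reads constructed flow-log records, labels each customer flow as a darknet hit, a contact with a listed C&C endpoint, or plain IRC use, folds in a hypothetical XBL-style listing, and maps the per-IP evidence set to an action. The customer range, darknet range, C&C feed entries, sample flows and the MAX_AGE expiry (which addresses the "box behind the IP got replaced" caveat by dropping old evidence) are all assumptions made for the example.

```python
"""Added example (not from the thread): correlate per-customer bot evidence
from constructed flow logs, a darknet range and a C&C feed, then pick an
action: do nothing, redirect IRC for that IP, or walled-garden quarantine."""
import ipaddress
from collections import defaultdict

# Assumptions, all hypothetical: customer space, the ISP's darknet (unused
# space nothing legitimate should talk to), a C&C feed of (ip, port) pairs
# and an XBL-style list of customer IPs recently seen spamming.
CUSTOMER_NET = ipaddress.ip_network("10.0.0.0/16")
DARKNET = ipaddress.ip_network("192.0.2.0/24")
CNC_FEED = {("198.51.100.7", 6667), ("203.0.113.9", 80)}
XBL_LISTED = {"10.0.3.3"}

IRC_PORTS = {6667}          # "commonly bot-abused" service to redirect
MAX_AGE = 3600              # seconds; older evidence is dropped (IPs get reassigned)


def parse_flow(line):
    """Parse a constructed flow record: 'epoch src sport dst dport proto'."""
    ts, src, sport, dst, dport, proto = line.split()
    return int(ts), src, int(sport), dst, int(dport), proto


def classify_flow(src, dst, dport):
    """Label the evidence a single flow contributes, or None."""
    if ipaddress.ip_address(src) not in CUSTOMER_NET:
        return None                      # only our customers are candidates
    if ipaddress.ip_address(dst) in DARKNET:
        return "darknet"                 # scanning / worm propagation
    if (dst, dport) in CNC_FEED:
        return "cnc"                     # talks to a listed C&C server
    if dport in IRC_PORTS:
        return "irc"                     # plain IRC use: not evidence on its own
    return None


def decide(evidence):
    """Map the set of evidence labels for one IP to an action."""
    strong = evidence - {"irc"}
    if "cnc" in strong or len(strong) >= 2:
        return "quarantine"              # walled garden, outbound blocked
    if strong:
        return "redirect-irc"            # sinkhole IRC for this IP, keep watching
    return "none"


def assess(flow_lines, now, xbl_listed=XBL_LISTED, max_age=MAX_AGE):
    """Return {customer_ip: action} from flow records plus blocklist feed."""
    evidence = defaultdict(set)
    for line in flow_lines:
        ts, src, _, dst, dport, _ = parse_flow(line)
        if now - ts > max_age:
            continue                     # stale: the box behind this IP may have changed
        label = classify_flow(src, dst, dport)
        if label:
            evidence[src].add(label)
    for ip in xbl_listed:
        if ipaddress.ip_address(ip) in CUSTOMER_NET:
            evidence[ip].add("xbl")
    return {ip: decide(ev) for ip, ev in sorted(evidence.items())}


# Constructed sample flows; NOW is the evaluation time.
NOW = 10000
SAMPLE_FLOWS = [
    "9900 10.0.1.1 51000 198.51.100.7 6667 tcp",   # customer on listed IRC C&C
    "9910 10.0.2.2 40001 192.0.2.15 445 tcp",      # darknet hit
    "9911 10.0.2.2 40002 192.0.2.16 445 tcp",      # same kind of evidence again
    "9920 10.0.3.3 33000 192.0.2.200 135 tcp",     # darknet hit, also XBL-listed
    "9930 10.0.4.4 52000 198.51.100.20 6667 tcp",  # ordinary IRC, not on the feed
    "9940 172.16.0.5 1234 192.0.2.1 80 tcp",       # not a customer: ignored
    "100 10.0.5.5 45000 192.0.2.3 445 tcp",        # stale darknet hit: expired
]

if __name__ == "__main__":
    for ip, action in assess(SAMPLE_FLOWS, NOW).items():
        print(f"{ip:12} {action}")
```

Two design points follow the thread's own caveats: a single kind of evidence (one darknet hit, one blocklist listing) only earns the IRC redirect, while direct contact with a listed C&C endpoint or two independent kinds of evidence triggers the walled garden; and evidence is aged out so that a host that took over a reassigned IP is not quarantined for its predecessor's infection. Plain use of port 6667 is deliberately not evidence, since most IRC traffic is not bot traffic.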