How should ISPs notify customers about Bots (Was Re: DNS Hijacking

> The problem is isolating the traffic in question. Since you DO NOT HAVE
> GIGABITS OF TRAFFIC destined for IRC servers, this becomes a Networking
> 101-style question. A /32 host route is going to be effective.
> Manipulating DNS is definitely the less desirable method, because it has
> the potential for breaking more things. But, hey, it can be done, and
> with an amount of effort that isn't substantially different from the
> amount of work Cox would have had to do to accomplish what they did.

> Yup - though I still don't see much point in special-casing IRC.

This is probably true. However, in this case, apparently Cox felt there
was some benefit to tackling this class of bot.

My guess would have been that they were abandoned, and as such, there
wouldn't have been much point to doing this. However, maybe that wasn't
the case.

> It would probably be much more cost effective in the long run to have
> something rather more comprehensive.

Sure, but that actually *is* more difficult. It isn't just a technical
solution. It has to involve actual ongoing analysis of botnets, and how
they operate, plus technical countermeasures. Are there ISPs who are
willing to devote resources to that?

> Yes there are a few bots around still using IRC but a lot of them have
> moved to other, better things (and there are fun "headless" bots too,
> hardcoded with instructions and let loose so there's no C&C, no
> centralized domain or dynamic DNS for takedown.. you want to make a
> change? just release another bot into the wild).

Hardly unexpected. The continuing evolution is likely to be pretty
scary. Disposables are nice, but the trouble and slowness in seeding
makes them less valuable. I'm expecting that we'll see
compartmentalized bots, where each bot has a small number of neighbors,
a pseudo-scripting command language, extensible communication ABI to
facilitate the latest in detection avoidance, and some basic logic to
seed/pick neighbors that aren't local. Build in some strong
encryption, have them each repeat the encrypted orders to their
neighbors, and you have a structure that would be exceedingly
difficult to deal with.

Considering how long ago that sort of model was proposed, it is actually
remarkable that it doesn't seem to have been perfected by now, and that
we're still blocking IRC.

... JG

Obviously, botnet authors are lazy, and not motivated to do all that work to do
all that extra stuff, when we're still focusing on the *last* generation of
"use a well-known IRC net for C&C" bots, and haven't really addressed the
*current* "use a hijacked host running a private IRC net" bots yet.

Equally likely - somebody's already written the code, but is waiting for when
it is actually *needed* before deploying. If you're the leading side of an
arms race, tipping your hand regarding the next escalation is usually a bad
idea....

That's because there is a huge world out there of badly protected hosts just waiting to become bots, and a fairly basic set of tactics being deployed to prevent them.

I.e., until it is somewhat more difficult globally to build a botnet, there is no need to develop complicated solutions. The simpler ones are proven, easy to roll out, easy to modify.

It's just supply and demand...

Steve

> Obviously, botnet authors are lazy, and not motivated to do all that work to do
> all that extra stuff, when we're still focusing on the *last* generation of
> "use a well-known IRC net for C&C" bots, and haven't really addressed the
> *current* "use a hijacked host running a private IRC net" bots yet.

Most 'large' botnets are run off of private IRC servers. Any good IRC
admin would notice when more than 1k 'bots' started joining their
servers. They can look at channel topics and see if it says something
like .scan .advscan etc etc. There's a whole list of commands the old
RXBot used to do; I'm sure it's more advanced than it was two years ago
when I last used IRC.

http://www.darksun.ws/phatrxbot/rxbot.html

Typically it's the really new kiddies who set up botnets on public IRCD
servers, as the IRC admins don't want the extra traffic caused by the
bots, nor the problems the script kiddies cause. So adding a public
EFNet server to their redirect list wasn't the best idea; however, it's simply a
false positive. These bots are very simple to use, and you can simply
find your better 'bots' by checking the ISP they're from and their uptime.
Take that, then make it download a preconfigured IRCD such as Unreal and
make it run in the background, and you have a private IRCD server to
route your bots to. So it may not be as fruitful if the public IRC
servers are in fact ensuring script kiddies don't live on their
networks, but if they check the packets to see what FQDN they are using
for their botnet, then it wouldn't bother me that they change the DNS to
their own 'cleansing' servers. But in doing this it may lead to false
positives such as the problem when the EFNet server got blocked.

Just my thoughts...

Raymond Corbin
Support Analyst
HostMySite.com
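As an added example (not part of this thread, and not code from any of the posters), the two checks Raymond describes above, a burst of JOINs from many distinct hosts and a channel topic carrying dot-prefixed bot commands such as .advscan, implemented as a small analyzer run over a constructed IRC server log. The log line format, the channel and host names, the thresholds and the command list are all assumptions made for the example.

```python
"""Flag IRC channels that look like botnet C&C from a server's event log.

Added example, not from the thread. Implements the two heuristics an IRC
admin is said to rely on: (1) an unusual burst of JOINs from many distinct
hosts into one channel and (2) a channel topic that reads like bot orders
(RXBot-style dot commands such as .scan / .advscan). Log format, thresholds
and the command list are assumptions, not any real ircd's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <JOIN|TOPIC> <nick>!<user>@<host> <#channel> [:text]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<event>JOIN|TOPIC) "
    r"(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) "
    r"(?P<chan>#\S+)"
    r"(?: :(?P<text>.*))?$"
)

# Dot-prefixed verbs commonly seen in old RXBot-family topics (assumed list;
# extend from real samples). Lookbehind keeps "Welcome." etc. from matching.
BOT_CMD_RE = re.compile(
    r"(?<!\S)\.(?:scan|advscan|ntscan|ddos|syn|udp|download|update|login)\b",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not JOIN/TOPIC."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def parse_log(lines):
    return [e for e in (parse_line(line) for line in lines) if e]


def suspicious_topics(events):
    """{channel: topic} for TOPIC events whose text contains bot command syntax."""
    hits = {}
    for e in events:
        if e["event"] == "TOPIC" and e["text"] and BOT_CMD_RE.search(e["text"]):
            hits[e["chan"]] = e["text"]
    return hits


def join_bursts(events, window=timedelta(seconds=60), min_joins=50, min_hosts=40):
    """{channel: peak distinct hosts} for channels where, within any sliding
    `window`, at least `min_joins` JOINs arrived from at least `min_hosts`
    distinct hosts. Distinct hosts matter: one flapping client reconnecting
    is noise, fifty different hosts piling in together is a botnet."""
    per_chan = defaultdict(list)
    for e in events:
        if e["event"] == "JOIN":
            per_chan[e["chan"]].append(e)

    flagged = {}
    for chan, joins in per_chan.items():
        joins.sort(key=lambda e: e["ts"])
        win = deque()
        for e in joins:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            hosts = {x["host"] for x in win}
            if len(win) >= min_joins and len(hosts) >= min_hosts:
                flagged[chan] = max(flagged.get(chan, 0), len(hosts))
    return flagged


def report(lines):
    events = parse_log(lines)
    return {"bursts": join_bursts(events), "topics": suspicious_topics(events)}


def constructed_log():
    """Constructed sample: 60 bots join #r00t in 30 seconds and get an
    .advscan order; #linux sees five normal joins over an hour."""
    base = datetime(2007, 10, 24, 3, 15, 0)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=i // 2)).isoformat(timespec="seconds")
        lines.append(f"{ts} JOIN [USA|{i:03d}]!x@bot{i}.example.net #r00t")
    ts = (base + timedelta(seconds=31)).isoformat(timespec="seconds")
    lines.append(f"{ts} TOPIC h4x!op@10.0.0.1 #r00t :.advscan lsass 200 5 0 -r -s")
    for i in range(5):
        ts = (base + timedelta(minutes=10 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} JOIN user{i}!u@host{i}.example.org #linux")
    lines.append(f"{base.isoformat(timespec='seconds')} TOPIC op!o@host9.example.org "
                 "#linux :Welcome. Please read the FAQ before asking.")
    return lines


if __name__ == "__main__":
    print(report(constructed_log()))
```

The thresholds are deliberately conservative for a public network (Raymond's "more than 1k" is a far louder signal); on a small private ircd they can be lowered. The topic check is the cheaper and more specific of the two, since a benign channel has no reason to carry ".advscan" in its topic, while a join burst alone also fires on a netsplit rejoin, so in practice the two are best reported together.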