On 10/31/06, Greg Martin <gregm@econet.com> wrote:
The second factor is available zombie management. A pure pull method
with http would make it hard for the bot herder to track his available
zombies, rather than just looking how many users are in an IRC
channel.
Common sense tell us botnets will continue to use IRC less as detection
efforts such as the one described in the thread become more common. The
real challenge will be when they go to covert tunneling capabilities for
C&C such icmp and dns packets.
There are so many ways for botnets to hide their traffic that the ones
that are may be so well hidden it would be difficult to find them. As
bit torrent, IM and VoIP become more popular, it will be easy to hide
in the noise.
Also, pull does not present a problem for bots during the gathering
phase where the need to manage the majority of the bot herd is
minimal. At least one bot herder was using a web traffic analyser to
keep count of the bots. Then, when a gig comes in, the bot herder can
redirect the bots to a push-pull command channel.
--
Eric Hacker, CISSP
aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner
I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
