Bot Nets - Moving to Prime Time
While investigating a bot net we found some interesting new tricks. When I first /whois'd the IRC operator it immediately kicked me off and banned me from the server. (It did return the info first though.) Poking around a little more at the IRC server version they are using, and the features available in it, turned up some very eye-opening developments. This particular IRC server was running an 11-month-old version, while the newest versions support features such as SSL client/server communication and hostname cloaking. With a little more tweaking and research they can make bot nets fairly stealthy and much harder to break apart, especially if they start using SSL certificates and the actual IRC server-linking functions in the server software (i.e. they run 20 IRC servers serving the bot net that all talk to each other, so you have to take down all 20 to shut down the net).
AV Vendors Taking Out Valuable Resource
Many readers might be familiar with Virustotal (http://www.virustotal.com). This service provides its users the ability to submit a file and have several anti-virus engines scan it. Unfortunately, several major anti-virus vendors decided this was not a good use of their product (probably because it exposes which vendors are lagging on getting updates out) and have badgered Virustotal to remove their engines. Apparently too many customers would come back to AV vendors using Virustotal results to harass them about lagging signatures.
John C. A. Bambenek, bambenek /at/ gmail.com
Handler of the Day
Nov 13th 2004