Threat Level: green Handler on Duty: Adrien de Beaupre

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Bot Nets - Moving to Prime Time, AV Vendors Taking Out Valuable Resource,

Published: 2004-11-12
Last Updated: 2004-11-13 00:57:59 UTC
by John Bambenek (Version: 1)
0 comment(s)
Bot Nets - Moving to Prime Time

While investigating a bot net we found some interesting new tricks. When I first /whois'd the IRC operator it immediately kicked me off and banned me from the server. (It did return the info first though). Poking around a little more at what IRC server version they are using and the features available to it provided some very eye-opening developments. This particular IRC server was using an 11 month old version, while the newest versions support things such as SSL client/server communication and hostname cloaking. A little more tweaking and research and they can make bot nets fairly stealth and much harder to break apart, especially if they start using SSL certificates and the actual IRC linking functions in the server software. (i.e. they have 20 IRC servers serving the bot net that all talk to each other so you have to take down all 20 to shutdown the net).

AV Vendors Taking Out Valuable Resource

Many readers might be familiar with Virustotal ( http://www.virustotal.com ). This service provides its users the ability to submit a file and have several anti-virus engines scan it. Unfortunately, several major anti-virus vendors decided this was not a good use of their product (probably because it exposes which vendors are lagging on getting updates out) and have badgered Virustotal to remove their engines. Apparently too many customers would come back to AV vendors using Virustotal results to harass them about lagging signatures.

--
John C. A. Bambenek, bambenek /at/ gmail.com
Handler of the Day

Keywords:
0 comment(s)
Diary Archives