Re: On the back of other 'security' posts....
From: Richard Cox <Richard () mandarin com>
Date: Sat, 30 Aug 2003 19:14:05 +0100


On Sat, 30 Aug 2003 17:36 UTC Jack Bates <jbates () brightok net> wrote:

| The person responsible is the bot maintainer.  Finding the controller
| medium (probably irc) is the hard part, but once done, monitoring who
| controls the bots isn't near as hard.

For various values of "control".  In the cases where we've tracked down
bot-masters, they have themselves been throw-away trojaned machines in
countries like Taiwan, Korea, etc.  The bots found their master through
DNS - and the person controlling the DNS had effective control of the
botnetwork.  If the trojaned site was taken down or tampered with, the
human controller would just point the DNS at a different trojaned box.
In those cases, the most valuable evidence can therefore be got just
by seeing who makes the changes to the DNS for the domain being used.

(Of course, different bot-maintainers will have different approaches;
I'm not suggesting this is the only system out there!)

Co-operation from the LE authorities in the country involved would be
a prerequisite to tracking which machines connected to that botmaster
and I'm sure the trojaned boxes used were chosen with thought for the
likely level of co-operation from the country they were in!

| A few media enriched prison sentences would be good.

Some interest from law enforcement authorities in "friendly" countries
(like, the ones we live and work in) would be a good way to start.
More commonly they won't get involved because it's too difficult, plus
they don't understand the technology properly, they're under-resourced
(particularly in terms of handling the international relationships) and
there are no guarantees of brownie-points from the effort anyway!

Without law-enforcement interest and adduceable evidence you don't get
any prosecutions, and without prosecutions you don't get any prison
sentences, media-enriched or otherwise.  It's a hard world (for us).

-- 
Richard Cox
RC1500-RIPE
%% HELO - the first word of every Email transaction - is in Welsh! %%
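The post above describes bots that locate their controller through a DNS name the human operator re-points whenever a relay box is taken down, so the DNS change history for that name becomes the evidence trail. The following is an added example, not part of the original message or of anything Richard Cox or Jack Bates wrote: it shows the defender-side half of that idea, a small monitor that takes periodic A-record observations for a domain and reports every time the record set changes, plus a churn check that flags names whose records move repeatedly inside a window. The observation data is constructed for the demonstration (reserved documentation addresses and `.invalid` names, not real hosts), and the function names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample observations: (unix_time, domain, A records seen at that time).
# Addresses are RFC 5737 documentation ranges and the names use the reserved
# .invalid TLD; none of this refers to a real controller.
OBSERVATIONS: List[Tuple[int, str, Tuple[str, ...]]] = [
    (1062262800, "controller.example.invalid", ("192.0.2.10",)),
    (1062266400, "controller.example.invalid", ("192.0.2.10",)),
    (1062270000, "controller.example.invalid", ("198.51.100.7",)),   # re-pointed
    (1062273600, "controller.example.invalid", ("198.51.100.7",)),
    (1062277200, "controller.example.invalid", ("203.0.113.42",)),   # re-pointed again
    (1062262800, "static.example.invalid", ("192.0.2.50",)),
    (1062349200, "static.example.invalid", ("192.0.2.50",)),
]


@dataclass(frozen=True)
class Change:
    """One observed change of a domain's A-record set."""
    domain: str
    at: int                 # unix time of the first observation with the new set
    old: Tuple[str, ...]
    new: Tuple[str, ...]


def dns_changes(observations: Iterable[Tuple[int, str, Tuple[str, ...]]]) -> List[Change]:
    """Return every A-record change, grouped by domain and ordered by time.

    Record sets are compared as sorted tuples so that reordering of the same
    addresses is not reported as a change; only a different set of addresses is.
    """
    by_domain: Dict[str, List[Tuple[int, Tuple[str, ...]]]] = defaultdict(list)
    for ts, domain, rrset in observations:
        by_domain[domain].append((ts, tuple(sorted(rrset))))

    changes: List[Change] = []
    for domain in sorted(by_domain):
        prev = None
        for ts, rrset in sorted(by_domain[domain]):
            if prev is not None and rrset != prev:
                changes.append(Change(domain, ts, prev, rrset))
            prev = rrset
    return changes


def churn_report(observations, window_seconds: int, min_changes: int) -> Dict[str, int]:
    """Flag domains whose A records changed at least min_changes times within
    any window of window_seconds. Returns {domain: changes_in_window}.

    A name that is re-pointed every few hours as relay boxes are taken down
    stands out here, while a name that rarely changes does not.
    """
    times_by_domain: Dict[str, List[int]] = defaultdict(list)
    for change in dns_changes(observations):
        times_by_domain[change.domain].append(change.at)

    flagged: Dict[str, int] = {}
    for domain, times in times_by_domain.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # Slide the window forward from change i and count changes inside it.
            while j < len(times) and times[j] - times[i] <= window_seconds:
                j += 1
            if j - i >= min_changes:
                flagged[domain] = j - i
                break
    return flagged


if __name__ == "__main__":
    for c in dns_changes(OBSERVATIONS):
        print(f"{c.at} {c.domain}: {c.old} -> {c.new}")
    print("churn:", churn_report(OBSERVATIONS, window_seconds=86400, min_changes=2))
```

In practice the observations would come from a resolver log or a scheduled lookup, and the change timestamps are what you would line up against the registrar or DNS-provider change records to see who actually made each edit; the code only shows the detection side.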

