Inside the botnets that never make the news

by Dancho Danchev  |  May 20, 2009 12:00pm PDT  |  Image 1 of 26


Small Targeted Botnet

This screenshot is a good example of the social dynamics inside the cybercrime ecosystem. The modest botnet, consisting of 78 infected hosts, carries a "LOL" (laughing out loud) label added by a competing botnet master who wanted to expose a scammer pretending to control a much bigger botnet.

RE: Botnet exploiting MS0867 flaws (Inside the botnets that never make the news)
angle7575@... 1st Oct 2009
You can't block IRC channels; many people use those channels for legitimate reasons, like some of the good MMORPG games that we have on the net,
and other websites that provide you with music use the IRC world, so doing that is only going to cut people's noses off.
Block IRC traffic completely
zenotek 21st May 2009
That's the solution. IRC traffic has no place in business environments.
How pray tell?
rjacksix 21st May 2009
You're forgetting, any type of traffic can go over any port. It is not a simple firewall rule. It either requires deep packet inspection (which doesn't do any good if it is SSH'ed), or a lot of manual labor. Your premise is right, but "the devil is in the details."
True
phatkat 22nd May 2009
Yes, the devil is in the details. It will take substantial resources to inspect all of the packets as they come in through your normally open ports to prevent these botnets from controlling your systems if they are infected by any botnet.
Not getting the bot into your system in the first place is a better method than trying to thwart the botmaster from getting to your system afterwards.
If you have no bot, then most likely the botmaster will not control anything.
Excuse me, but what is a "BOT"? Anybody
AA0POTOM@... 9th Jun 2009
Excuse me, but what is a "BOT"? Anybody have a simple answer for a simple-minded person like me?

Thanks,
Tom
IRC can be set to use literally ANY port, not just the well-publicised ports that are used by most casual IRC users. The same problem occurs when you block known IRC hosts (either by domain or IP range) - all you're doing is blocking the major IRC nets. Botnet operators can set up their own servers/nets, using IRC server 'ware available for free for just about any OS.

Stateful packet inspection's the only viable method, and this gets expensive in terms of processing power needed to scan each inbound and outbound packet. You CAN impose the CIS version of Social Engineering with a "Thou Shalt Not" edict, but unless you have a method of catching someone breaking it, it's hard to enforce.

It's better to close the vulnerabilities at the point of infection/subversion, by aggressive anti-malware scanning, IM proxy servers, or straight-up blocking of the software from the desktops via a GPO.
Exactly how we did it....
JCitizen 21st May 2009
except we needed to do more application patching to reduce our software vulnerability posture.
Image 5...
Steve Goldman 21st May 2009
Did you do the obfuscating? If not, how do you know they're all on the same server?
No honor among thieves.
phatkat 22nd May 2009
I like the slide of a copyright disclaimer for one of the botnets.
"Botnet with anti RIAA, anti-piracy disclaimer".
Who is this person going to call for any violation of this policy, the "Ghostbusters"?
It is interesting that all of them are using some IRC application, so if you wanted to stop them you would need to stop illicit IRC traffic.
