attempts to the fake C&C. At the fake C&C, various choices can be made, including simply studying the traffic as it passes by, or blocking the traffic to make the botnet itself ineffective. If something like this is attempted, it is probably a good idea to block any local botnet clients from talking to something other than the fake C&C, as they may have backdoor channels you did not know about beforehand. Another simple option is to simply remove the DNS entries altogether. In step 4, the botnet herder says a bad word. The Dynamic DNS provider should be prepared for a DDoS attack, if the bot herder has more divisions of zombies to do his bidding. You can find more detail on the Karstnet approach at www.cc.gatech.edu/classes/AY2006/cs6262_spring/botnets.ppt.
Figure 12.2 Using a Blackhole to Disable a Botnet
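The blackhole step above leaves one loose end: a redirected bot may still reach a channel the fake C&C never sees. The following added example (not from the book; the sinkhole address, the local subnet and both log samples are constructed assumptions) correlates sinkhole hits with border flow records to list, per suspected bot, every destination other than the fake C&C it kept contacting.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SINKHOLE_IP = "10.0.0.50"                 # assumed address of the fake C&C
LOCAL_NET = ip_network("192.168.1.0/24")  # assumed local client range

# Constructed sinkhole connection log: "epoch src_ip dst_port"
SINKHOLE_LOG = """\
1167700000 192.168.1.23 6667
1167700012 192.168.1.40 6667
1167700030 192.168.1.23 6667
"""

# Constructed border flow records: "epoch src_ip dst_ip dst_port"
FLOW_LOG = """\
1167700005 192.168.1.23 10.0.0.50 6667
1167700007 192.168.1.23 203.0.113.9 443
1167700015 192.168.1.40 10.0.0.50 6667
1167700020 192.168.1.77 198.51.100.5 80
1167700031 192.168.1.23 203.0.113.9 443
1167700035 192.168.1.23 198.51.100.200 8080
"""

def suspected_bots(sinkhole_log):
    """Local hosts that connected to the fake C&C: the redirected bot clients."""
    bots = set()
    for line in sinkhole_log.splitlines():
        _, src, _ = line.split()
        if ip_address(src) in LOCAL_NET:
            bots.add(src)
    return bots

def backdoor_candidates(sinkhole_log, flow_log):
    """Per suspected bot, every destination other than the sinkhole it reached,
    with a hit count. Each entry is a channel the blackhole did not capture,
    which is why the text recommends blocking bots from talking elsewhere."""
    bots = suspected_bots(sinkhole_log)
    seen = defaultdict(lambda: defaultdict(int))
    for line in flow_log.splitlines():
        _, src, dst, port = line.split()
        if src in bots and dst != SINKHOLE_IP:
            seen[src][(dst, int(port))] += 1
    return {bot: dict(dsts) for bot, dsts in seen.items()}

if __name__ == "__main__":
    for bot, dsts in backdoor_candidates(SINKHOLE_LOG, FLOW_LOG).items():
        print(bot, "also reached:", dsts)
```

Hosts that appear only as sinkhole clients (192.168.1.40 in the sample) produce no entry; 192.168.1.23 shows two non-sinkhole destinations worth a closer look.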
A Call to Arms
So, let’s look in the crystal ball and predict the future. It’s not hard. Botnets represent a leading edge of computer crime in both technological and profit terms. Botnets will evolve to some extent because people will find holes in complex software systems, and some botnet herders will use different control mechanisms. They may use strong encryption. They may use P2P for command and control, or still use IRC because working software is useful and human beings are often averse to change, even hackers. Turing proved that holes are unavoidable, and common sense tells us that software systems tend to complexity. It doesn’t matter if you blame it on Microsoft or Linux; normal folks rarely buy a computer with less memory. The bottom line here is that botnets will get more complicated. And in response, vendors will create more complex systems for detecting malware, be it network gear like intrusion detection systems or anti-virus software, or “honeynets in a box.” So, botnets will change their stripes. However, IT professionals will analyze what the black-hats do and invent new countermeasures.
www.syngress.com
Responding to Botnets • Chapter 12
445
The following list includes general categories of concepts or things that could affect the existence and proliferation of botnets. The categories listed are a generalization of a taxonomy of phishing solutions developed by the Financial Services Technology Consortium. The original categories can be found in Appendix A and are used with the permission of the Financial Services Technology Consortium (FSTC). These categories were taken from Appendix B of “FSTC Counter Phishing Solutions Survey Summary,” published by FSTC on December 4, 2004.
■ Hardening Hardware and Software
■ Endpoints and Connections
■ Fueling or Reducing the Demand
■ Mobile Devices
■ Supporting Applications
■ Internet Infrastructure
■ Online Applications Security
■ Industry Countermeasures
■ Things Related to Gathering and Sharing Information
■ Industry Monitoring and Surveillance Measures
■ Proactive Measures
■ Nontechnical Measures
■ Awareness, Training, and Education and End User Engagement