
Watching a Botnet From the Inside

Trailrunner7 (1100399) writes | more than 2 years ago


Trailrunner7 (1100399) writes "When you hear about botnets such as Rustock, Mariposa or Grum being taken down, one of the tactics that's usually involved is sinkholing. The technique, which involves pointing the infected machines to a server controlled by good guys rather than attackers, often is used as one of the last steps to take the botnet offline. But some recent work done by researchers at Damballa took a slightly different tack and used the sinkhole as a way to study a recently discovered botnet in operation, and what they found in their traffic analysis was pretty interesting.

The Damballa researchers had come across the botnet, which they have not named, in recent weeks and were looking at the way that the network used a domain-generation algorithm to come up with new command-and-control domains for infected machines to contact. Many botnets use this same method, as it gives them the ability to react quickly when one domain is taken down or blacklisted by a large number of security products. When that happens, the botmaster can simply send out an instruction for all of the bots to connect to the new domain. Or the bots can be programmed to connect to various new domains at regular intervals, based on the date or other variables.

In this case, the researchers saw that a lot of bots were trying to connect to some domains that had not been registered yet. So they did some quick statistical analysis and picked out some of the most frequently requested domains and registered the domains themselves. The Damballa researchers then pointed the domains to a sinkhole maintained by the Georgia Tech Information Security Center and sat back and watched the action."
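The two steps the submission describes, a date-seeded DGA and the selection of not-yet-registered domains that bots are already asking for, as an added, self-contained example. This is not Damballa's or Georgia Tech's code, and the submission does not say what their statistics looked like: the DGA, its seed, the resolver log format (`timestamp client qname rcode`) and the ranking metric (number of distinct clients receiving NXDOMAIN for a name the DGA will produce in the next few days) are all assumptions made here for illustration. The sample log is constructed inside the block.

```python
"""Toy date-seeded DGA plus NXDOMAIN ranking to choose sinkhole candidates.

Added example, not code from the original page or from Damballa. The DGA,
the seed, the log format and the ranking metric are assumptions.
"""
import hashlib
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "info")
SEED = b"toy-dga-seed"        # assumed: a constant baked into the bot binary


def generate_domains(day: date, count: int = 10, seed: bytes = SEED) -> list:
    """Hypothetical DGA: every bot sharing the seed derives the same list of
    domains for a given calendar day, so the botmaster only has to register
    one of them ahead of time. Anyone who recovers the algorithm can do the
    same, which is what makes pre-registration by defenders possible."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def parse_dns_log(lines):
    """Yield (client, qname, rcode) from 'timestamp client qname rcode' lines
    (assumed resolver log format); malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode


def sinkhole_candidates(lines, today: date, lookahead_days: int = 2,
                        top_n: int = 3, seed: bytes = SEED) -> list:
    """Rank unresolvable names by how many distinct clients asked for them,
    keeping only names the DGA will actually emit between today and
    today + lookahead_days. Returns [(domain, distinct_clients), ...],
    most-requested first. Distinct clients rather than raw query count so
    one chatty host cannot push a name to the top."""
    expected = set()
    for offset in range(lookahead_days + 1):
        expected.update(generate_domains(today + timedelta(days=offset), seed=seed))
    clients_per_domain = {}
    for client, qname, rcode in parse_dns_log(lines):
        # NXDOMAIN is used here as a proxy for "nobody has registered this yet";
        # a real workflow would confirm against WHOIS/RDAP before registering.
        if rcode == "NXDOMAIN" and qname in expected:
            clients_per_domain.setdefault(qname, set()).add(client)
    ranked = sorted(clients_per_domain.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(d, len(c)) for d, c in ranked[:top_n]]


TODAY = date(2012, 1, 9)   # constructed date for the sample log


def build_sample_log(today: date = TODAY) -> list:
    """Constructed resolver log: 20 bots query today's DGA names. Index 0 is
    the live C2 (resolves), the rest come back NXDOMAIN with decreasing
    popularity. One non-DGA NXDOMAIN line is included as noise."""
    dga = generate_domains(today)
    lines = []
    for bot in range(1, 21):
        client = f"10.0.0.{bot}"
        ts = f"{today}T00:00:{bot:02d}"
        lines.append(f"{ts} {client} {dga[0]} NOERROR")
        lines.append(f"{ts} {client} {dga[1]} NXDOMAIN")
        if bot <= 12:
            lines.append(f"{ts} {client} {dga[2]} NXDOMAIN")
        if bot <= 5:
            lines.append(f"{ts} {client} {dga[3]} NXDOMAIN")
    lines.append(f"{today}T00:01:00 10.0.0.1 unrelated-typo.example NXDOMAIN")
    return lines


if __name__ == "__main__":
    for domain, clients in sinkhole_candidates(build_sample_log(), TODAY):
        print(f"{clients:3d} clients  {domain}")
```

Run as a script, it prints the three DGA names most bots are already failing to resolve, which is the list a defender would register and point at a sinkhole. The live C2 is excluded because it resolves, and the typo domain is excluded because the DGA never produces it; without that second filter, ranking raw NXDOMAIN traffic would surface ordinary misspellings and expired domains alongside the botnet's names.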

