Trailrunner7 (1100399) writes "When you hear about botnets such as Rustock, Mariposa or Grum being taken down, one of the tactics that's usually involved is sinkholing. The technique, which involves pointing the infected machines to a server controlled by good guys rather than attackers, often is used as one of the last steps to take the botnet offline. But some recent work done by researchers at Damballa took a slightly different tack and used the sinkhole as a way to study a recently discovered botnet in operation, and what they found in their traffic analysis was pretty interesting.
The Damballa researchers had come across the botnet, which they have not named, in recent weeks and were looking at the way that the network used a domain-generation algorithm to come up with new command-and-control domains for infected machines to contact. Many botnets use this same method, as it give them the ability to react quickly when one domain is taken down or blacklisted by a large number of security products. When that happens, the botmaster can simply send out an instruction for all of the bots to connect to the new domain. Or the bots can be programmed to connect to various new domains at regular intervals, based on the date or other variables.
In this case, the researchers saw that a lot of bots were trying to connect to some domains that had not been registered yet. So they did some quick statistical analysis and picked out some of the most frequently requested domains and registered the domains themselves. The Damballa researchers then pointed the domains to a sinkhole maintained by the Georgia Tech Information Security Center and sat back and watched the action."
Link to Original Source