Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


+ - Watching a Botnet From the Inside->

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "When you hear about botnets such as Rustock, Mariposa or Grum being taken down, one of the tactics that's usually involved is sinkholing. The technique, which involves pointing the infected machines to a server controlled by good guys rather than attackers, often is used as one of the last steps to take the botnet offline. But some recent work done by researchers at Damballa took a slightly different tack and used the sinkhole as a way to study a recently discovered botnet in operation, and what they found in their traffic analysis was pretty interesting.

The Damballa researchers had come across the botnet, which they have not named, in recent weeks and were looking at the way that the network used a domain-generation algorithm to come up with new command-and-control domains for infected machines to contact. Many botnets use this same method, as it give them the ability to react quickly when one domain is taken down or blacklisted by a large number of security products. When that happens, the botmaster can simply send out an instruction for all of the bots to connect to the new domain. Or the bots can be programmed to connect to various new domains at regular intervals, based on the date or other variables.

In this case, the researchers saw that a lot of bots were trying to connect to some domains that had not been registered yet. So they did some quick statistical analysis and picked out some of the most frequently requested domains and registered the domains themselves. The Damballa researchers then pointed the domains to a sinkhole maintained by the Georgia Tech Information Security Center and sat back and watched the action."

Link to Original Source
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Watching a Botnet From the Inside

Comments Filter:

"If truth is beauty, how come no one has their hair done in the library?" -- Lily Tomlin