
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: On the back of other 'security' posts....

  • From: Richard Cox
  • Date: Sat Aug 30 14:17:04 2003

On Sat, 30 Aug 2003 17:36 UTC Jack Bates <> wrote:

| The person responsible is the bot maintainer.  Finding the controller
| medium (probably irc) is the hard part, but once done, monitoring who
| controls the bots isn't near as hard.

For various values of "control".  In the cases where we've tracked down
bot-masters, they have themselves been throw-away trojaned machines in
countries like Taiwan, Korea, etc.  The bots found their master through
DNS - and the person controlling the DNS had effective control of the
botnetwork.  If the trojaned site was taken down or tampered with, the
human controller would just point the DNS at a different trojaned box.
In those cases, the most valuable evidence can therefore be got just
by seeing who makes the changes to the DNS for the domain being used.

(Of course, different bot-maintainers will have different approaches;
I'm not suggesting this is the only system out there!)

Co-operation from the LE authorities in the country involved would be
a prerequisite to tracking which machines connected to that botmaster
and I'm sure the trojaned boxes used were chosen with thought for the
likely level of co-operation from the country they were in!

| A few media enriched prison sentences would be good.

Some interest from law enforcement authorities in "friendly" countries
(like, the ones we live and work in) would be a good way to start.
More commonly they won't get involved because it's too difficult, plus
they don't understand the technology properly, they're under-resourced
(particularly in terms of handling the international relationships) and
there are no guarantees of brownie-points from the effort anyway!

Without law-enforcement interest and adduceable evidence you don't get
any prosecutions, and without prosecutions you don't get any prison
sentences, media-enriched or otherwise.  It's a hard world (for us).

Richard Cox
%% HELO - the first word of every Email transaction - is in Welsh! %%
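The evidence the reply describes is the sequence of DNS re-pointings for the domain the bots rendezvous on. The following is an added example (not part of the original post or thread) of how a defender can turn resolver or passive-DNS observations into that timeline: it walks a constructed set of timestamped answers for a placeholder domain, emits one event per A-record change with how long the previous answer held, and reports the currently observed master. The domain and addresses are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: timestamped resolutions of a hypothetical rendezvous
# domain, as a resolver log or passive-DNS feed would record them.
OBSERVATIONS = [
    ("2003-08-28T09:00:00", "c2.example.invalid", "203.0.113.10"),
    ("2003-08-28T15:00:00", "c2.example.invalid", "203.0.113.10"),
    ("2003-08-29T02:30:00", "c2.example.invalid", "198.51.100.7"),   # re-pointed
    ("2003-08-29T12:00:00", "c2.example.invalid", "198.51.100.7"),
    ("2003-08-30T01:10:00", "c2.example.invalid", "192.0.2.44"),     # re-pointed again
]

@dataclass
class RepointEvent:
    domain: str
    seen_at: datetime
    old_ip: str
    new_ip: str
    previous_dwell: timedelta   # how long the old answer was observed before the change

def repoint_timeline(observations):
    """Chronological list of A-record changes per domain.
    Each event is a moment to correlate with the registrar's or DNS
    provider's change log to establish who pushed the update."""
    rows = sorted(observations, key=lambda r: r[0])
    last_seen = {}   # domain -> (ip, first time that ip was observed)
    events = []
    for ts, domain, ip in rows:
        when = datetime.fromisoformat(ts)
        if domain not in last_seen:
            last_seen[domain] = (ip, when)
            continue
        old_ip, since = last_seen[domain]
        if ip != old_ip:
            events.append(RepointEvent(domain, when, old_ip, ip, when - since))
            last_seen[domain] = (ip, when)
    return events

def current_master(observations, domain):
    """Most recently observed answer for the domain, or None if never seen."""
    hits = sorted(r for r in observations if r[1] == domain)
    return hits[-1][2] if hits else None

if __name__ == "__main__":
    for ev in repoint_timeline(OBSERVATIONS):
        print(f"{ev.seen_at.isoformat()} {ev.domain}: {ev.old_ip} -> {ev.new_ip} "
              f"(previous answer held {ev.previous_dwell})")
```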
