[LINK] Cornficker clones

stephen at melbpc.org.au
Sat Mar 28 20:00:51 AEDT 2009

Agree completely, and all the points have been considered, by me, and
apparently the world's best minds on this topic. It's a 'poor' bottom
line defence, take-down of botnet target sites, but, apparently right
now, one of few defences we have. So, Registrars, in particular, who
are in the firing line 'whatever' they do, may need help? Suggestions?

Scott writes,

> The bad guys still need to get only ONE of those up and running to
> connect to their botnet. And the bigger list of possibilities increases
> the odds they'll slip something by the security community.
> Researchers already know which domains the infected machines will check,
> but pre-emptively registering them all, or persuading the registrars to
> neutralize all of them, is a bigger hurdle."

What happens when amazon.com shows up in the list of domains that
conficker is going to try? Should that domain be "neutralized"?

Of course, you can't simply just ignore existing domains, because there's
a good chance that the conficker writers have already registered one or
more of the future domains, ready for the day that the bots' domain
algorithm picks that specific domain and comes calling. This domain
could well be hosting some random, innocent content - but of course the
worm writers will know the exact second hosts will start accessing it and
can change the content a few seconds earlier.

Even if you do ignore existing domains, at 50,000 domains per day, how far
out should domains be blacklisted? 10 days? (half a million domains!) A month?
(1.5 million domains!) What happens when they change the algorithm and it
becomes 500,000 domains a day?

And when I go to register the domain for my new company what should I be
told?  I can't register it today as it might be malicious, but if I come
back next Thursday after 6:51am everything will be OK?


Message sent using MelbPC WebMail Server
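The bookkeeping the thread argues about (how a pre-emptive blocklist grows with the look-ahead window, how an allowlist keeps a name like amazon.com from being "neutralized", and when a registrar could safely release a name) as an added example that is not part of this thread. The generator below is a constructed, date-seeded stand-in and is not Conficker's real algorithm; the allowlist and the 50,000-per-day scale are assumptions taken from the discussion.

```python
"""Toy model of defending against a date-seeded domain generation algorithm.

toy_dga() is a CONSTRUCTED stand-in, not Conficker's real algorithm. It only
exists so the defender's arithmetic can be run: blocklist size per window,
allowlist collisions, and the last day a given name is still a candidate.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")
ALLOWLIST = {"amazon.com"}  # constructed sample of known-legitimate names


def toy_dga(day, count, seed=b"toy"):
    """Deterministic candidate list for one day (constructed generator)."""
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(97 + b % 26) for b in h[:8])
        out.append(f"{label}.{TLDS[h[8] % len(TLDS)]}")
    return out


def plan_blocklist(start, days, per_day, allowlist=ALLOWLIST):
    """Return (to_block, skipped) for a look-ahead window of `days` days.

    Names on the allowlist are reported separately instead of blocked, which
    is the "amazon.com shows up in the list" case from the thread.
    """
    to_block, skipped = set(), set()
    for d in range(days):
        for name in toy_dga(start + timedelta(days=d), per_day):
            (skipped if name in allowlist else to_block).add(name)
    return to_block, skipped


def last_candidate_day(name, start, days, per_day):
    """Last day in the window on which `name` is still a candidate, or None.

    A registrar asking "when can this customer register the name?" needs the
    day after this; None means the name never appears in the window.
    """
    last = None
    for d in range(days):
        day = start + timedelta(days=d)
        if name in toy_dga(day, per_day):
            last = day
    return last


if __name__ == "__main__":
    block, skipped = plan_blocklist(date(2009, 4, 1), 10, 50_000)
    print(f"10-day window: {len(block)} names to block, {len(skipped)} allowlisted")
```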
