[Dshield] how to take down a 'bot-net' ?

KeithTarrant KeithTarrant at spamcop.net
Sat Oct 5 19:21:36 GMT 2002


>So far, the methods I am using are:

>- notify owners of infected machines... mixed results here. It works
> great in some cases, not at all in others (depends on what machines
> are connected).

When does it work best and when worst?  This would be a hint as to how
to better communicate.  Is it English being a foreign language?  Too much
lingo?  Certain industries?

>- notify IRC operators... usually useless as they are the ones running
> the botnet.
>- notify the owner of the IRC server. Sometimes works great, sometimes
>  not at all. Depends usually if they know what a 'botnet' is all about.

What definition are you giving them?  It's not a simple concept to explain
to total laypeople, but if you want I could work on one.

>- issue a 'kill' command... haven't done that so far. Basically, these
>  bots are pretty much standardized. So in some cases, you could send
>  an 'uninstall' command. But that has legal issues...
>- notify authorities: Which authorities?




