[Dshield] how to take down a 'bot-net' ?
KeithTarrant at spamcop.net
Sat Oct 5 19:21:36 GMT 2002
>So far, the methods I am using are:
>- notify owners of infected machines... mixed results here. It works
> great in some cases, not at all in others (depends on what machines
> are connected).
When does it work best and when worst? This would be a hint as to how
to better communicate. Is it English being a foreign language? Too much
lingo? Certain industries?
>- notify IRC operators... usually useless as they are the ones running
> the botnet.
>- notify the owner of the IRC server. Sometimes works great, sometimes
> not at all. Depends usually if they know what a 'botnet' is all about.
What definition are you giving them? It's not a simple concept to explain
to total laypeople, but if you want I could work on one.
>- issue a 'kill' command... haven't done that so far. Basically, these
> bots are pretty much standardized. So in some cases, you could send
> an 'uninstall' command. But that has legal issues...
>- notify authorities: Which authorities?