Mike Schwartz wrote:
quotes:  ("The worm [...] [exploits] a MS Windows vulnerability [...]");  
    http://www.nytimes.com/2009/01/23/technology/internet/23worm.html?hp
New York Times (01/23/09) Markoff, John 
the above news item was summarized (and, linked to) from:
  http://technews.acm.org/archives.cfm?fo=2009-01-jan/jan-23-2009.html#396185
in an item titled 
Worm Infects Millions of Computers Worldwide 
("forwarded" to PLUG-Discuss by:)
I was thinking about this today...
"Each day it generates a new list of 250 domain names. Instructions from any one of these domain names would be obeyed. To control the botnet, an attacker would need only to register a single domain to send instructions to the botnet globally"

So what is keeping *anyone* (besides the author/botherder) from disassembling the worm to find out what DNS names it's looking for (or heck, even just run wireshark on your machine to see), and then registering the domain themselves and using it to take control of the entire botnet? The only hurdle would be figuring out the protocol, which could probably be easily gleaned from looking at the disassembled code, or sniffing the connection of a compromised machine once the botherder does finally take control of it.

I guess the answer to my question is "nothing". Actually, probably the fact that the authorities are now looking for the botherder, so they probably have a honeypot and/or compromised machines and are waiting to catch the guy, so anyone else taking advantage would be mistaken for the real author...oops.

Interesting that they chose not to infect computers with Ukrainian keyboards...I'd guess the author didn't want to screw over his home country :P
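To make the mechanism in the quoted article concrete, here is an added example, not code from the original post or from any analysis of the worm itself: a constructed, date-seeded stand-in for a domain generation algorithm, together with the defender-side use of the same property, precomputing the day's 250 names so that resolver logs can be checked against them. The generation function, the resolver log format and the sample log lines are all assumptions.

```python
import hashlib
import datetime as dt
import re

# Constructed stand-in for a date-seeded domain generation algorithm (DGA).
# It is NOT the worm's real algorithm; it only models the property the article
# describes: each day yields a fixed list of 250 names anyone can reproduce.
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 250

def generate_domains(day, count=DOMAINS_PER_DAY):
    """Return the candidate rendezvous domains for one calendar day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = digest[:8 + int(digest[-1], 16) % 4]   # 8 to 11 hex characters
        tld = TLDS[int(digest[-2], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains

def flag_dga_queries(log_lines, day, lookahead_days=1):
    """Defender side: precompute the lists for `day` and the next
    `lookahead_days` days, then return (client, qname) for every DNS query
    in the (assumed) resolver log format that hits one of those names."""
    watch = set()
    for offset in range(lookahead_days + 1):
        watch.update(generate_domains(day + dt.timedelta(days=offset)))
    pattern = re.compile(r"client=(\S+) qname=(\S+)")
    hits = []
    for line in log_lines:
        m = pattern.search(line)
        if not m:
            continue
        qname = m.group(2).rstrip(".").lower()
        if qname in watch:
            hits.append((m.group(1), qname))
    return hits

# Constructed sample resolver log for 2009-01-23; one client queries a
# generated name, the others query ordinary domains.
DAY = dt.date(2009, 1, 23)
NEXT_DAY = DAY + dt.timedelta(days=1)
SAMPLE_LOG = [
    "2009-01-23T10:01:02 client=10.0.0.5 qname=www.example.com. type=A",
    f"2009-01-23T10:01:09 client=10.0.0.7 qname={generate_domains(DAY)[17]}. type=A",
    "2009-01-23T10:02:15 client=10.0.0.5 qname=mail.example.org. type=MX",
]

def demo():
    return flag_dga_queries(SAMPLE_LOG, DAY)
```

Because the list is a pure function of the date, a defender who has the algorithm can block or sinkhole all 250 names before the day arrives, which is exactly why the article's "register a single domain" observation cuts both ways.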