Re: OT: NY Times ('via' acm TechNews): PC worm -- known as C…

Author: Charles Jones
Date:  
To: Main PLUG discussion list
Subject: Re: OT: NY Times ('via' acm TechNews): PC worm -- known as Conflicker or Downadup
Mike Schwartz wrote:
> quotes:  ("The worm [...] [exploits] a MS Windows vulnerability [...]");
>     http://www.nytimes.com/2009/01/23/technology/internet/23worm.html?hp
> /New York Times (01/23/09) Markoff, John/
> the above news item was summarized (and, linked to) from:
>   http://technews.acm.org/archives.cfm?fo=2009-01-jan/jan-23-2009.html#396185
> in an item titled
> Worm Infects Millions of Computers Worldwide
> ("forwarded" to PLUG-Discuss by:)

I was thinking about this today...
"Each day it generates a new list of 250 domain names. Instructions from
any one of these domain names would be obeyed. To control the botnet, an
attacker would need only to register a single domain to send
instructions to the botnet globally"

So what is keeping *anyone* (besides the author/botherder) from
disassembling the worm to find out what DNS names it's looking for (or
heck, even just run wireshark on your machine to see), and then
registering the domain themselves and using it to take control of the
entire botnet? The only hurdle would be figuring out the protocol, which
could probably be easily gleaned from looking at the disassembled code,
or sniffing the connection of a compromised machine once the botherder
does finally take control of it.

I guess the answer to my question is "nothing". Actually probably the
fact that the authorities are now looking for the botherder, so they
probably have a honeypot and/or compromised machines and waiting to
catch the guy, so anyone else taking advantage would be mistaken for the
real author...oops.

Interesting that they chose not to infect computers with Ukrainian
keyboards...I'd guess the author didn't want to screw over his home
country :P
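The behaviour quoted above (a daily burst of lookups for generated names, almost all of them unregistered) is also what a defender can pick out of resolver logs: an infected host produces many distinct NXDOMAIN answers per day, and the one name that does resolve is the one somebody registered. The example below is added here and is not from the list post or the Times article; the log lines and the eight-letter name generator are constructed placeholders, not Conficker's real algorithm.

```python
import random
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "date client qname rcode".
# Host 10.0.0.9 shows the pattern described in the post: a burst of lookups
# for many generated names, nearly all NXDOMAIN, plus one that resolves.
_rng = random.Random(1)  # fixed seed so the constructed sample is reproducible
_GEN = ["".join(_rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8)) + ".net"
        for _ in range(25)]  # placeholder generator, NOT the worm's DGA
SAMPLE_LOG = "\n".join(
    ["2009-01-23 10.0.0.5 www.example.com NOERROR",
     "2009-01-23 10.0.0.5 mail.example.com NOERROR",
     "2009-01-23 10.0.0.5 typo.examlpe.com NXDOMAIN"]
    + [f"2009-01-23 10.0.0.9 {n} NXDOMAIN" for n in _GEN]
    + ["2009-01-23 10.0.0.9 c2-placeholder.invalid NOERROR"]
)

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

def parse_dns_log(text):
    """Parse lines into (day, client, qname, rcode) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, client, qname, rcode = m.groups()
            events.append((day, client, qname.lower(), rcode))
    return events

def dga_suspects(events, threshold=20):
    """Flag (day, client) pairs with at least `threshold` distinct NXDOMAIN names."""
    failed = defaultdict(set)
    for day, client, qname, rcode in events:
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(qname)
    return {k: len(v) for k, v in failed.items() if len(v) >= threshold}

def resolved_by_suspects(events, suspects):
    """For flagged hosts, list names that did resolve: candidates to block or sinkhole."""
    hits = defaultdict(set)
    for day, client, qname, rcode in events:
        if (day, client) in suspects and rcode == "NOERROR":
            hits[(day, client)].add(qname)
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    ev = parse_dns_log(SAMPLE_LOG)
    flagged = dga_suspects(ev)
    print(flagged)                          # {('2009-01-23', '10.0.0.9'): 25}
    print(resolved_by_suspects(ev, flagged))
```

The threshold is a tuning knob: a legitimate host produces a handful of typo NXDOMAINs a day, while a host walking a 250-name daily list stands out by an order of magnitude.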
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss