FireEye Malware Intelligence Lab
FE Malware Researcher Atif Mushtaq
Chasing CnC Servers – Part 1
The purpose of this series is to discuss the limitations and challenges involved in using blacklists (DNS and IP) for network-based anomaly detection. I will focus more on the problems of tracking botnets using their control server identities alone. I will also discuss whether there are better techniques available to detect compromised (botted) machines and terminate CnC channels to prevent further damage.
Catch me if you can. Bot herders are well aware that their botnets can easily be identified and destroyed if they don't switch their CnC servers for an extended period of time. The shutdown of McColo crippled the world's largest spam botnets in one go because they were not moving their CnCs quickly. Today, bot herders have learnt their lesson: the average life span of a CnC domain is very short, sometimes not more than a few days. Hence the continuous effort to update your blacklist is a race in which the bad guys will always be one step ahead.
http://blog.fireeye.com/research/2010/08/chasing-cncs-part1.html
Update
2010.08.30
Infiltrating Pushdo — Part 2
After identifying the botnets in question it was very easy for me to go through my botlab logs and try to find leftover command and control servers. There was no doubt that many of the CnC servers were null-routed. But as mentioned by LastLine, there were still some servers which were active and serving content.
http://blog.fireeye.com/research/2010/08/infiltrating-pushdo-part-2.html