On Thu, 9 Oct 2003 12:01:35 -0400 "McBurnett, Jim" <jmcburnett@msmgmt.com> wrote:

| I think even if we get all the ones for this domain name today,
| assuming we can muster even man hours to get it today, another
| 5000 will be added tomorrow. And looking at my list we have US
| (a very small ISP and a large ISP), RIPE, and LACNIC.

This malware is not new, but is only just becoming widely visible. It succeeds solely because of the "Dynamic-DYS" (real-time updating) functionality built into the dot-biz registry.

Certainly it can be killed, but the techniques to achieve that are better discussed OFF this list - for both AUP and other valid reasons.

As soon as this exploit is killed, no doubt another, similar, exploit would follow. We therefore need a more generic solution to the issue.

| This not only affects this instance but global security as a whole.
| Just a few days ago, Cisco was taken offline by a large # of Zombies.
| I am willing to say that those are potentially some of the same
| compromised systems.

Empirical evidence would seem to support your view. Even where they are not the same zombies, networks that allow this type of zombie to remain in place are just as likely to allow DDoS zombies to continue undisturbed.

The problem is that many ISPs filter all issues of this nature through their abuse teams, rather than sending them directly to their security specialists. Most abuse teams have neither the time nor the experience to investigate, and this particular trojan has been written to make it too easy for abuse teams to dismiss reports of its activity, and then to justify taking no action - that is exactly what the writers of the malware intended to happen.

A step change in attitude from providers who offer 24/7-on connectivity is what is needed now, and agreement to separate all network security issues from their abuse desk procedures should be the number one priority.

--
Richard Cox