
On Thu, Dec 02, 2004 at 04:18:52PM -0500, Hannigan, Martin wrote:
> Can you direct me toward a singular entity of 1MM bots controlled by a single master?
Nobody can, except the single master who's in control of same, and whoever that is -- if there is one -- is unlikely to voluntarily share that information publicly.

That's part of the problem: we know that there are huge numbers of them. How huge? 10e7 was probably a good estimate early in 2004; 10e8 is starting to look plausible given reported discovery rates. And the quasi-related problem of spyware/adware is exacerbating it: it's not like that cruft is exactly fastidious about making sure that it doesn't open the door to things worse than itself.

We don't know how many there are. We probably can't know how many there are -- unless they do something to make themselves noticed, and surely those controlling them are smart enough to realize this and keep plenty in reserve. We can only know how many have made themselves visible, and even knowing that's hard.

We don't know who's controlling them: are we up against 10 people or 10,000?

We don't know everything they're doing with them.

We don't know everything they're going to try to do with them.

We don't know where they'll be next: they may move around (thanks to DHCP and similar), may show up in multiple places (thanks to VPNs), or they may *really* move around (laptops).

We don't know how many are "server" systems as opposed to end-user systems.

We don't know how to keep more from being created.

We don't have a mechanism for un-zombie'ing the ones that already exist (other than laboriously going after them one at a time).

We don't have a means to keep them from being re-zombied -- just as soon as the latest IE-bug-of-the-day hits Bugtraq.

We don't have a viable way of controlling their actions other than disconnecting them entirely: sure, blocking outbound port 25 connections stops them from attempting spam delivery directly into mail servers, but surely nobody is so naive as to think those controlling these botnets are going to shrug their shoulders and give up when that happens? There are all kinds of other things they could be doing. *Are doing*.

We don't have a clear understanding of how they're being controlled: are they quasi-autonomous? centrally directed? via a tree structure? do they "phone home"? are they operating p2p? all of the above?

And so on. But we darn well should find out.

---Rsk