On Tue, Jul 24, 2007 at 12:00:40PM -0500, Joe Greco wrote:
Yes there are a few bots around still using IRC but a lot of them have moved to other, better things (and there's fun "headless" bots too, hardcoded with instructions and let loose so there's no C&C, no centralized domain or dynamic dns for takedown.. you want to make a change? just release another bot into the wild).
Hardly unexpected. The continuing evolution is likely to be pretty scary. Disposables are nice, but the trouble and slowness in seeding makes them less valuable. I'm expecting that we'll see compartmentalized bots, where each bot has a small number of neighbors, a pseudo-scripting command language, extensible communication ABI to facilitate the latest in detection avoidance, and some basic logic to seed/pick neighbors that aren't local. Build in some strong encryption, have them each repeat the encrypted orders to their neighbors, and you have a structure that would be exceedingly difficult to deal with.
Considering how long ago that sort of model was proposed, it is actually remarkable that it doesn't seem to have been perfected by now, and that we're still blocking IRC.
That's because there is a huge world out there of badly protected hosts just waiting to become bots and a fairly basic set of tactics being deployed to prevent them. I.e., until globally it is somewhat more difficult to build a botnet, there is no need to develop complicated solutions. The simpler ones are proven, easy to roll out, easy to modify. It's just supply and demand...

Steve