On Sat, 30 Aug 2003 17:36 UTC Jack Bates <jbates@brightok.net> wrote:

| The person responsible is the bot maintainer. Finding the controller
| medium (probably irc) is the hard part, but once done, monitoring who
| controls the bots isn't near as hard.

For various values of "control". In the cases where we've tracked down bot-masters, they have themselves been throw-away trojaned machines in countries like Taiwan, Korea, etc. The bots found their master through DNS - and the person controlling the DNS had effective control of the botnetwork. If the trojaned site was taken down or tampered with, the human controller would just point the DNS at a different trojaned box.

In those cases, the most valuable evidence can therefore be got just by seeing who makes the changes to the DNS for the domain being used. (Of course, different bot-maintainers will have different approaches; I'm not suggesting this is the only system out there!)

Co-operation from the LE authorities in the country involved would be a prerequisite to tracking which machines connected to that botmaster and I'm sure the trojaned boxes used were chosen with thought for the likely level of co-operation from the country they were in!

| A few media enriched prison sentences would be good.

Some interest from law enforcement authorities in "friendly" countries (like, the ones we live and work in) would be a good way to start. More commonly they won't get involved because it's too difficult, plus they don't understand the technology properly, they're under-resourced (particularly in terms of handling the international relationships) and there are no guarantees of brownie-points from the effort anyway!

Without law-enforcement interest and adduceable evidence you don't get any prosecutions, and without prosecutions you don't get any prison sentences, media-enriched or otherwise. It's a hard world (for us).

-- 
Richard Cox

RC1500-RIPE

%% HELO - the first word of every Email transaction - is in Welsh! %%
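
Added example, not part of the original message: one way a defender could turn the DNS re-pointing described above into a timeline, by scanning passive-DNS observations for names whose A record keeps moving and bracketing the window in which each change was made. The log format, the function names and the sample data are assumptions constructed for illustration, and each name is assumed to carry a single A record at a time.

```python
from datetime import datetime, timezone

# Constructed passive-DNS observations: timestamp, queried name, A-record answer.
# Names use the reserved .example TLD; addresses come from the RFC 5737 ranges.
SAMPLE_LOG = """\
2003-08-28T01:10:00Z ctl.botnet.example 192.0.2.10
2003-08-28T09:42:00Z ctl.botnet.example 192.0.2.10
2003-08-28T09:45:00Z www.shop.example 198.51.100.7
2003-08-29T03:15:00Z ctl.botnet.example 198.51.100.23
2003-08-29T20:01:00Z ctl.botnet.example 198.51.100.23
2003-08-30T02:30:00Z www.shop.example 198.51.100.7
2003-08-30T11:05:00Z ctl.botnet.example 203.0.113.77
"""

def parse(log):
    """Yield (datetime, qname, ip) tuples from whitespace-separated lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, qname, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, qname.lower().rstrip("."), ip

def repoint_events(log):
    """Return {qname: [(last_seen_old, first_seen_new, old_ip, new_ip), ...]}.

    Each event brackets the window in which the record was changed, which is
    the window to raise with the DNS operator or registrar for that domain.
    """
    last = {}    # qname -> (time last seen, ip last seen)
    events = {}
    for when, qname, ip in sorted(parse(log)):
        if qname in last and last[qname][1] != ip:
            events.setdefault(qname, []).append((last[qname][0], when, last[qname][1], ip))
        last[qname] = (when, ip)
    return events

def suspects(log, min_repoints=2):
    """Names whose A record moved at least min_repoints times."""
    return sorted(q for q, ev in repoint_events(log).items() if len(ev) >= min_repoints)

if __name__ == "__main__":
    for qname, evs in repoint_events(SAMPLE_LOG).items():
        for old_t, new_t, old_ip, new_ip in evs:
            print(f"{qname}: {old_ip} -> {new_ip} changed between "
                  f"{old_t:%Y-%m-%d %H:%M} and {new_t:%Y-%m-%d %H:%M} UTC")
```

A name served from several A records at once would show up as spurious changes here, so real data needs the full answer set compared rather than one address per line.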