On Wed, Apr 01, 2009 at 10:01:29AM -0600, Jason Iannone wrote:
> What's the virus doing with all of those domain names?
Paul Vixie gave a presentation at the IEPG meeting before IETF 74. I don't think the IEPG meeting notes are up yet (they would be very informative if they were)... I don't pretend to be an expert, but my understanding based on that presentation is that the DNS is used for C&C of the botnet. Its owner only needs one of those domain names to be registered to give out orders.

If they only used one, it would be relatively easy to shut them down. They use so many so that, when the good guys bust in the door and shut down the C&C domain/hosting, they can just open up shop somewhere else like nothing happened.

Not entirely unlike terrorist cells.

--
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.

"If you don't do it right the first time, you'll just have to do it again." -- Jack T. Hankins
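The lookup pattern described in the message above (a host trying many domain names of which only one needs to be registered) is visible in resolver logs. The following is an added example, not part of the original message: the log format, thresholds, addresses and domain names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; the "time client qname rcode" format is an assumption.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.org NOERROR
10:00:03 10.0.0.5 wwww.example.net NXDOMAIN
10:00:04 10.0.0.5 intranet.example.com NOERROR
10:00:05 10.0.0.7 xkqjvhd.example NXDOMAIN
10:00:05 10.0.0.7 pwzrtmq.example NXDOMAIN
10:00:06 10.0.0.7 bnvcylf.example NXDOMAIN
10:00:06 10.0.0.7 kqzpwtb.example NOERROR
10:00:07 10.0.0.7 gdhsuoa.example NXDOMAIN
10:00:07 10.0.0.7 ymtlexr.example NXDOMAIN
10:00:08 10.0.0.7 cfjwnik.example NXDOMAIN
10:00:09 10.0.0.9 printer.corp.test NXDOMAIN
10:00:19 10.0.0.9 printer.corp.test NXDOMAIN
10:00:29 10.0.0.9 printer.corp.test NXDOMAIN
"""

def parse(log):
    """Yield (client, qname, rcode) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, client, qname, rcode = parts
            yield client, qname.lower().rstrip("."), rcode

def suspicious_clients(log, min_failed=5, min_ratio=0.8):
    """Flag clients whose lookups are mostly distinct names that do not exist.

    Counting distinct names (not raw queries) keeps a host that retries one
    stale name, like 10.0.0.9 above, from being flagged. Thresholds are
    illustrative assumptions, not tuned values.
    """
    seen, failed = defaultdict(set), defaultdict(set)
    for client, qname, rcode in parse(log):
        seen[client].add(qname)
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    report = {}
    for client, names in seen.items():
        nx = failed[client]
        if len(nx) >= min_failed and len(nx) / len(names) >= min_ratio:
            # Names that did resolve are candidates for the registered domain.
            report[client] = {"failed": len(nx), "resolved": sorted(names - nx)}
    return report

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

The `resolved` list for a flagged client is the short list worth reviewing for blocking or sinkholing.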