> Obviously, botnet authors are lazy, and not motivated to do all that work
> to do all that extra stuff, when we're still focusing on the *last* generation
> of "use a well-known IRC net for C&C" bots, and haven't really addressed the
> *current* "use a hijacked host running a private IRC net" bots yet.
Most 'large' botnets are run off of private IRC servers. Any good IRC admin would notice when more than 1k 'bots' started joining their servers. They can look at channel topics and see if it says something like .scan, .advscan, etc. There's a whole list of commands the old RXBot used to do; I'm sure it's more advanced than it was two years ago when I last used IRC. http://www.darksun.ws/phatrxbot/rxbot.html

Typically it's the really new kiddies who set up botnets on public IRCD servers, as the IRC admins don't want the extra traffic caused by the bots, nor the problems the script kiddies cause. So adding a public EFNet server to their redirect list wasn't best; however, it's simply a false positive.

These bots are very simple to use, and you can simply find your better 'bots' by checking the ISP it's from and its uptime. Take that, then make it download a preconfigured IRCD such as Unreal and make it run in the background, and you have a private IRCD server to route your bots to.

So it may not be as fruitful if the public IRC servers are in fact ensuring script kiddies don't live on their networks, but if they check the packets to see what FQDN they are using for their botnet then it wouldn't bother me that they change the DNS to their own 'cleansing' servers. But in doing this it may lead to false positives such as the problem when the EFNet server got blocked.

Just my thoughts...

Raymond Corbin
Support Analyst
HostMySite.com
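The two tells Raymond describes (a channel topic that is a bot command line, and a join burst far larger than any human channel sees) are easy to check from an IRCd's own log. The script below is an added example, not code from the post or from any IRC server: it implements both heuristics over constructed log lines. The log line format, the command names beyond .scan and .advscan, and the thresholds are assumptions chosen for illustration.

```python
"""Flag IRC channels that look like botnet C&C from server log lines.

Added example, not from the original post or any IRCd. Two heuristics from the
thread: (1) the channel topic is a dot-command bots execute on join, and
(2) more than ~1k joins land in the channel within a short window.
Log format, extra command names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# .scan and .advscan are named in the post; the rest are assumed rxbot-style
# commands added only for illustration.
BOT_COMMANDS = {"scan", "advscan", "ddos", "download", "update", "login"}

# Assumed log format: "<unix_ts> :<nick>!<user>@<host> JOIN :#chan"
#                 and "<unix_ts> :<nick>!<user>@<host> TOPIC #chan :<topic>"
JOIN_RE = re.compile(r"^(?P<ts>\d+) :(?P<nick>[^!]+)![^ ]+ JOIN :?(?P<chan>#\S+)$")
TOPIC_RE = re.compile(r"^(?P<ts>\d+) :(?P<nick>[^!]+)![^ ]+ TOPIC (?P<chan>#\S+) :(?P<topic>.*)$")


def topic_is_bot_command(topic):
    """True if the topic's first word is a dot-command from BOT_COMMANDS."""
    first = topic.strip().split(" ", 1)[0]
    return first.startswith(".") and first[1:].lower() in BOT_COMMANDS


def analyze(lines, join_threshold=1000, window=60):
    """Return {channel: [reasons]} for channels matching either heuristic.

    join_threshold: flag a channel when more than this many joins occur
    within `window` seconds (the post's "more than 1k" figure).
    """
    joins = defaultdict(list)      # channel -> join timestamps
    findings = defaultdict(list)   # channel -> human-readable reasons
    for line in lines:
        m = TOPIC_RE.match(line)
        if m:
            if topic_is_bot_command(m.group("topic")):
                findings[m.group("chan")].append(
                    f"topic is a bot command: {m.group('topic')}")
            continue
        m = JOIN_RE.match(line)
        if m:
            joins[m.group("chan")].append(int(m.group("ts")))

    for chan, stamps in joins.items():
        stamps.sort()
        # Sliding window: largest number of joins inside any `window` seconds.
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > join_threshold:
            findings[chan].append(f"{peak} joins within {window}s")
    return dict(findings)


def sample_log():
    """Constructed log lines in the assumed format (not captured traffic)."""
    lines = [
        "1000 :bot1!x@1.2.3.4 TOPIC #rx :.advscan lsass 200 5 0 -r -s",
        "1000 :alice!a@example.org TOPIC #linux :Welcome, be nice",
    ]
    # 1200 bots joining #rx over a 30-second span.
    for i in range(1200):
        lines.append(f"{1000 + i % 30} :b{i}!r@10.0.{i // 256}.{i % 256} JOIN :#rx")
    # A handful of humans trickling into #linux.
    for i in range(5):
        lines.append(f"{1000 + i * 100} :u{i}!u@example.org JOIN :#linux")
    return lines


if __name__ == "__main__":
    for chan, reasons in analyze(sample_log()).items():
        print(chan, reasons)
```

On the constructed log, #rx is reported for both its .advscan topic and its 1200-join burst, while #linux is not. On a real server the join window and threshold need tuning per network, and, as the post notes, a legitimate busy channel can still trip the join check, so treat a hit as a reason to look at the channel rather than as proof.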