[Emerging-Sigs] Emerging-sigs Digest, Vol 4, Issue 13

Jim McQuaid jim.mcquaid at gmail.com
Wed Mar 12 20:32:03 EST 2008


> 2 different issues. The fast flux stuff is botnet controllers, mostly
> (as far as I see) medium level to small time operators. RBN uses
> redundant dns and the like, but they're more into the static fraud, fake
> products stuff of late. Static websites, fake AV and antispyware, etc.
> Not fast flux for any of those. That correlates with what you're
> seeing, Jim?

Yes.  It tends to suggest that the fake security products are an
important cash cow for them; they really want people to find those
sites.

> 3. Sounds like an interesting two-pronged strategy would be to block IPs
> of "regular" RBN domains and domains themselves which are part of a
> fast-flux botnet... Not sure what the easiest way to do this is
> besides a script to check each domain to see if it's fast-flux'ed...

> We've got a version of that running behind the RBN ruleset and the
> compromised domains. RBN is the static nets. Mostly what Jim is tracking
> and what shows up in the sandnet. The compromised is fast flux, storm
> major peers, and others that show up as just plain and obviously
> hostile.

I noticed that the Australian Honeynet Project (I think it was the
Australians) have a fast flux script.  They were testing on 5
seconds...
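The "script to check each domain to see if it's fast-flux'ed" discussed above, sketched as an added example that is not code from the thread or from the Honeynet Project: repeated DNS polls of a domain are recorded as snapshots, and a domain is flagged when its answers churn across many IPs and many /16 networks with a short TTL. The thresholds, the /16 proxy for network diversity and the sample answer sets are assumptions constructed for the example (RFC 5737 documentation ranges, not real hosts).

```python
"""Fast-flux heuristic over repeated DNS answer sets (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Snapshot:
    """One DNS poll of a domain: the answer TTL (seconds) and the A records."""
    ttl: int
    addresses: tuple


def flux_metrics(snapshots):
    """Return (distinct_ips, distinct_slash16s, min_ttl) across all polls."""
    ips, nets = set(), set()
    for snap in snapshots:
        for addr in snap.addresses:
            ip = ip_address(addr)
            ips.add(ip)
            nets.add(int(ip) >> 16)  # /16 prefix: cheap stand-in for network/ASN diversity
    return len(ips), len(nets), min(s.ttl for s in snapshots)


def is_fast_flux(snapshots, min_ips=5, min_nets=3, max_ttl=300):
    """Flag a domain whose answers spread over many IPs and networks with a low TTL.

    The thresholds are illustrative assumptions; tune them against known-good
    CDN-hosted domains, which also rotate IPs but usually stay within few networks.
    """
    n_ips, n_nets, min_ttl = flux_metrics(snapshots)
    return n_ips >= min_ips and n_nets >= min_nets and min_ttl <= max_ttl


# Constructed sample polls (documentation address ranges, not real hosts).
STATIC_SITE = [  # same two hosts every poll, long TTL
    Snapshot(3600, ("192.0.2.10", "192.0.2.11")),
    Snapshot(3600, ("192.0.2.10", "192.0.2.11")),
    Snapshot(3600, ("192.0.2.11", "192.0.2.10")),
]
FLUX_DOMAIN = [  # fresh hosts in three different /16s every poll, 30 s TTL
    Snapshot(30, ("198.51.100.7", "203.0.113.44", "192.0.2.200")),
    Snapshot(30, ("198.51.100.99", "203.0.113.8", "192.0.2.201")),
    Snapshot(30, ("198.51.100.150", "203.0.113.120", "192.0.2.202")),
]

if __name__ == "__main__":
    for name, polls in (("static", STATIC_SITE), ("flux", FLUX_DOMAIN)):
        verdict = "fast-flux" if is_fast_flux(polls) else "static"
        print(name, flux_metrics(polls), verdict)
```

In live use each Snapshot would come from an actual lookup repeated at the chosen interval (the thread mentions testing at 5 seconds); the classifier only needs the collected answer sets and TTLs.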

