Catching a Virus Writer
Kelly Martin, 2004-06-02

With the consumer WiFi explosion, launching a virus into the wild has never been easier and more anonymous than it is today.

Catching a Virus Writer 2004-06-03
Anonymous (1 replies)
Catching a Virus Writer 2004-06-08
Roger
Virus companies hire virus writers 2004-06-04
Me (2 replies)
Virus companies *use* virus writers 2004-06-04
Almost Anonymous (1 replies)
Virus companies hire virus writers 2004-06-07
Hardly Anonymous (1 replies)
Virus companies vs the thin red line 2004-06-09
Almost Anonymous
Catching a Virus Writer 2004-06-04
Anonymous
wifi and a good time was had by all 2004-06-05
x (4 replies)
wifi and a good time was had by all 2004-06-08
RogueClient (1 replies)
wifi and a good time was had by all 2004-06-09
Oxfordshire goths
wifi and a good time was had by all 2004-06-08
R0V3N (1 replies)
attacks on the poster "x" 2004-06-09
junctionboxmodeming
wifi and a good time was had by all 2004-06-09
Definitly Anonymous
Catching a Virus Writer 2004-06-07
jb (2 replies)
Catching a Virus Writer 2004-06-08
Roger
> I have found IRC bots on people's computers and it really is not that hard to find out where they are accessing, e.g. Connects to a predefined IRC channel, using its own IRC client, and listens for the commands from the attacker. I mean get real.. just get on the network.

Problem is that a lot of them are in (or bounced through) countries that aren't particularly co-operative. We could use technical measures to disconnect them, but that is ethically dubious, and likely to hurt a lot of innocent bystanders. Also, some of the smarter ones use many redundant servers. For example, if you read the recent Security Focus article on Beagle, you'd notice that altogether, various incarnations used eighty-two different hosts to "phone home"; many of these hosts were in Russia. Others were on free throw-away accounts at free usage websites, which were discarded within days - after they had collected control lists of infected PCs, and before the AV companies had reverse engineered (or in some cases, even discovered) the new variant.

Nevertheless, there have been some attempts at technical intervention. For example on Steve Gibson's site:
http://grc.com
you can read about Steve's efforts to backtrack from a DDoS attack on his site, to an infected PC, back to the controlling IRC channel.


Link to this comment: http://www.securityfocus.com/comments/columns/246/26647#26647
Catching a Virus Writer 2004-06-09
Anonymous
Catching a Virus Writer 2004-06-07
frederik
Creating a Virus Writer 2007-08-21
Anonymous







 

Copyright 2007, SecurityFocus