To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

If you already know the DNS, just force responses to 0.0.0.0 at your DNS gateway. Additionally add a Snort rule for these queries that firewalls the infected clients totally out. Then tell the owners to manually disinfect, as `.remove' commands are highly unreliable and the syntax varies anyway.
Regards,
Georg 'oxff' Wicherski

DJD wrote:
> Hi list!!
>
> I would like to know how many zombie hosts are within my network...
> What about a sink hole network?
>
> I couldn't detect a new botnet in that way... but could I be aware of
> how many hosts are being used by each botnet (detected previously)
> within my network (without having a sensor in each segment of my
> network /16) by a configuration into the DNS to resolve the domain into
> the sink hole network?
>
> The idea is that the IP resolved by the DNS can even have an IRC, HTTP
> etc. (the same as the original C&C server) in order to simulate the
> botnet and even send a "remove" command to stop the malware process in
> the zombie host.
>
> Do you see it as a feasible solution to minimize the number of zombies
> in my network?
>
> I know it wouldn't stop the infection or any external or internal
> compromise, but right now I would like to stop the use of our hosts
> for illegal purposes.
>
> --
> ------------------
> DJD
>
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
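As an added illustration (not code from Georg's or DJD's messages), the Python below does the two defensive things the thread discusses: it counts zombies per sinkholed C&C name from the resolver's query log, so you get the per-botnet host count DJD asks about without a sensor per segment, and it emits the Snort 2 DNS-query rules Georg suggests by encoding each name in DNS wire format. The log lines, domain names, botnet labels, /16 and sid range are constructed placeholders.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of BIND-style query log lines (placeholder data).
SAMPLE_LOG = """\
client 10.20.1.5#51123: query: evil-c2.example IN A + (10.20.0.2)
client 10.20.3.9#41001: query: www.example.org IN A + (10.20.0.2)
client 10.20.1.5#51124: query: evil-c2.example IN A + (10.20.0.2)
client 10.20.7.77#60001: query: EVIL-C2.EXAMPLE IN A + (10.20.0.2)
client 10.20.9.4#55555: query: other-bot.example IN A + (10.20.0.2)
client 192.0.2.10#33333: query: evil-c2.example IN A + (10.20.0.2)
"""

# Hypothetical sinkholed C&C names mapped to the botnet they belong to.
SINKHOLED = {"evil-c2.example": "botnet-A", "other-bot.example": "botnet-B"}

LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN ")

def count_zombies(log_text, sinkholed, home_net):
    """Return {botnet: set of client IPs} for sinkholed lookups from home_net."""
    net = ip_network(home_net)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Names are case-insensitive; resolvers may log mixed case.
        client, qname = m.group(1), m.group(2).rstrip(".").lower()
        if qname in sinkholed and ip_address(client) in net:
            hits[sinkholed[qname]].add(client)
    return dict(hits)

def snort_content(qname):
    """Encode a name as length-prefixed labels, the form a DNS query carries."""
    labels = qname.rstrip(".").split(".")
    return "".join("|%02X|%s" % (len(l), l) for l in labels) + "|00|"

def snort_rule(qname, sid):
    """Snort 2 rule alerting on any internal client querying the sinkholed name."""
    return ('alert udp $HOME_NET any -> any 53 (msg:"Sinkholed C&C DNS query %s"; '
            'content:"%s"; nocase; sid:%d; rev:1;)' % (qname, snort_content(qname), sid))

if __name__ == "__main__":
    for bot, clients in sorted(count_zombies(SAMPLE_LOG, SINKHOLED, "10.20.0.0/16").items()):
        print(bot, len(clients), sorted(clients))
    for sid, name in enumerate(sorted(SINKHOLED), start=1000001):
        print(snort_rule(name, sid))
```

Feed it your own resolver log and sinkhole list; the rule output is meant to go into a local Snort rules file, where the alert (or a drop action) then backs the firewalling Georg describes.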
