So, one Washington Times reporter did what a whole "Can Spam" act couldn't do, make a significant dent in spam. It is still down 2/3, which worldwide is huge!
As a designer of anti-spam software at www.maysoft.com/, it did make me start to think that if we could figure out how the botnets work technically, then we could begin to shut them down. To defeat an enemy, you must think like them. So, to understand how to build a botnet in detail, I decided to do a "thought experiment" of building a sustainable fault tolerant botnet system. So, the first thing we need are some requirements. The "requirements" if one were to build a botnet, would be the following:
- A master server (host) that gives instructions to all the bots
- Bots need to check into a host daily to get instructions
- Host needs to be able to give it pointers to a list of email recipients and the message(s) for today
- Host needs to give bot a number of messages to run (or instructions to run the whole list)
- Fault tolerance - Botnet needs to tolerate if a host is unavailable, having the ability to look for another host
Requirement 5 is interesting, as it applies to McColo going off-line, and the recent reduction of spam by 2/3 because the bots are not sending billions of messages. Why? Because they have no controlling host to get instructions from. Where are the botnets going to go next? The spammers have deployed an amazing grid computing platform. I have to believe anyone capable of building such a platform would have thought about what happens if the host becomes unavailable, making it a single point of failure? My design would be for it to try other servers if the default host is unavailable for 1 day.
How to do that? This was a puzzle at first. If you just hard code IP addresses, you give computer forensic researchers (anti-virus companies, government agencies, and hackers) a list of all of your servers. Not a good idea if you run an illegal operation. So, you would generate DNS names randomly. Then look for them. But if you do it randomly, how can the host know which DNS names to create?
The answer for my design would be to have the bots try to connect to a domain name and use DNS to find the server. For example, spammer1.com, spammer2.com, etc. This is still pretty easy to stop. So my design would be to have the domain names generated by the bots based on an algorithm based on date, so they are dynamic. The spammer creates the new domains as needed and points them to the new host computer. This could change daily to avoid the problem of cutting off one host. (Frank's note: This answer is too basic. I think their actual system is more clever than this simple approach).
So that is my idea of how to design a botnet. So when these zombies start reconnecting, and my guess is soon, unfortunately these millions of compromised computers will start to spew more spam.
So the answer here seems to be to find ways to locate and disable the host computers. I prefer technical solutions to legal ones. But in this case, if the techies can notify the government(s) where these hosts are located, maybe that one-two punch will really help to "Can Spam" !
(Read my other postings about Lotus Notes Spam at http://blog.maysoft.org )
No comments:
Post a Comment