Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Slow Bruteforce Botnet(s) May Be Learning

Posted by kdawson on from the knock-who's-there-knock dept.

badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.

4 of 327 comments (clear)

  1. Re:How do the botnets know it's OpenBSD? by MichaelSmith · · Score: 4, Insightful

    Probably it is just avoiding secure hosts, like yours. OpenBSD hosts tend to be secure because it is selected by people who put security before other requirements.

    --
    http://michaelsmith.id.au
  2. Re:AI by Al+Dimond · · Score: 4, Insightful

    My understanding of botnets is that all their activity is centrally coordinated: the bots sit in an IRC channel waiting for orders and do what they're ordered to do. It doesn't seem likely to me that the listeners are doing anything very sophisticated here. As it's always been with brute-force attacks, There are lots of target hosts, lots of usernames and passwords to try, and lots of bots to try them. Assuming every attempt gives you about the same odds of success it doesn't matter much what order you try them in. So some people changed the order, and changed the way they divide up work, to avoid detection.

    I won't deny that it's a clever adaption, or claim I definitely would have thought of it in their situation. But as far as adaptivity goes, the major tactical advance came from an explicit change in behavior by the botnet masters themselves. The parts of the software that might be adaptive, slowing down attempts on hosts where they are repeatedly unsuccessful and avoiding OpenBSD boxes, were probably specifically programmed to adapt in these ways. They're no more advanced than, say, TCP flow control behavior, or P2P programs.

  3. Re:Economics by he-sk · · Score: 4, Insightful

    Are you implying that the botnets operators are in bed with their adversaries? If so, why not spell it out? And who are these fighters exactly? Anti-virus firms, sysadmins, politicians?

    What you write sounds a bit like the broken window fallacy. Specifically, if there were no botnets those who are fighting them could use their time to pursue other goals most likely creating value elsewhere. Meanwhile, there would be no damage done by botnets, resulting in a net plus.

    --
    Free Manning, jail Obama.
  4. Oh great by coryking · · Score: 4, Insightful

    Here. I admit. I'm part of the so-called "whitehat guys" who profit from stoping the botnets. But since I have no ethics or morals, I dont really stop them, I just give them kickbacks to make it look like I'm stopping them.

    Now excuse me while I go get a back massage on from the hot ladies serving me martinis on the beach in Tahiti. Me and my fellow whitehats are making millions off you poor fools. If you only knew!

    (adjust your tinfoil good sir, you are blocking the wrong signals)