Re: [fw-wiz] Botnets, IRC servers and firewalls?

From: Paul Robertson (
Date: 02/03/04

    To: Gadi Evron <>
    Date: Tue, 3 Feb 2004 08:45:01 -0500 (EST)

    On Tue, 3 Feb 2004, Gadi Evron wrote:

    > > I've yet to see a business need for BotNet clients to run successfully ;)
    > Perhaps application filtering for the Drone control protocol?

    Much better done in a controlled lab environment than on a production
    network. The bot connecting to a captive server isn't what I'd consider

    > Drone armies, although massive, are nothing special.
    > They are usually built of the same 2-4 Trojan horses that are big at
    > that time.

    Yep, but the point I'm making is that we have widespread infections inside
    companies "protected" by firewalls- while the firewalls are perfectly
    capable of supporting sane security policies that would block the 98th
    percentile of these things.

    > Filtering the traffic for their control protocol, on whatever port, or
    > their repetitive echo commands/ special connections to IRC servers under
    > certain IRC names or nickname/ident/name pattern-combinations is pretty
    > easy to do when you come to think about it.

    Exactly my point.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment, TruSecure Corporation
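
The filtering discussed in this thread, sketched as an added example that is not part of the original messages: it recognises IRC client registration (NICK/USER) on any destination port and flags flows that leave the approved server list or use a templated nickname. The flow records, the allowlist and the nickname pattern are constructed assumptions, not values from the thread.

```python
import re

# Constructed sample: (src, dst, dst_port, first client payload of the TCP flow)
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 6667, b"NICK alice\r\nUSER alice 0 * :Alice A\r\n"),
    ("10.0.0.21", "198.51.100.7", 8080,
     b"PASS x\r\nNICK USA|482913\r\nUSER kqzvw 0 * :kqzvw\r\n"),
    ("10.0.0.22", "198.51.100.7", 8080, b"NICK USA|771204\r\nUSER pmxrt 0 * :pmxrt\r\n"),
    ("10.0.0.9", "203.0.113.4", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

# Assumed egress policy: the only IRC server and port users may reach
ALLOWED_IRC = {("192.0.2.10", 6667)}
# Hypothetical templated nick shape: short prefix, separator, long digit run
DRONE_NICK = re.compile(r"^[A-Za-z]{2,4}[|\-_\[]\d{4,}\]?$")

def irc_registration(payload):
    """Return (nick, ident, realname) if the payload opens like an IRC client, else None."""
    nick = ident = real = None
    for raw in payload.split(b"\n")[:6]:       # registration happens in the first lines
        line = raw.strip().decode("latin-1")
        parts = line.split(" ")
        cmd = parts[0].upper()
        if cmd == "NICK" and len(parts) >= 2:
            nick = parts[1].lstrip(":")
        elif cmd == "USER" and len(parts) >= 5:
            ident = parts[1]
            real = line.split(" :", 1)[1] if " :" in line else parts[4]
    return (nick, ident, real) if nick and ident else None

def classify(flows):
    """Return (src, dst, port, nick, reasons) for each IRC flow that breaks policy."""
    findings = []
    for src, dst, port, payload in flows:
        reg = irc_registration(payload)
        if reg is None:
            continue                            # not IRC, whatever the port number
        reasons = []
        if (dst, port) not in ALLOWED_IRC:
            reasons.append("irc-to-unapproved-server")
        if DRONE_NICK.match(reg[0]):
            reasons.append("drone-nick-pattern")
        if reasons:
            findings.append((src, dst, port, reg[0], reasons))
    return findings

if __name__ == "__main__":
    for finding in classify(FLOWS):
        print(finding)
```

The allowlist check alone catches both constructed drone flows, which is the default-deny egress point made in the reply; the nickname pattern only adds triage detail.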
