Question
Why do researchers need to control all C&C servers of a botnet?
Wouldn't it be easier to spread a deinstall command to all reachable PCs to cripple the botnet? This could be done over and over again until most PCs are clean.
Apparently I don't know enough about botnets, so please help me out. Do clients check commands from multiple sources? I.e. in a P2P botnet, do they accept multiple commands from various other bots and then compare them to check which one is valid? Same for C&C servers: will they connect to the first active C&C and execute whatever command is placed there? If so, the only two things hindering researchers from using the botnet infrastructure are access to C&C servers and possibly the encryption keys needed to send valid commands.
The point is that simply removing the C&C servers leaves the affected PC wide open, and possibly even in a state where it constantly tries to communicate with other bots / download commands. So if another C&C server ever becomes reachable, the bots will be active again.
A possible reason that sprang to my mind was that deinstalling anything from a target PC could possibly be seen as an unlawful interaction with someone's PC.
Explanation / Answer
In answer to your questions about bots: this depends on the bot itself. I mean, it is up to its designer to decide how the bot receives commands.
The 'traditional' method is of course to connect to an IRC channel and wait for instructions.
P2P is often more difficult to implement (due to NAT/port forwarding) and easier to detect (because holes in firewalls are easier to see).
'Taking ownership' of C&C servers is primarily to ensure that nobody else does, even by accident, and primarily to ensure that an IP address does not get 'hammered' too much if the IP is allowed back into general circulation (for example, imagine a botnet of 2 million machines hitting an IP address once per day; that's 1388.8 TCP connections per minute, which could have a detrimental effect).
As for 'not self destructing' the bots themselves, it is because it is not ethical to run code on another machine without the user's consent (even if it is for their own good). It's possible that the removal might require a reboot in some cases, or might affect running processes. (If my machine reboots without my knowledge I am going to go out hunting for blood. Can you imagine the backlash if the uninstall process caused some damage by accident?)