Shadowserver to Build 'Sinkhole' Server to Find Errant Bots

Published 2008-09-25 (category: news)

The Shadowserver Foundation, a volunteer organization that gathers intelligence on the Internet's dark side, has begun building a so-called "sinkhole" server that poses as those now-defunct malicious domain servers in order to find out what they left behind.

The project, which is in the early phases, will allow Shadowserver to emulate both botnet IRC and HTTP traffic as a way to study those botnets as well as find bots that remain infected by them, says Steven Adair, a security expert with Shadowserver, who revealed the new project to attendees of the OWASP USA security conference here.

"There are still a lot of [machines] communicating with" these now-defunct servers, Shadowserver's Adair says.

Shadowserver then could trace those infected machines and alert the organizations whose machines or Web servers are still infected by the botnets, he says.

Shadowserver's sinkhole server will be able to accept incoming traffic from infected machines as they try to communicate with their former command and control server, for example.

One infamous HTTP-based botnet Shadowserver has been studying closely is Black Energy, which traditionally has been used for distributed denial-of-service (DDOS) attacks.

"It went from a mundane botnet to stealing [credentials] and taking when it can from the same infection."

Source: http://www.darkreading.com/document.asp?doc_id=164571&WT.svl=news1_2

Original post: https://www.cybersecurityinstitute.com/blog/index.php/2008/09/25/shadowserver-to-build-sinkhole-server-to-find-errant-bots/