I just read this very interesting post on self-destructing botnets.
The post refers to security experts saying that the kill switch may be used to remove evidence, and to buy phishers time to get away with information - i.e. stealing the info, then killing the net and creating havoc.
I say think like a criminal here. When you have stolen the data, there is really no need to create havoc just to postpone the discovery of the theft. Actually, I believe that by pushing the kill switch, the criminal is actually getting more attention than if he did not. If I had such a botnet installed, I would use it to gather intelligence over time. I can see only two reasons to push the kill switch:
- The botnet has served its purpose, and you'd like to remove the evidence (still, I would put it to sleep, not kill it...)
- Prove that I control the net, and can take it out unless you pay ransom. But - I would only take out a portion to prove it, and the rest only if they do not pay up.
What reasons do you think a botnet master would have to flip the kill switch?


