[tor-project] New UAE Users

Rabbi Rob Thomas robt at cymru.com
Wed Mar 15 15:21:20 UTC 2017


Dear team,

>> Typically botnets have victims in many countries, though, right?
>> How did they manage to contain their bots to just UAE hosts?
> 
> Back in 2008, a variant of the Conficker worm wouldn't infect
> Ukrainian hosts.  It used to look at the victim's IP address and
> keyboard layout to figure out where you are from.  I suppose you
> can do the reverse to target only UAE users, despite some false
> positives and negatives.

Such behavior is not uncommon.  The botherders will look for user
agent strings, language packs, IP-to-CC (country code) mappings, and
the like.  Some of their customers are discriminating, e.g. "I only
want bots in South Korea."  The reasons range from spam sourcing to
DDoS to gaming mayhem.

There are multiple bots that report their CC as part of their nickname.

Be well,
Rabbi Rob.
-- 
Rabbi Rob Thomas                                           Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
    agree." - Leo McKern
