-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Dear team,
Typically botnets have victims in many countries, though, right? How did they manage to contain their bots to just UAE hosts?
Back in 2008, a variant of the Conficker worm wouldn't infect Ukrainian hosts. It used to look at the victim's IP address and keyboard layout to figure out where you are from. I suppose you can do the reverse to target only UAE users, despite some false positives and negatives.
Such behavior is not uncommon. The botherders will look for user agent strings, language packs, IP-to-CC (country code) mappings, and the like. Some of their customers are discriminating, e.g. "I only want bots in South Korea." The reasons range from spam sourcing to DDoS to gaming mayhem. There are multiple bots that report their CC as part of their nickname. Be well, Rabbi Rob. - -- Rabbi Rob Thomas Team Cymru "It is easy to believe in freedom of speech for those with whom we agree." - Leo McKern -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJYyVvtAAoJEEPoYWL6hfKNYR8P/0Z53X3BS05ygXb2Ff3SbAxa kNXL0nVGZ9bA3Fdk2evGNhLkXT0fUuEvuFreiVmglCWbIE/3LMVsLAj3EC+qNMIY UfghUG0vyGQAATkzzkvHuC2NEVv0OcmzIYLbCr+rbpCKhYfvQ54OvpX+K4mW4X1a yrVPTzXXjoeR94wXGVbn6GmMXbXhrwy5jVtegzHKhYNHN9eTOJCMFpmdsPgYASVl OuFIjBpqNLG8sjo5T8znRTwn1uy4uKGyaLVsRhyCyXRK3fXPnNgrDBl2u5qijY0t MBL2A0SYRFEuwaiNGMAqnOiAJNQIe8u02xaN3QgAHIRaRsBH+dUMY8WQC9FOvEb5 t9dExm8KNfDgi2PlwcFqSJxdOyt2T264PNs/yAHIBBNvkL3/sq8FB18aIFBab3iI wY2sve9nOPXl4noKM1KszHHZ3zl3njYxhfoBUMgX9JW8U/Juedqn1X3ddwQcJGN7 nvTz4GwmcydoMe+g5XSYc+4GK7Cwzog16fFypnrjfC8nwY6OtCVP2Kj9fLb8zfyK QavF3MM0cojzjPJvmxQB5vEwpZCPUHYDuCSflhUKDh+p3LvXTq0vFJaNtI0uyy/Z ZTiQ04YXMrX5Jbnxc2KxzIwvtX8dgo3aDtRg6Z8IEkDTm7FpiPEQA8V6yM0nU4rs RCoWBpkaZnJn4eAei1ZL =C3Ys -----END PGP SIGNATURE-----