Full Disclosure mailing list archives

Re: Re: Know Your Enemy: Tracking Botnets (Thorsten Holz)


From: Steele <lists () lowkeysoft com>
Date: Mon, 14 Mar 2005 17:50:43 -0500

Valdis.Kletnieks () vt edu wrote:

> Notice that often, a "nothing new" paper can still be important just due to
> readability by an audience other than the technical geeks.  For example, it's
> been *years* since "Smashing the stack for fun and profit" made it all clear
> for the bitheads among us - but would you give it to your upper management as
> justification for a project?  No, you'd need to find a white paper that had
> "nothing new" in it, but which stated it in a way that the threat becomes clear
> even to a manager.  And writing something that's accessible by a *novice*
> sysadmin that has maybe a year or two experience is an entirely different skill...

Whether or not this is anything new, Valdis pretty much hit the nail on the head right there. Botnets, whether ircbots, spambots, proxybots or whatever have been around for years now. The problem is no one with the power to do anything knows enough to give a damn. These are the kind of papers we need floating around out there for some lowly tech at an ISP to be able to bring to their boss. Imagine if Comcast or Roadrunner or (insert big Inet company here) actually took the time to create a small team to analyze their traffic for even the most basic of bot giveaways and started cleaning up their network.

For those of us "in the know" IRCbots are the fodder of the bot and zombie world. You can't download a simple Britney Spears (or whatever the kids are into nowadays) naked screensaver off Usenet without running into an ircbot that dies about 24 hours later. And yet, start talking about the basics of how they work or what they do to some higher up and watch their eyes glaze over.

Until we can get those idiots to be more comfortable with the basics of what these networks are, they're never going to be taken seriously.

Like I said, IRCbots are pretty much fodder. Some of the better web based or p2p nets are a lot harder to come across and even harder to gain access to. And these suckers aren't being run by some bored teen with nothing better to do. They're run with a purpose and an organization behind them. Some of the data I've retrieved off the control servers had me pretty nervous. A couple million dollars' worth of bank account info is nothing to scoff at. That money has got to be going somewhere, and somehow I don't think it's for taking the kids to Disneyland.

Paper I released back in October that shows another type of network.
Not nearly as in depth :) you guys win :)
http://lowkeysoft.com/proxy/

</rant mode>

Sorry bout that :)
I only skimmed the paper, but overall I thought it was pretty good. I would have liked to see a bit more info on those DNS bots; I still haven't run across one of those yet. And I don't suppose you guys kept track of the average TTL of these nets? It was rare for me to find one that didn't die before I had the chance to shut it down.

-steele out

BTW: Due to "hardware problems" I've had to drop out of the game for a couple months. Should be up and running again by the end of this month. To the few people I was talking to before I disappeared: I lost your email addresses during the hardware issues :) hit me up :)

----------------------
LowKeysoft.com
-Tricking the tricksters
steele.lowkey[at]gmail.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

