Full Disclosure mailing list archives
Re: Re[6]: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)
From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Mar 2005 21:15:39 -0500
On Mon, 14 Mar 2005 23:26:46 +0300, Egoist said:
> Yes, you're right. How many computers exist on earth? 3m? 9m? 20m? Is 3,000,000 really a big number if we have other undetected malware that ownz 9,000,000 boxes? Maybe I just misunderstand you, but I am trying to inform you that there are millions of computers infected with malware that is just not caught by AV.
I'm just objecting to the attitude that "since there's lots of computers that have problems not caught by AV, we should totally ignore any discussion of the ones that *are* easily detectable". If there's 3M agobot boxes (probably a low estimate) and 9M "undetected" malware boxes, that still means that we can find and fix 25% of the problem...
> Know why? Because even a stupid script kiddie can download an iframe/ani/css exploit from *sec*.com, write a basic loader, put all this shit on their website, buy traffic from some traffic traders, change 1 #define in agobot (irc server) and 1 #define (channel), then buy a dedicated server, set up ircd and become a "cool hacker".
If you can't get the techies and managers to the point where they can usefully deal with the script kiddie bots, there's no hope of dealing with more stealthy stuff. Also, you have to remember that the script kiddie bots are, if anything, *more* dangerous than the stealthy stuff, precisely because they're run by script kiddies. Compare the number of people killed by professional assassins and the number of people killed by hot-headed gang members, and ponder for a bit....
> Do you think your tcpdump shows all traffic? (it uses the windowz API) Do you think your process explorer shows all processes? (it uses the windowz API too)
Actually, my tcpdump uses 'socket(PF_NETLINK, SOCK_RAW, 0)', and my /bin/ps pokes around in /proc. There's no Windows API here. ;) (And yes, I know how to use a loadable kernel module to cloak stuff on this system, and how to do it if there's no kernel module support, and yes, there's stuff in place to make it more difficult for one of those critters to get itself installed...)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
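The reply above makes the point that on Linux /bin/ps simply reads /proc, so a kernel module that filters the /proc directory listing hides a process from ps. The following is an added example, not code from the thread or from any of its participants: a defender-side cross-view check that compares the readdir() view of /proc with a brute-force probe of the PID space via kill(pid, 0), a second kernel path a cloaking module would have to hook separately. The `classify` step is there to keep the comparison honest: PIDs that are really thread IDs (which never appear in the /proc listing) are recognised through the `Tgid:` field of /proc/<pid>/status, and processes that started or exited between the two scans are discarded as races. The default pid_max fallback of 32768 and the synthetic sets in the usage are assumptions made for this example.

```python
"""Cross-view check for hidden processes on Linux (added example).

View 1: PIDs listed by readdir() on /proc, which is what ps and top use.
View 2: PIDs that answer kill(pid, 0), which needs no /proc at all.
A PID alive in view 2 but missing from view 1 is either a race, a thread
ID, or a process that something is hiding from the directory listing.
"""
import os


def self_pid():
    """PID of the running interpreter (helper for stand-alone checks)."""
    return os.getpid()


def pids_from_proc_listing():
    """PIDs visible by listing /proc (the view ps relies on)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """Probe one PID with a null signal: ESRCH means no such process,
    EPERM means it is alive but owned by someone else, success means alive."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def max_pid():
    """Upper bound of the PID space from the kernel's pid_max sysctl."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return 32768  # assumption: classic default when the sysctl is unreadable


def pids_from_probe(limit=None):
    """PIDs found by probing every number from 1 up to limit (default pid_max)."""
    limit = max_pid() if limit is None else limit
    return {pid for pid in range(1, limit + 1) if pid_exists(pid)}


def classify(pid):
    """Re-examine one PID on which the two views disagreed.

    Returns "gone" (exited since the probe), "listed" (appeared since the
    listing), "thread" (a thread ID, which /proc never lists as a top-level
    entry) or "hidden" (alive per kill() yet absent from the listing).
    """
    if not pid_exists(pid):
        return "gone"
    if str(pid) in os.listdir("/proc"):
        return "listed"
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    tgid = int(line.split()[1])
                    return "thread" if tgid != pid else "hidden"
    except OSError:
        pass
    # Alive per kill() but its /proc entry is unlisted and unreadable:
    # that is exactly the footprint a /proc-filtering module leaves.
    return "hidden"


def hidden_pids(listed, probed, classify=classify):
    """PIDs present in the probe view, absent from the listing view, and
    still classified as hidden after the race and thread checks."""
    return {pid for pid in probed - listed if classify(pid) == "hidden"}


if __name__ == "__main__":
    listed = pids_from_proc_listing()
    probed = pids_from_probe()
    suspects = hidden_pids(listed, probed)
    print(f"listed={len(listed)} probed={len(probed)} hidden={sorted(suspects)}")
```

Run it as root for the full PID range; as an unprivileged user the EPERM answers still count as "alive", so the probe view is complete even though /proc/<pid>/status of other users' processes may be unreadable on a /proc mounted with hidepid, which this check will then (correctly) report as hidden. The same two-view idea extends to sockets (compare /proc/net/tcp against a raw netlink or packet-socket view), which is the other half of the tcpdump point made in the thread.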
Current thread:
- Re: Know Your Enemy: Tracking Botnets (Thorsten Holz) David Jungerson (Mar 14)
- Re: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) phased (Mar 14)
- Re: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Valdis . Kletnieks (Mar 14)
- Re[2]: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Egoist (Mar 14)
- Re: Re[2]: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Valdis . Kletnieks (Mar 14)
- Re[4]: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Egoist (Mar 14)
- Re: Re[4]: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Valdis . Kletnieks (Mar 14)
- Re[6]: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Egoist (Mar 14)
- Re: Re[6]: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Valdis . Kletnieks (Mar 14)
- Re: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Valdis . Kletnieks (Mar 14)
- Re: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Thorsten Holz (Mar 14)
- Re: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) phased (Mar 14)
- Re: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Thorsten Holz (Mar 14)
- RE: Re: Know Your Enemy: Tracking Botnets(ThorstenHolz) Aditya Deshmukh (Mar 14)