Full Disclosure mailing list archives

Re: Re[6]: Re: Know Your Enemy: Tracking Botnets (Thorsten Holz)


From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Mar 2005 21:15:39 -0500

On Mon, 14 Mar 2005 23:26:46 +0300, Egoist said:

> Yes, you're right.
> How many computers exist on earth? 3m? 9m? 20m?
>
> Is 3,000,000 really a big counter if we have another undetected malware
> that ownz 9,000,000 boxes?
>
> Maybe I just misunderstand you, but I try to inform you that there are
> millions of computers infected with malware that just aren't caught by
> AV.

I'm just objecting to the attitude that "since there's lots of computers
that have problems not caught by AV, we should totally ignore any discussion
of the ones that *are* easily detectable".

If there's 3M agobot boxes (probably a low estimate) and 9M "undetected" malware
boxes, that still means that we can find and fix 25% of the problem...

> Know why? Because even a stupid script kiddie can download an iframe/ani/css
> exploit from *sec*.com, write a basic loader, put all this shit
> on their website, buy traffic from some traffic traders,
> change 1 #define in agobot (irc server) and 1 #define (channel), then
> buy a dedicated server, set up ircd and become a "cool hacker".

If you can't get the techies and managers to the point where they can usefully
deal with the script kiddie bots, there's no hope of dealing with more stealthy
stuff.

Also, you have to remember that the script kiddie bots are, if anything, *more*
dangerous than the stealthy stuff, precisely because they're run by script
kiddies. Compare the number of people killed by professional assassins and the
number of people killed by hot-headed gang members, and ponder for a bit....

> Do you think your tcpdump shows all traffic? (it uses windowz API)
> Do you think your process explorer shows all proc's? (it uses windowz
> API too)

Actually, my tcpdump uses 'socket(PF_NETLINK, SOCK_RAW, 0)', and my /bin/ps
pokes around in /proc.  There's no Windows API here. ;)

(And yes, I know how to use a loadable kernel module to cloak stuff on this
system, and how to do it if there's no kernel module support, and yes, there's
stuff in place to make it more difficult for one of those critters to get
itself installed...)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
