Re[4]: Know Your Enemy: Tracking Botnets

[Egoist <mastah () phreaker net>]

Hello Randall,

Monday, March 14, 2005, 2:49:41 PM, you wrote:

RM> Now that you two have reacquainted yourselves can we can back to the paper? 

RM> -----Original Message-----
RM> From: full-disclosure-bounces () lists grok org uk
RM> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of pingywon
RM> Sent: Sunday, March 13, 2005 10:02 PM
RM> To: Egoist
RM> Cc: full-disclosure () lists grok org uk; honeypots () securityfocus com;
RM> dailydave
RM> Subject: Re: Re[2]: [Full-disclosure] Know Your Enemy: Tracking Botnets

RM> hello cock monger


RM> ~pingywon
RM> ----- Original Message -----
RM> From: "Egoist" <mastah () phreaker net>
RM> To: "pingywon" <pingywon () hotmail com>
RM> Cc: "Thorsten Holz" <thorsten.holz () mmweg rwth-aachen de>; "dailydave"
RM> <dailydave () lists immunitysec com>; <honeypots () securityfocus com>;
RM> <full-disclosure () lists grok org uk>
RM> Sent: Sunday, March 13, 2005 10:40 PM
RM> Subject: Re[2]: [Full-disclosure] Know Your Enemy: Tracking Botnets


> > Hello pingywon,
> >
> > Monday, March 14, 2005, 6:22:43 AM, you wrote:
> >
> > p> haha .. I didnt think anyone was REALLY named Thorsten
> >
> > p> ... I mean good paper....
> >
> > p> ~pingywon
> >
> >
> > p> ----- Original Message ----- 
> > p> From: "Thorsten Holz" <thorsten.holz () mmweg rwth-aachen de>
> > p> To: "dailydave" <dailydave () lists immunitysec com>;
> > p> <honeypots () securityfocus com>; <full-disclosure () lists grok org uk>
> > p> Sent: Sunday, March 13, 2005 10:08 PM
> > p> Subject: [Full-disclosure] Know Your Enemy: Tracking Botnets
> >
> >
> > > > Greetings,
> > > >
> > > > The  Honeynet Project and Research Alliance is excited to announce the
> > > > release of a new paper "KYE: Tracking Botnets". This paper is based on
> > > > the extensive research by the German Honeynet Project.
> > > >
> > > >     KYE: Tracking Botnets
> > > >     http://www.honeynet.org/papers/bots/
> > > >
> > > > Abstract:
> > > > ---------
> > > >
> > > > Honeypots are a well known technique for discovering the tools,
RM> tactics,
> > > > and motives of attackers. In this paper we look at a special kind of
> > > > threat: the individuals and organizations who run botnets. A botnet is
RM> a
> > > > network of compromised machines that can be remotely controlled by an
> > > > attacker. Due to their immense size (tens of thousands of systems can
RM> be
> > > > linked together), they pose a severe threat to the community. With the
> > > > help of honeynets we can observe the people who run botnets - a task
> > > > that is difficult using other techniques. Due to the wealth of data
> > > > logged, it is possible to reconstruct the actions of attackers, the
> > > > tools they use, and study them in detail. In this paper we take a
RM> closer
> > > > look at botnets, common attack techniques, and the individuals
RM> involved.
> > > > We start with an introduction to botnets and how they work, with
> > > > examples of their uses. We then briefly analyze the three most common
> > > > bot variants used. Next we discuss a technique to observe botnets,
> > > > allowing us to monitor the botnet and observe all commands issued by
RM> the
> > > > attacker. We present common behavior we captured, as well as statistics
> > > > on the quantitative information learned through monitoring more than
RM> one
> > > > hundred botnets during the last few months. We conclude with an
RM> overview
> > > > of lessons learned and point out further research topics in the area of
> > > > botnet-tracking, including a tool called mwcollect2 that focuses on
> > > > collecting malware in an automated fashion.
> > > >
> > > > Thank you for your time,
> > > >    Thorsten Holz, on behalf of the GHP
> > > > (http://www-i4.informatik.rwth-aachen.de/lufg/honeynet)
> > > >
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://www.secunia.com/
> > p> _______________________________________________
> > p> Full-Disclosure - We believe in it.
> > p> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > p> Hosted and sponsored by Secunia - http://www.secunia.com/
> >
> > lol i am too
> >
> > shit my botnet just increases in size wow
> >
> > -- 
> > Best regards,
> >  Egoist                            mailto:mastah () phreaker net
RM> _______________________________________________
RM> Full-Disclosure - We believe in it.
RM> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
RM> Hosted and sponsored by Secunia - http://www.secunia.com/

today i see strange packets coming to my bots, mostly trying to spoof
authorization requests, mostly UDP, but of course those bad guys even can't fix
request checksum

the war begins?

-- 
Best regards,
 Egoist                            mailto:mastah () phreaker net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/