Full Disclosure mailing list archives
Re[4]: Know Your Enemy: Tracking Botnets
From: Egoist <mastah () phreaker net>
Date: Mon, 14 Mar 2005 15:26:55 +0300
Hello Randall,

Monday, March 14, 2005, 2:49:41 PM, you wrote:

RM> Now that you two have reacquainted yourselves can we get back to the paper?
RM>
RM> -----Original Message-----
RM> From: full-disclosure-bounces () lists grok org uk
RM> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of pingywon
RM> Sent: Sunday, March 13, 2005 10:02 PM
RM> To: Egoist
RM> Cc: full-disclosure () lists grok org uk; honeypots () securityfocus com;
RM> dailydave
RM> Subject: Re: Re[2]: [Full-disclosure] Know Your Enemy: Tracking Botnets
RM>
RM> hello cock monger
RM>
RM> ~pingywon
RM>
RM> ----- Original Message -----
RM> From: "Egoist" <mastah () phreaker net>
RM> To: "pingywon" <pingywon () hotmail com>
RM> Cc: "Thorsten Holz" <thorsten.holz () mmweg rwth-aachen de>; "dailydave"
RM> <dailydave () lists immunitysec com>; <honeypots () securityfocus com>;
RM> <full-disclosure () lists grok org uk>
RM> Sent: Sunday, March 13, 2005 10:40 PM
RM> Subject: Re[2]: [Full-disclosure] Know Your Enemy: Tracking Botnets
RM>
RM> Hello pingywon,
RM>
RM> Monday, March 14, 2005, 6:22:43 AM, you wrote:
RM>
RM> p> haha .. I didnt think anyone was REALLY named Thorsten
RM> p> ... I mean good paper....
RM> p>
RM> p> ~pingywon
RM> p>
RM> p> ----- Original Message -----
RM> p> From: "Thorsten Holz" <thorsten.holz () mmweg rwth-aachen de>
RM> p> To: "dailydave" <dailydave () lists immunitysec com>;
RM> p> <honeypots () securityfocus com>; <full-disclosure () lists grok org uk>
RM> p> Sent: Sunday, March 13, 2005 10:08 PM
RM> p> Subject: [Full-disclosure] Know Your Enemy: Tracking Botnets
RM> p>
RM> p> Greetings,
RM> p>
RM> p> The Honeynet Project and Research Alliance is excited to announce the
RM> p> release of a new paper "KYE: Tracking Botnets". This paper is based on
RM> p> the extensive research by the German Honeynet Project.
RM> p>
RM> p> KYE: Tracking Botnets
RM> p> http://www.honeynet.org/papers/bots/
RM> p>
RM> p> Abstract:
RM> p> ---------
RM> p> Honeypots are a well known technique for discovering the tools, tactics,
RM> p> and motives of attackers. In this paper we look at a special kind of
RM> p> threat: the individuals and organizations who run botnets. A botnet is a
RM> p> network of compromised machines that can be remotely controlled by an
RM> p> attacker. Due to their immense size (tens of thousands of systems can be
RM> p> linked together), they pose a severe threat to the community. With the
RM> p> help of honeynets we can observe the people who run botnets - a task that
RM> p> is difficult using other techniques. Due to the wealth of data logged, it
RM> p> is possible to reconstruct the actions of attackers, the tools they use,
RM> p> and study them in detail. In this paper we take a closer look at botnets,
RM> p> common attack techniques, and the individuals involved.
RM> p>
RM> p> We start with an introduction to botnets and how they work, with examples
RM> p> of their uses. We then briefly analyze the three most common bot variants
RM> p> used. Next we discuss a technique to observe botnets, allowing us to
RM> p> monitor the botnet and observe all commands issued by the attacker. We
RM> p> present common behavior we captured, as well as statistics on the
RM> p> quantitative information learned through monitoring more than one hundred
RM> p> botnets during the last few months. We conclude with an overview of
RM> p> lessons learned and point out further research topics in the area of
RM> p> botnet-tracking, including a tool called mwcollect2 that focuses on
RM> p> collecting malware in an automated fashion.
RM> p>
RM> p> Thank you for your time,
RM> p> Thorsten Holz, on behalf of the GHP
RM> p> (http://www-i4.informatik.rwth-aachen.de/lufg/honeynet)
RM> p>
RM> p> _______________________________________________
RM> p> Full-Disclosure - We believe in it.
RM> p> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
RM> p> Hosted and sponsored by Secunia - http://www.secunia.com/
RM>
RM> lol i am too shit my botnet just increases in size wow
RM>
RM> --
RM> Best regards,
RM> Egoist                            mailto:mastah () phreaker net

today i see strange packets coming to my bots, mostly trying to spoof
authorization requests, mostly UDP, but of course those bad guys even
can't fix request checksum

the war begins?

--
Best regards,
Egoist                            mailto:mastah () phreaker net
Current thread:
- Know Your Enemy: Tracking Botnets Thorsten Holz (Mar 13)
- Re: Know Your Enemy: Tracking Botnets pingywon (Mar 13)
- Re[2]: Know Your Enemy: Tracking Botnets Egoist (Mar 13)
- Re: Re[2]: Know Your Enemy: Tracking Botnets pingywon (Mar 13)
- RE: Re[2]: Know Your Enemy: Tracking Botnets Randall M (Mar 14)
- Re[2]: Know Your Enemy: Tracking Botnets Egoist (Mar 13)
- Re: Know Your Enemy: Tracking Botnets pingywon (Mar 13)
- <Possible follow-ups>
- Re[4]: Know Your Enemy: Tracking Botnets Egoist (Mar 14)