Full Disclosure mailing list archives

Re[2]: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)


From: Egoist <mastah () phreaker net>
Date: Mon, 14 Mar 2005 21:22:26 +0300

Hello Valdis,

Monday, March 14, 2005, 9:11:08 PM, you wrote:

VKve> On Mon, 14 Mar 2005 20:21:35 +0300, phased said:

VKve> > no they didn't, shit paper, nothing new, absolute crap, just publicity bollocks

VKve> (I haven't actually read the paper in question yet, but still..)

VKve> Notice that often, a "nothing new" paper can still be important just due to
VKve> readability by an audience other than the technical geeks.  For example, it's
VKve> been *years* since "Smashing the stack for fun and profit" made it all clear
VKve> for the bitheads among us - but would you give it to your upper management as
VKve> justification for a project?  No, you'd need to find a white paper that had
VKve> "nothing new" in it, but which stated it in a way that the threat becomes clear
VKve> even to a manager.  And writing something that's accessible by a *novice*
VKve> sysadmin that has maybe a year or two experience is an entirely different skill....

VKve> In fact, for some stuff like the FBI/SANS Top 20 we do every year, or the
VKve> Center for Internet Security benchmarks, if something is "new", it's almost
VKve> certainly out of scope - when I did a very early draft of what Hal Pomeranz
VKve> ended up making into the CIS Solaris benchmark, "Have I heard this point enough
VKve> times I want to gag" was one of the clearest indicators that something should
VKve> be in the guidelines...


> We start with an introduction to botnets and how they work, with

they work perfectly if coded not by kids; they use encrypted
communication, most of them moving to p2p technology to eliminate
servers. I'm not talking about that lame toolz like agobot and friends.

> examples of their uses. We then briefly analyze the three most common
> bot variants used. Next we discuss a technique to observe botnets,

technique to observe botnets: run vmware, go to sexocean.com, surf
porno, infect yourself, run tcpdump, spend months to understand
protocols, disassemble, try to reconstruct source code.

> allowing us to monitor the botnet and observe all commands issued by the
> attacker. We present common behavior we captured, as well as statistics

wow, really, you can?

> on the quantitative information learned through monitoring more than one
> hundred botnets during the last few months. We conclude with an overview
> of lessons learned and point out further research topics in the area of
> botnet-tracking, including a tool called mwcollect2 that focuses on
> collecting malware in an automated fashion.

I think I should implement fakemalware.c and fakemalware.h today, and so
kill your "technique" in an automated fashion.

-- 
Best regards,
 Egoist                            mailto:mastah () phreaker net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

