Full Disclosure mailing list archives
Re: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Mon, 14 Mar 2005 19:57:32 +0100
Egoist wrote:
> > We start with an introduction to botnets and how they work, with
> they work perfectly if coded not by kids, they use crypted communication, most of them moving to p2p technology to eliminate servers
Did you read the whole paper? To repeat parts of the conclusion: "[...] Since our current approach focuses on bots that use IRC for C&C, we focused in the paper on IRC-based bots. We have also observed other bots, but these are rare and currently under development. In a few months/years more and more bots will use non-IRC C&C, potentially decentralized p2p-communication. [...]" And yes, there are of course also bots that use encrypted communication or IPv6-only botnets.
> > examples of their uses. We then briefly analyze the three most common bot variants used. Next we discuss a technique to observe botnets,
> technique to observe botnets: run vmware, go to sexocean.com, surf porno, infect yourself, run tcpdump, spend months to understand protocols, disassemble, try to reconstruct source code.
Again, did you read the paper? To repeat parts of the conclusion: "In the future, we hope to develop more advanced honeypots that help us to gather information about threats such as botnets. Examples include 'Client honeypots' that actively participate in networks (e.g. by crawling the web, idling in IRC channels, or using P2P-networks) [...]" By the way: Running inside VMware can be detected by the bots, so you should use a native system...
> I think I should implement fakemalware.c and fakemalware.h today, so kill your "technique" in automated fashion
Looking forward to your implementation. If you really want to defeat our current methodology, please contact me in private and we can discuss this further...

Cheers,
Thorsten

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/