Message-ID: <924901146.20050314152655@phreaker.net>
From: mastah at phreaker.net (Egoist)
Subject: Know Your Enemy: Tracking Botnets
Hello Randall,
Monday, March 14, 2005, 2:49:41 PM, you wrote:
RM> Now that you two have reacquainted yourselves can we get back to the paper?
RM> -----Original Message-----
RM> From: full-disclosure-bounces@...ts.grok.org.uk
RM> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of pingywon
RM> Sent: Sunday, March 13, 2005 10:02 PM
RM> To: Egoist
RM> Cc: full-disclosure@...ts.grok.org.uk; honeypots@...urityfocus.com;
RM> dailydave
RM> Subject: Re: Re[2]: [Full-disclosure] Know Your Enemy: Tracking Botnets
RM> hello cock monger
RM> ~pingywon
RM> ----- Original Message -----
RM> From: "Egoist" <mastah@...eaker.net>
RM> To: "pingywon" <pingywon@...mail.com>
RM> Cc: "Thorsten Holz" <thorsten.holz@...eg.rwth-aachen.de>; "dailydave"
RM> <dailydave@...ts.immunitysec.com>; <honeypots@...urityfocus.com>;
RM> <full-disclosure@...ts.grok.org.uk>
RM> Sent: Sunday, March 13, 2005 10:40 PM
RM> Subject: Re[2]: [Full-disclosure] Know Your Enemy: Tracking Botnets
>> Hello pingywon,
>>
>> Monday, March 14, 2005, 6:22:43 AM, you wrote:
>>
>> p> haha .. I didn't think anyone was REALLY named Thorsten
>>
>> p> ... I mean good paper....
>>
>> p> ~pingywon
>>
>>
>> p> ----- Original Message -----
>> p> From: "Thorsten Holz" <thorsten.holz@...eg.rwth-aachen.de>
>> p> To: "dailydave" <dailydave@...ts.immunitysec.com>;
>> p> <honeypots@...urityfocus.com>; <full-disclosure@...ts.grok.org.uk>
>> p> Sent: Sunday, March 13, 2005 10:08 PM
>> p> Subject: [Full-disclosure] Know Your Enemy: Tracking Botnets
>>
>>
>> >> Greetings,
>> >>
>> >> The Honeynet Project and Research Alliance is excited to announce the
>> >> release of a new paper "KYE: Tracking Botnets". This paper is based on
>> >> the extensive research by the German Honeynet Project.
>> >>
>> >> KYE: Tracking Botnets
>> >> http://www.honeynet.org/papers/bots/
>> >>
>> >> Abstract:
>> >> ---------
>> >>
>> >> Honeypots are a well known technique for discovering the tools, tactics,
>> >> and motives of attackers. In this paper we look at a special kind of
>> >> threat: the individuals and organizations who run botnets. A botnet is a
>> >> network of compromised machines that can be remotely controlled by an
>> >> attacker. Due to their immense size (tens of thousands of systems can be
>> >> linked together), they pose a severe threat to the community. With the
>> >> help of honeynets we can observe the people who run botnets - a task
>> >> that is difficult using other techniques. Due to the wealth of data
>> >> logged, it is possible to reconstruct the actions of attackers, the
>> >> tools they use, and study them in detail. In this paper we take a closer
>> >> look at botnets, common attack techniques, and the individuals involved.
>> >>
>> >> We start with an introduction to botnets and how they work, with
>> >> examples of their uses. We then briefly analyze the three most common
>> >> bot variants used. Next we discuss a technique to observe botnets,
>> >> allowing us to monitor the botnet and observe all commands issued by the
>> >> attacker. We present common behavior we captured, as well as statistics
>> >> on the quantitative information learned through monitoring more than one
>> >> hundred botnets during the last few months. We conclude with an overview
>> >> of lessons learned and point out further research topics in the area of
>> >> botnet-tracking, including a tool called mwcollect2 that focuses on
>> >> collecting malware in an automated fashion.
>> >>
>> >> Thank you for your time,
>> >> Thorsten Holz, on behalf of the GHP
>> >> (http://www-i4.informatik.rwth-aachen.de/lufg/honeynet)
>> >>
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://www.secunia.com/
>> >>
>>
>> lol i am too
>>
>> shit my botnet just increases in size wow
>>
>> --
>> Best regards,
>> Egoist mailto:mastah@...eaker.net
>>
>>
>>
Today I see strange packets coming to my bots, mostly trying to spoof
authorization requests, mostly UDP, but of course those bad guys can't even fix
the request checksum.
The war begins?
--
Best regards,
Egoist mailto:mastah@...eaker.net