| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mastah at phreaker.net (Egoist) Subject: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz) Hello Valdis, Monday, March 14, 2005, 9:11:08 PM, you wrote: VKve> On Mon, 14 Mar 2005 20:21:35 +0300, phased said: >> >> no they didnt, shit paper, nothing new, absolute crap just publicity bollocks VKve> (I haven't actually read the paper in question yet, but still..) VKve> Notice that often, a "nothing new" paper can still be important just due to VKve> readability by an audience other than the technical geeks. For example, it's VKve> been *years* since "Smashing the stack for fun and profit" made it all clear VKve> for the bitheads among us - but would you give it to your upper management as VKve> justification for a project? No, you'd need to find a white paper that had VKve> "nothing new" in it, but which stated it in a way that the threat becomes clear VKve> even to a manager. And writing something that's accessible by a *novice* VKve> sysadmin that has maybe a year or two experience is an entirely different skill.... VKve> In fact, for some stuff like the FBI/SANS Top 20 we do every year, or the VKve> Center for Internet Security benchmarks, if something is "new", it's almost VKve> certainly out of scope - when I did a very early draft of what Hal Pomeranz VKve> ended up making into the CIS Solaris benchmark, "Have I heard this point enough VKve> times I want to gag" was one of the clearest indicators that something should VKve> be in the guidelines... > >> We start with an introduction to botnets and how they work, with they work perfectly if coded not by kids, they use crypted communication, most of them moving to p2p technology to eliminate servers i dont say about that lame toolz like agobot and friends > >> examples of their uses. We then briefly analyze the three most common > >> bot variants used. Next we discuss a technique to observe botnets, technique to observe botnets: run vmware, goto sexocean.com, surf porno, infect yourself, run tcpdump, spend months to understand protocols, disassemble, try to reconstruct source code. > >> allowing us to monitor the botnet and observe all commands issued by the > >> attacker. We present common behavior we captured, as well as statistics wow really u can? > >> on the quantitative information learned through monitoring more than one > >> hundred botnets during the last few months. We conclude with an overview > >> of lessons learned and point out further research topics in the area of > >> botnet-tracking, including a tool called mwcollect2 that focuses on > >> collecting malware in an automated fashion. i think i should impelemnt fakemalware.c and fakemalware.h today, so kill your "technique" in automated fashion -- Best regards, Egoist mailto:mastah@...eaker.net
Powered by blists - more mailing lists