Message-ID: <4235DE9C.7000207@mmweg.rwth-aachen.de>
From: thorsten.holz at mmweg.rwth-aachen.de (Thorsten Holz)
Subject: Re: Know Your Enemy: Tracking Botnets
(ThorstenHolz)
Egoist wrote:
>>>> We start with an introduction to botnets and how they work,
>>>> with
>
> they work perfectly if coded not by kids, they use crypted
> communication, most of them moving to p2p technology to eliminate
> servers
Did you read the whole paper?
To repeat parts of the conclusion:
"[...] Since our current approach focuses on bots that use IRC for C&C,
we focused in the paper on IRC-based bots. We have also observed other
bots, but these are rare and currently under development. In a few
months/years more and more bots will use non-IRC C&C, potentially
decentralized p2p-communication. [...]"
And yes, there are of course also bots that use encrypted communication
or IPv6-only botnets.
>>>> examples of their uses. We then briefly analyze the three most
>>>> common bot variants used. Next we discuss a technique to
>>>> observe botnets,
>
> technique to observe botnets: run vmware, go to sexocean.com, surf
> porno, infect yourself, run tcpdump, spend months to understand
> protocols, disassemble, try to reconstruct source code.
Again, did you read the paper?
To repeat parts of the conclusion:
"In the future, we hope to develop more advanced honeypots that help us
to gather information about threats such as botnets. Examples include
'Client honeypots' that actively participate in networks (e.g. by
crawling the web, idling in IRC channels, or using P2P-networks) [...]"
By the way: Running inside VMware can be detected by the bots, so you
should use a native system...
> i think i should implement fakemalware.c and fakemalware.h today, so
> kill your "technique" in automated fashion
Looking forward to your implementation. If you really want to defeat
our current methodology, please contact me in private and we can discuss
this further...
Cheers,
Thorsten
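The client-honeypot approach the reply refers to (a drone idling in an IRC channel and logging what it sees) can be illustrated with a small passive observer. The code below is an added example; it is not from this thread, from the Know Your Enemy paper, or from its authors. It parses RFC 1459-style IRC lines as a drone would receive them and records channel membership, channel topics and messages that look like bot instructions. The captured lines, the hostnames, and the heuristic that bot commands start with "." or "!" (and are often pushed through the channel topic) are constructed assumptions for this example, not findings from the page.

```python
"""Passive IRC observer for a client honeypot.

Parses IRC protocol lines (prefix, command, params, trailing) captured
by a drone sitting in a channel and records what a botnet tracker would
log: who is in the channel, what the topic is, and which lines look like
commands to the bots. Added example; capture data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1459 message: [":" prefix SPACE] command {SPACE param} [SPACE ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"          # optional ":nick!user@host" or ":server"
    r"(?P<command>\S+)"                 # verb or 3-digit numeric reply
    r"(?P<params>(?: [^:\s][^\s]*)*)"   # middle params (never start with ':')
    r"(?: :(?P<trailing>.*))?$"         # optional trailing text after " :"
)

# Assumption for this example: common bot command prefixes.
COMMAND_PREFIXES = (".", "!")


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: list
    trailing: Optional[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into its protocol fields."""
    line = line.rstrip("\r\n")
    m = IRC_LINE.match(line)
    if not m:
        raise ValueError(f"not an IRC message: {line!r}")
    return IrcMessage(
        prefix=m.group("prefix"),
        command=m.group("command").upper(),
        params=m.group("params").split(),
        trailing=m.group("trailing"),
    )


def looks_like_command(text: Optional[str]) -> bool:
    """Heuristic (assumed): bot instructions begin with a prefix character."""
    return bool(text) and text[0] in COMMAND_PREFIXES


def observe(lines) -> dict:
    """Replay captured lines and return what the drone learned.

    Returns a dict with per-channel topics, per-channel nick sets and a
    list of (source, channel, text) tuples for command-looking messages,
    whether they arrived via TOPIC, the 332 topic reply, or PRIVMSG.
    """
    topics = {}
    members = {}
    instructions = []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "PING":
            continue  # a live drone answers PONG; the log does not need it
        if msg.command == "JOIN" and msg.prefix:
            chan = msg.trailing or msg.params[0]
            members.setdefault(chan, set()).add(msg.prefix.split("!")[0])
        elif msg.command in ("TOPIC", "332"):
            chan = msg.params[-1]
            topics[chan] = msg.trailing or ""
            if looks_like_command(msg.trailing):
                instructions.append((msg.prefix or "", chan, msg.trailing))
        elif msg.command == "PRIVMSG":
            chan = msg.params[0]
            if looks_like_command(msg.trailing):
                instructions.append((msg.prefix or "", chan, msg.trailing))
    return {"topics": topics, "members": members, "instructions": instructions}


# Constructed capture: what a drone might see after connecting. Hosts,
# nicks, channel and commands are made up for this example.
SAMPLE_CAPTURE = [
    ":irc.example.net 001 drone :Welcome",
    ":drone!drone@10.0.0.5 JOIN :#bots",
    ":irc.example.net 332 drone #bots :.advscan lsass 150 5 0 -r -s",
    "PING :irc.example.net",
    ":herder!h@10.0.0.1 PRIVMSG #bots :.login s3cr3t",
    ":herder!h@10.0.0.1 PRIVMSG #bots :just chatting",
    ":herder!h@10.0.0.1 TOPIC #bots :.update http://placeholder.invalid/update.exe",
]

if __name__ == "__main__":
    report = observe(SAMPLE_CAPTURE)
    for src, chan, text in report["instructions"]:
        print(f"{chan} <- {src}: {text}")
```

Running the file prints the three command-looking lines and ignores the plain chat message; the topic set via TOPIC replaces the one learned from the 332 reply. In a real drone the observer would sit behind a socket loop that also answers PING, and the prefix heuristic would be replaced by the command set learned for the bot family being tracked.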