lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4235DE9C.7000207@mmweg.rwth-aachen.de>
From: thorsten.holz at mmweg.rwth-aachen.de (Thorsten Holz)
Subject: Re: Know Your Enemy: Tracking Botnets
	(ThorstenHolz)

Egoist wrote:

>>>> We start with an introduction to botnets and how they work,
>>>> with
> 
> they work perfectly if coded not by kids, they use crypted 
> communication, most of them moving to p2p technology to eliminate 
> servers

Did you read the whole paper?

To repeat parts of the conclusion:
"[...] Since our current approach focuses on bots that use IRC for C&C,
we focused in the paper on IRC-based bots. We have also observed other
bots, but these are rare and currently under development. In a few
months/years more and more bots will use non-IRC C&C, potentially
decentralized p2p-communication. [...]"

And yes, there are of course also bots that use encrypted communication
or IPv6-only botnets.

>>>> examples of their uses. We then briefly analyze the three most
>>>> common bot variants used. Next we discuss a technique to
>>>> observe botnets,
> 
> technique to observe botnets: run vmware, goto sexocean.com, surf 
> porno, infect yourself, run tcpdump, spend months to understand 
> protocols, disassemble, try to reconstruct source code.

Again, did you read the paper?

To repeat parts of the conclusion:
"In the future, we hope to develop more advanced honeypots that help us
to gather information about threats such as botnets. Examples include
'Client honeypots' that actively participate in networks (e.g. by
crawling the web, idling in IRC channels, or using P2P-networks) [...]"

By the way: Running inside VMware can be detected by the bots, so you
should use a native system...

> i think i should impelemnt fakemalware.c and fakemalware.h today, so 
> kill your "technique" in automated fashion

Looking forward for your implementation. If you really want to defeat
our current methodology, please contact me in private and we can discuss
this further...

Cheers,
   Thorsten


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ