Message-ID: <838794248.20050314232646@phreaker.net>
From: mastah at phreaker.net (Egoist)
Subject: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)

Hello Valdis,

Monday, March 14, 2005, 10:45:32 PM, you wrote:

VKve> On Mon, 14 Mar 2005 22:01:39 +0300, Egoist said:

>> Lot of systems? Where did you get that statistic? How do you analyze that?
>> Antivirus software caught agobot on some computer and you just incremented counters?

VKve> Right. I find an agobot, I increment a counter.

VKve> If the counter ends up at '3', agobot hasn't hit many systems.

VKve> If the counter ends up at '3,000,000', agobot has hit a lot of systems.

Yes, you're right.
How many computers exist on earth? 3m? 9m? 20m?

Is 3,000,000 really a big counter if we have another undetected malware
that ownz 9,000,000 boxes?

Maybe I just misunderstand you, but I am trying to tell you that there are
millions of computers infected with malware that is just not caught by
AV.

VKve> Are you seriously trying to convince us that agobot *didn't* infect a lot of

It did.

VKve> systems?  I suppose that next, you're going to try to convince us that the lame
VKve> code in Nimda and Nachi didn't hit many systems either, because of its lameness....

I never will say that.

VKve> I never claimed there weren't bots that weren't being detected - what I said was
VKve> that the lamely-coded bots have still managed to nail a lot of systems.

Know why? Because even a stupid script kiddie can download an iframe/ani/css
exploit from *sec*.com, write a basic loader, put all this shit
on their website, buy traffic from some traffic traders,
change 1 #define in agobot (irc server) and 1 #define (channel), then
buy a dedicated server, set up an ircd and become a "cool hacker".

VKve> And just because my car has a slow oil leak that I haven't been able to track down
VKve> the exact cause is no reason to not change the brake pads when they start squealing.

Right.


Do you think your tcpdump shows all traffic? (it uses the windowz API)
Do you think your process explorer shows all procs? (it uses the windowz
API too)

Even if you set up a FreeBSD router between you and the internet at your home
(like I have),
do you really think that well-coded malware can't 'investigate' your
normal traffic and try to look like it?

How? This is another story...

-- 
Best regards,
 Egoist                            mailto:mastah@...eaker.net


