Message-ID: <200503150215.j2F2FeO1018598@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)

On Mon, 14 Mar 2005 23:26:46 +0300, Egoist said:

> Yes, you're right.
> How many computers exist on earth? 3m? 9m? 20m?
> 
> Is 3,000,000 really a big counter if we have other undetected malware
> that ownz 9,000,000 boxes?
> 
> Maybe I just misunderstand you, but I am trying to tell you that there are
> millions of computers infected with malware that are just not caught by
> AV.

I'm just objecting to the attitude that "since there's lots of computers
that have problems not caught by AV, we should totally ignore any discussion
of the ones that *are* easily detectable".

If there's 3M agobot boxes (probably a low estimate) and 9M "undetected" malware
boxes, that still means that we can find and fix 25% of the problem...

> Know why? Because even a stupid script kiddie can download an iframe/ani/css
> exploit from *sec*.com, write a basic loader, put all this shit
> on their website, buy traffic from some traffic traders,
> change 1 #define in agobot (irc server) and 1 #define (channel), then
> buy a dedicated server, set up an ircd and become a "cool hacker".

If you can't get the techies and managers to the point where they can usefully
deal with the script kiddie bots, there's no hope of dealing with more stealthy
stuff.

Also, you have to remember that the script kiddie bots are, if anything, *more*
dangerous than the stealthy stuff, precisely because they're run by script
kiddies. Compare the number of people killed by professional assassins and the
number of people killed by hot-headed gang members, and ponder for a bit....

> Do you think your tcpdump shows all traffic? (it uses windowz API)
> Do you think your process explorer shows all procs? (it uses windowz
> API too)

Actually, my tcpdump uses 'socket(PF_NETLINK, SOCK_RAW, 0)', and my /bin/ps
pokes around in /proc.  There's no Windows API here. ;)

(And yes, I know how to use a loadable kernel module to cloak stuff on this
system, and how to do it if there's no kernel module support, and yes, there's
stuff in place to make it more difficult for one of those critters to get
itself installed...)
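A defender's counterpart to the point about where a tool gets its process list, added here as an example and not code from the thread: on Linux, compare the PIDs that a readdir() of /proc returns (the view ps uses) against the PIDs the kernel admits to when probed with kill(pid, 0), filtering out threads by the Tgid field of /proc/<pid>/status. The only paths assumed are the standard /proc layout and /proc/sys/kernel/pid_max.

```python
import os

PROC = "/proc"


def listed_pids():
    # PIDs visible to readdir() of /proc, i.e. what ps/top/pidof see.
    return {int(d) for d in os.listdir(PROC) if d.isdigit()}


def pid_exists(pid):
    # Ask the kernel directly via kill(pid, 0); EPERM still means "exists".
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def thread_group_id(pid):
    # Tgid from /proc/<pid>/status; None when the entry cannot be read.
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def suspicious_pids(listed, probed, tgid_of):
    # Pure comparison: ids the kernel admits to but readdir() did not list.
    # A thread of a listed process is fine; a thread of an unlisted one
    # means the parent is hidden; an unreadable entry is itself suspect.
    hidden = set()
    for pid in probed - listed:
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            hidden.add(pid)
        elif tgid not in listed:
            hidden.add(tgid)
    return hidden


def self_visible():
    # Sanity check: our own PID must appear in the readdir() view.
    if not os.path.isdir(PROC):
        return None
    return os.getpid() in listed_pids()


def scan(max_pid=None):
    # Live cross-view check over 1..pid_max. A rootkit that hooks the
    # syscalls themselves can lie to both views; this catches the common
    # hide-from-readdir trick only.
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    probed = {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}
    return suspicious_pids(listed_pids(), probed, thread_group_id)


if __name__ == "__main__":
    print("candidate hidden PIDs:", sorted(scan()))
```

Run it as root to avoid EPERM noise on /proc/<pid>/status; any PID it reports deserves a second look with a different view (network sockets, open files) before drawing conclusions.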
