Date: Thu, 14 Sep 2006 18:49:18 +0100
From: "Dave \"No, not that one\" Korn" <davek_throwaway@...mail.com>
To: full-disclosure@...ts.grok.org.uk
Cc: botnets@...testar.linuxbox.org
Subject: Re: the world of botnets article and wrong numbers

Gadi Evron wrote:

> Numbers...
> I can't speak for others, but I can try to answer better than I did
> on the botnets mailing list on whitestar.
>
> On individual honey nets, even rather large ones, the number of unique
> samples often assembled can be somewhere between 200 and 800
> a month.. depending on how wide it is spread and the networks it sits
> on. Which is why many of us cooperate.
>
> From cumulative honey nets monitoring of such smaller (yet very
> effective) nets, and some larger nets, we get to a number of about
> 15K new bot samples every month (Alan Solomon and myself wrote 12K,
> so we underplayed it a bit due to statistics being a bit shaky). So
> the real avg number is somewhere around 15K new unique samples a
> month.

  Can you go into detail about the methodology you're using here?  How do 
you "get to a number" of 15,000 from a number "between 200 and 800"?  Is 
this a statistical extrapolation, or are you saying that your honeynet gets 
200 to 800 unique samples a month, and so does that one over there, and that 
one, and that one.... and they all add up to 15000?  Do you attempt to 
correct for variants that are simply re-packed using a different compressor, 
or other trivial changes?  Do you attempt to correct for complex polymorphic 
variants?

> Further, the anti virus world sees about the same numbers.
>
> The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> 15K avg bot samples a month, as well.

  Got a link/quote/reference to that?  Does Ziv explain the methodology that 
they are using?

> I don't know what others may be seeing, but this is our best estimate
> as to what's going on with the number of unique samples released
> every month.
>
> Jose Nazario from Arbor replied on the botnets list that he sees
> similar numbers.
>
> I hope this helps... what are you looking to hear?

  Some kind of explanation for the huge disjunction between these numbers 
and our instinctive ideas about what's possible.  Of course, being 
un-worked-out intuitive estimates, such ideas are of course entirely likely 
to be off the mark, but off the mark by two orders of magnitude?  Hence the 
request for more methodological details.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 