Message-ID: <Pine.LNX.4.21.0609141632170.26926-100000@linuxbox.org>
Date: Thu, 14 Sep 2006 16:39:04 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: "Dave \"No, not that one\" Korn" <davek_throwaway@...mail.com>
Cc: botnets@...testar.linuxbox.org, full-disclosure@...ts.grok.org.uk
Subject: Re: [botnets] the world of botnets article and wrong numbers

On Thu, 14 Sep 2006, Dave "No, not that one" Korn wrote:
>   Can you go into detail about the methodology you're using here?  How do 
> you "get to a number" of 15,000 from a number "between 200 and 800"?  Is 

My comment here was in regard to what most honey nets see.

> this a statistical extrapolation, or are you saying that your honeynet gets 
> 200 to 800 unique samples a month, and so does that one over there, and that 
> one, and that one.... and they all add up to 15000?  Do you attempt to 

Yes. Also, some are large enough to get to that number, and there are
other sources as well such as the AV community or the Microsoft data... as
examples.

> correct for variants that are simply re-packed using a different compressor, 

This counts bot samples. Whether they are variants (changed) or
insignificant changes such as only the IP address to the C&C, they are
counted as unique.

This is why we now run different sharing projects between established
honey nets.

> or other trivial changes?  Do you attempt to correct for complex polymorphic 
> variants?

There aren't many of those.. really. :)


> > Further, the anti virus world sees about the same numbers.
> >
> > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > 15K avg bot samples a month, as well.
> 
>   Got a link/quote/reference to that?  Does Ziv explain the methodology that 
> they are using?

Nope, but I will ask. Most of the numbers I get are at 15K. I can only
prove *on my own* without relying on other sources, as reliable as they
may be, 12K, which is the number we mentioned in the article. We were
being conservative due to that reason, but the number is higher.

> > I don't know what others may be seeing, but this is our best estimate
> > as to what's going on with the number of unique samples released
> > every month.
> >
> > Jose Nazario from Arbor replied on the botnets list that he sees
> > similar numbers.
> >
> > I hope this helps... what are you looking to hear?
> 
>   Some kind of explanation for the huge disjunction between these numbers 
> and our instinctive ideas about what's possible.  Of course, being 

I followed you this far, but to be honest, your ideas (what are
they?) are indeed very far from reality... :)

> un-worked-out intuitive estimates, such ideas are of course entirely likely 
> to be off the mark, but off the mark by two orders of magnitude?  Hence the 
> request for more methodological details.

No problem, I quite understand. There is not that much science to it
really:
"Yo, how many unique samples do you see?" as a lone dataset if they won't
share.
"Yo, how many unique samples do we all see?" if they share.
"Yo, how many unique samples do others see?"

AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
trojan horses, general purpose trojans, dialers, etc (from the large bot
families).

	Gadi.


> 
>     cheers,
>       DaveK
> -- 
> Can't think of a witty .sigline today.... 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
