Message-ID: <8f1f7b60609142026r713c3963i9e0c8d1a15a87842@mail.gmail.com>
Date: Thu, 14 Sep 2006 23:26:12 -0400
From: "Peter Dawson" <slash.pd@...il.com>
To: "Gadi Evron" <ge@...uxbox.org>, full-disclosure@...ts.grok.org.uk
Subject: Re: [botnets] the world of botnets article and wrong numbers
I can't present data, but I'll opine that Gadi is pretty much on track
with figures and numbers. In fact his stats are on the lower side.
Our current intel reports indicate overall incidents by "Zombie machines
on organization's network / bots / use of network by BotNets" = 20%, which is
ANY NET based data sets for incident mngt.
This indicates a 36% increase from July 2004 - June 2005 with a mean
"unknown base" being equated to 15.1%. This percent implies the rate of fresh
nodes being propagated, or rather the rate of growth for Botnets!!
Hypothetically, you can flatline these stats against whatever data sets
you have ...I'll leave you all to your better judgements :)-
/pd
On 9/14/06, Gadi Evron <ge@...uxbox.org> wrote:
>
> On Thu, 14 Sep 2006, Dude VanWinkle wrote:
> > On 9/14/06, Gadi Evron <ge@...uxbox.org> wrote:
> > > This counts bot samples. Whether they are variants (changed) or
> > > insignificant changes such as only the IP address to the C&C, they are
> > > counted as unique.
> >
> > So if you have multiple machines NAT'ed under one IP, that is one pot.
> > err bot eh? OK.
>
> And if I see 10 bots using the same address on a dynamic range.. ever heard
> of DHCP? The number crunching schemes are never perfect but they are pretty
> good.
>
> I count, much like many others, unique IPs. A bot is defined as an
> instance of an installed Trojan horse. One machine may have (and probably
> does have) several. We can count IPs and we do.
>
> 3.5 Million hosts, note, for spam alone. The total population count is
> mind-boggling. I believe spamhaus has it pinned at 3.2 million, others
> have higher numbers. That's about where it is for EMAIL based spam, per
> day.
>
> >
> > >
> > > This is why we now run different sharing projects between established
> > > honey nets.
> >
> > So you dont count botnets that detect honeynets eh?
> >
>
> Honey pot detection is an interesting field, I am familiar with it and
> even consider myself somewhat of a knowledgeable person on it, but there
> are those who research it actively.
>
> As interesting as it may be, it's not much of a field yet, sorry to
> say. Honey pots of different kinds work marvelously.
>
> Not all our sources for samples are the same. It would be silly of me to
> divulge them all (especially as personally I have no use for samples these
> days and others do). Still, we can only report what we see, what do you
> see?
>
> > > > or other trivial changes? Do you attempt to correct for complex
> > > > polymorphic variants?
> >
> > Nah, just contributors who don't all have publicly routable IP's and
> > these herders that know about VMware/Honeywall
> >
> >
> > > There aren't many of those.. really. :)
> >
> > Really? Ok.
> >
> > > > > Further, the anti virus world sees about the same numbers.
> >
> > Using the same methods?
> >
>
> And their reporting user-base, alliances and sharing partners, and what
> not. Yes. Do you think all bots are extremely smart rootkits? I am
> quite happy to say most botnets are nothing if not the re-use of old code,
> which is freely available, using the same old methods.
>
> There are other types of malware out there.
>
> > > > > The Microsoft anti malware team (and Ziv Mador specifically) spoke
> > > > > of 15K avg bot samples a month, as well.
> >
> > Gotcha, you MS and Symantec share numbers based on who doesn't know how
> > to disable your detection methods
>
> You assume too much Dude.
> Still, you are right, 100%. I can only detect what I know how to
> detect. But samples are not the only way to follow botnets, and there are
> many ends on how to approach one problem.
>
> Cryptic? I suppose, but hey, Google for methods, see what you find, and
> tell me what you think. I believe we have pretty good coverage, but I also
> need to admit most anti viruses do not cover bot detection very well.
>
> > I am just saying, the larger the organization, the sharper the focus
> > from the other side. Maybe a loose coalition of known non-bullshitters
> > would have a more accurate picture.
>
> The picture you got is pretty accurate. Don't take my word for it
> though. I am happy to examine and share (as much as I can, which is more
> than enough) to show the numbers (lower numbers) we chose to show in the
> article.
>
> What numbers do you need? What makes you doubt what we have given? I'd be
> more than happy to answer any question you have or counter-numbers you
> have, but your love for me is as irrelevant as you calling me a
> *********** when you don't show your own data or challenge mine with
> actual questions like Dave (the other dave) did.
>
> Thanks,
>
> Gadi.
>
> > still love ja tho Gadi,
> >
> > -JP<the douchebg>
> >
> > > >
> > > > Got a link/quote/reference to that? Does Ziv explain the
> > > > methodology that they are using?
> > >
> > > Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> > > prove *on my own* without relying on other sources, as reliable as
> > > they may be, 12K, which is the number we mentioned in the article. We were
> > > being conservative due to that reason, but the number is higher.
> > >
> > > > > I don't know what others may be seeing, but this is our best
> > > > > estimate as to what's going on with the number of unique samples released
> > > > > every month.
> > > > >
> > > > > Jose Nazario from Arbor replied on the botnets list that he sees
> > > > > similar numbers.
> > > > >
> > > > > I hope this helps... what are you looking to hear?
> > > >
> > > > Some kind of explanation for the huge disjunction between these
> > > > numbers and our instinctive ideas about what's possible. Of course, being
> > >
> > > I followed you this far, but to be honest, your ideas (what are
> > > they?) are indeed very far from reality... :)
> > >
> > > > un-worked-out intuitive estimates, such ideas are of course entirely
> > > > likely to be off the mark, but off the mark by two orders of
> > > > magnitude? Hence the request for more methodological details.
> > >
> > > No problem, I quite understand. There is not that much science into it
> > > really:
> > > "Yo, how many unique samples do you see?" as a lone dataset if they
> > > won't share.
> > > "Yo, how many unique samples do we all see?" if they share.
> > > "Yo, how many unique samples do others see?"
> > >
> > > AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
> > > trojan horses, general purpose trojans, dialers, etc (from the large
> > > bot families).
> > >
> > > Gadi.
> > >
> > >
> > > >
> > > > cheers,
> > > > DaveK
> > > > --
> > > > Can't think of a witty .sigline today....
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > > _______________________________________________
> > > > To report a botnet PRIVATELY please email: c2report@...tf.org
> > > > All list and server information are public and available to law
> > > > enforcement upon request.
> > > > http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> > > >
> > >
> > >
> >
>
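The counting rules argued over above (unique IPs versus installed trojan instances, with NAT collapsing many hosts into one address and DHCP spreading one host over many), worked through as an added example; this is not code from the thread, and every sighting and host fingerprint below is constructed.

```python
"""Added example: how the unique-IP and unique-sample counting methods
discussed in the thread diverge from the 'one bot = one installed trojan
instance' definition once NAT and DHCP churn are in play."""
from collections import defaultdict

# Constructed sightings: (timestamp, source IP, sample hash, host fingerprint).
# The host fingerprint is a hypothetical stable machine identifier that a
# sinkhole or honeynet would normally NOT have; it stands in for ground truth.
SIGHTINGS = [
    ("2006-09-14T01:00", "203.0.113.10", "sample-A", "host-1"),  # behind NAT
    ("2006-09-14T01:05", "203.0.113.10", "sample-A", "host-2"),  # same NAT IP
    ("2006-09-14T01:10", "203.0.113.10", "sample-B", "host-3"),  # same NAT IP
    ("2006-09-14T02:00", "198.51.100.7", "sample-A", "host-4"),  # DHCP lease 1
    ("2006-09-14T09:00", "198.51.100.9", "sample-A", "host-4"),  # DHCP lease 2
    ("2006-09-14T17:00", "198.51.100.3", "sample-A", "host-4"),  # DHCP lease 3
    ("2006-09-14T03:00", "192.0.2.25", "sample-A", "host-5"),
    ("2006-09-14T03:00", "192.0.2.25", "sample-C", "host-5"),    # two bots, one host
]


def count_unique_ips(sightings):
    """The unique-IP method from the thread: one address counts as one bot."""
    return len({ip for _, ip, _, _ in sightings})


def count_unique_samples(sightings):
    """The unique-sample method: each distinct binary counts once."""
    return len({sample for _, _, sample, _ in sightings})


def count_installed_instances(sightings):
    """Gadi's definition: one bot per installed trojan instance per host.
    This needs the host fingerprint, which only the ground truth supplies."""
    return len({(host, sample) for _, _, sample, host in sightings})


def bias_report(sightings):
    """Split the gap between the IP count and the instance count into the
    two effects named in the thread: hosts hidden behind a shared NAT
    address, and extra addresses one host picks up through DHCP churn."""
    hosts_per_ip, ips_per_host = defaultdict(set), defaultdict(set)
    for _, ip, _, host in sightings:
        hosts_per_ip[ip].add(host)
        ips_per_host[host].add(ip)
    nat_hidden = sum(len(h) - 1 for h in hosts_per_ip.values() if len(h) > 1)
    dhcp_extra = sum(len(i) - 1 for i in ips_per_host.values() if len(i) > 1)
    return {"unique_ips": count_unique_ips(sightings),
            "unique_samples": count_unique_samples(sightings),
            "hosts_hidden_by_nat": nat_hidden,
            "extra_ips_from_dhcp": dhcp_extra,
            "installed_instances": count_installed_instances(sightings)}
```

On this data the two biases happen to cancel in aggregate (5 unique IPs against 6 installed instances), which is why a raw IP count can look plausible while misattributing which networks are infested.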