Re: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)
- To: Egoist <mastah@xxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)
- From: Thorsten Holz <thorsten.holz@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 14 Mar 2005 20:57:36 +0100
Egoist wrote:
VKve> Have to admit, for such a lame tool as agobot, it's certainly nailed a lot
VKve> of systems. ;)
Lot of systems? Where do you get that statistic? How do you analyze that?
One possible way to estimate this is taking a look at logfiles: For
example, Agobot performs a speed test on startup. One of the domains for
this test is www.belwue.de. So if you are in the lucky position and are
admin for this domain, just take a look at how often this speed test is
performed (HTTP POST of file with size of 1MB). In May 2004, about
300,000 IP addresses could be identified per _day_ in this way. Even if
you take doubles into account, I would say that it nailed a lot of
systems :-)
Reference: 12th DFN-CERT Workshop (http://www.dfn-cert.de/events/ws/2005)
Cheers,
Thorsten
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
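
The log-based estimate described in the message above, sketched as an added example (not code from the original post or from the DFN-CERT talk): count distinct client addresses per day that send a POST of roughly 1 MB. The log layout (Apache common log fields followed by mod_logio's `%I` received-bytes field), the size tolerance and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed format: Apache common log fields followed by mod_logio's %I
# (bytes received, request line and headers included).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) \S+ [^"]*" '
    r'\d{3} \S+ (?P<received>\d+)$'
)

# Assumed tolerance around the 1 MB body: headers add a little, and
# "1MB" may mean 10**6 or 2**20 bytes.
MIN_BYTES, MAX_BYTES = 1_000_000, 2**20 + 8192

def speedtest_sources(lines):
    """Return {date: set(ip)} for POSTs whose received size is ~1 MB."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # malformed line or not an upload
        if not MIN_BYTES <= int(m["received"]) <= MAX_BYTES:
            continue  # ordinary form POSTs are far smaller
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        per_day[day].add(m["ip"])  # a set removes same-day duplicates
    return dict(per_day)

def summarize(per_day):
    """Per-day unique counts plus unique sources over the whole period."""
    daily = {d.isoformat(): len(ips) for d, ips in sorted(per_day.items())}
    overall = set().union(*per_day.values()) if per_day else set()
    return daily, len(overall)

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE = """\
192.0.2.10 - - [03/May/2004:10:00:01 +0200] "POST / HTTP/1.1" 200 312 1048812
192.0.2.10 - - [03/May/2004:18:22:40 +0200] "POST / HTTP/1.1" 200 312 1048812
198.51.100.7 - - [03/May/2004:11:05:09 +0200] "POST / HTTP/1.1" 200 312 1048790
203.0.113.5 - - [03/May/2004:11:06:00 +0200] "GET /index.html HTTP/1.1" 200 5120 420
203.0.113.9 - - [03/May/2004:12:00:00 +0200] "POST /form HTTP/1.1" 200 800 2048
192.0.2.10 - - [04/May/2004:09:15:30 +0200] "POST / HTTP/1.1" 200 312 1048812
malformed line
""".splitlines()

if __name__ == "__main__":
    print(summarize(speedtest_sources(SAMPLE)))
```

Distinct addresses are only a proxy for distinct hosts: NAT hides several machines behind one address, and dynamic addressing lets one machine appear under several.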