Re[6]: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)
- To: Valdis.Kletnieks@xxxxxx
- Subject: Re[6]: [Full-disclosure] Re: Know Your Enemy: Tracking Botnets (ThorstenHolz)
- From: Egoist <mastah@xxxxxxxxxxxx>
- Date: Mon, 14 Mar 2005 23:26:46 +0300
Hello Valdis,
Monday, March 14, 2005, 10:45:32 PM, you wrote:
VKve> On Mon, 14 Mar 2005 22:01:39 +0300, Egoist said:
>> Lot of systems? Where do you get that statistic? How do you analyze that?
>> Antivirus software caught agobot on some computer and you just increment
>> counters?
VKve> Right. I find an agobot, I increment a counter.
VKve> If the counter ends up at '3', agobot hasn't hit many systems.
VKve> If the counter ends up at '3,000,000', agobot has hit a lot of systems.
Yes, you're right.
How many computers exist on earth? 3m? 9m? 20m?
Is 3,000,000 really a big counter if we have another undetected malware
that ownz 9,000,000 boxes?
Maybe I just misunderstand you, but I am trying to inform you that there are
millions of computers infected with malware that is just not caught by
AV.
VKve> Are you seriously trying to convince us that agobot *didn't* infect a lot of
It did.
VKve> systems? I suppose that next, you're going to try to convince us that the lame
VKve> code in Nimda and Nachi didn't hit many systems either, because of its lameness....
I will never say that.
VKve> I never claimed there weren't bots that weren't being detected - what I said was
VKve> that the lamely-coded bots have still managed to nail a lot of systems.
Know why? Because even a stupid script kiddie can download an iframe/ani/css
exploit from *sec*.com, write a basic loader, put all this shit
on their website, buy traffic from some traffic traders,
change 1 #define in agobot (irc server) and 1 #define (channel), then
buy a dedicated server, set up an ircd and become a "cool hacker".
VKve> And just because my car has a slow oil leak that I haven't been able to track down
VKve> the exact cause is no reason to not change the brake pads when they start squealing.
Right.
Do you think your tcpdump shows all traffic? (it uses windowz API)
Do you think your process explorer shows all procs? (it uses windowz
API too)
Even if you set up a FreeBSD router between you and the internet at your home
(like I have),
do you really think that well-coded malware can't 'investigate' your
normal traffic and try to look like it?
How? This is another story...
--
Best regards,
Egoist mailto:mastah@xxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/