To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Title: Re: [botnets] mocbot spam analysis
Not a product plug... just a note that we have been blocking offending IP addresses, IRC channels, and the like for a while now. I am not sure what others are doing, but perhaps there are others. My guess is that this is not a big problem in the Enterprise. It's more of a home issue. Smarter enterprises should be blocking IRC by signature already by policy. Not much business needs IRC traffic these days and it could realistically be limited to certain users (most of whom hopefully know what they are doing).

Of course we do see infections still that come in via laptops, etc... they cannot connect to their phone-home location, but it's nice to know who is infected so they can be cleaned before they leave the castle.
From: J. Oquendo [mailto:[EMAIL PROTECTED]]
Sent: Tue 8/15/2006 8:07 PM
To: Gadi Evron
Cc: [email protected]
Subject: Re: [botnets] mocbot spam analysis

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Gadi Evron wrote:
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> ----------
> I'd like to quote Joe, for historical purposes:
>
> Obviously there is money being made here - the economics of exploiting
> end-user systems for the purposes of spam has been an established business
> model for at least four years now.
Perhaps it's been longer than that. Maybe it's just been noticed within the past four, who knows.
Anyhow, it's surprising that some software vendor hasn't upped the ante here and begun to block offending IP addresses associated with these C&Cs. How difficult would it be to, say, create a scripted module that "greps" out the IP addressing from these bots, takes that IP address and firewalls it out from their subnet?
Eg:
Supposing my logfiles alert me with an IP and port which looks like:
192.168.1.10:18607
10.1.20.123:32312
120.120.110.110:18607
# for every alert on port 18607, turn "ip:port" into an iptables DROP for that source and run it
awk '/18607/{gsub(/:/," "); print "iptables -A INPUT -p tcp -j DROP -s", $1}' logfiles | sh
Or pick your favorite script... Anyhow, I'm sure most understand what I'm getting to. Sure this only works on networks where ipchains is used, but I can think of plenty of ways to filter these issues before they infest your network...
What I still find strange, and I guess I will be the odd man out here, is why providers are so reluctant to get off their rears and address these issues. Let's be realistic: who on the planet is using port 18607? I know if I was still in the ISP business and I saw these obscure ass ports, they'd be filtered. Last thing I need would be some crazy ass Code Red-like worm taking my network down. It's surprising most engineers (and you lazy bums know who you are) allow stupidity. I guess the Forrest Gump rule applies: stupid is as stupid does.
Gadi by the way, I know a few years back (I don't know maybe 2 or so around the SDBot days... Hell I don't even know if you recall) I had intended on helping with this project (Botnet). Apologies I've been off and on, but I relocated, etc., etc. If you need anything give a holler.
====================================================
J. Oquendo
sil . infiltrated @ net http://www.infiltrated.net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
26:0608031813:J. Oquendo::fNaE6zH/HDTggYKS:005zLMj
The happiness of society is the end of government.
John Adams
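A worked version of the log-to-firewall idea from the post above, as an added example that is not part of the original thread. It assumes a one-alert-per-line "ip:port" log (the constructed sample below mirrors the post's three lines plus some noise) and a set of known C&C ports; unlike the awk one-liner it matches only the port column, validates each address and deduplicates before emitting rules.

```python
"""Turn ip:port alerts into iptables DROP rules for known C&C ports (added example)."""
import ipaddress
import re

# Constructed sample alerts: the three lines from the post, a repeat, and two junk lines.
SAMPLE_ALERTS = """\
192.168.1.10:18607
10.1.20.123:32312
120.120.110.110:18607
120.120.110.110:18607
not-an-ip:18607
300.1.1.1:18607
"""

# One address and one port per line; anything else is ignored rather than blocked.
LINE_RE = re.compile(r"^\s*(?P<ip>[^:\s]+):(?P<port>\d{1,5})\s*$")


def extract_cnc_ips(lines, cnc_ports):
    """Return the unique, syntactically valid IPv4 addresses seen on a C&C port.

    Only the port field is compared, so a timestamp or byte count that happens to
    contain the digits of the port can never trigger a block. Malformed addresses
    are skipped so a garbled log line cannot become a bogus firewall rule.
    """
    seen = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group("port")) not in cnc_ports:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            continue
        if ip not in seen:
            seen.append(ip)
    return [str(ip) for ip in seen]


def drop_rules(ips, chain="INPUT"):
    """Render one iptables DROP rule per address, in first-seen order."""
    return [f"iptables -A {chain} -p tcp -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    # Print the rules instead of piping them to sh so they can be reviewed first.
    for rule in drop_rules(extract_cnc_ips(SAMPLE_ALERTS.splitlines(), {18607})):
        print(rule)
```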
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
