To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On Fri, 15 Sep 2006, Jörg Weber wrote:
> I can second that, from a not-associated-with-anyone-POV. I get many, many 
> slightly mutated versions of the same bot every day, on average one new 
> version a day, on a very small honeynet. More often than not, AV fails to 
> detect these mods. I obviously don't reach 15k/month, but in this case size 
> does matter.
> 
> Seeing that these mutations could simply be mailed around, too, and AV wouldn't 
> detect them either, makes counting them as unique, new bots a valid POV, 
> methinks.

Indeed. You should note though that the bad guys have the advantage of
being able to test their creations against the anti-viruses before
release... which is kind of an issue.

AV has not been any type of perfect solution for a long time now. It plays a
critical part in the fight, but it is far behind being just
"reactive". Indeed.

> Cheers,
> 
> Joerg
> 
> --
> 
> Joerg Weber M. A.
> Teamleiter Netzwerk-Sicherheit/Netzwerk-Applikationen
> 
> infoServe GmbH
> Nell-Breuning-Allee 6
> D-66115 Saarbruecken
> 
> T: (0681) 8 80 08 - 59
> F: (0681) 8 80 08 - 33
> www.infos.de
> mailto: [EMAIL PROTECTED]  
> > 
> > it sounds like we're on the same page, but you may feel it's hyping the
> > problem to talk about new bots based on unique MD5 values. it's not my
> > favorite way of thinking about it, but it is easily underscored by a
> > real-world fact: many AV vendors fail to detect the same bot source simply
> > repackaged or re-configured (ie a new IRC server, everything else the
> > same). hence, each new MD5 means a new detection hit for them. so, hype
> > has a real-world backing, namely AV detection issues.
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement 
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> 
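
Added example, not part of the original thread: the quoted point that a re-configured bot (new IRC server, everything else the same) produces a new MD5 can be measured by counting the same samples two ways, by unique MD5 and by content similarity. Byte n-gram Jaccard similarity is a technique chosen here for illustration, not one the posters proposed; the sample bytes are constructed and inert, and all function names and the 0.8 threshold are assumptions.

```python
import hashlib

def make_body(seed: bytes, size: int = 2048) -> bytes:
    """Constructed, inert filler standing in for a sample's unchanged code."""
    out, h = b"", seed
    while len(out) < size:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:size]

def shingles(data: bytes, n: int = 8) -> set:
    """Set of overlapping n-byte windows, a crude content fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0

def unique_md5(samples: dict) -> int:
    """The 'new bot per MD5' count discussed in the thread."""
    return len({hashlib.md5(d).hexdigest() for d in samples.values()})

def count_families(samples: dict, threshold: float = 0.8) -> list:
    """Greedy clustering: a sample joins the first family whose
    representative it resembles, otherwise it starts a new family."""
    families = []  # (representative shingle set, member names)
    for name, data in samples.items():
        sh = shingles(data)
        for rep, members in families:
            if jaccard(rep, sh) >= threshold:
                members.append(name)
                break
        else:
            families.append((sh, [name]))
    return [members for _, members in families]

# Constructed samples: one body with three different server strings,
# plus an unrelated body that happens to share a server string.
BODY_A, BODY_B = make_body(b"family-a"), make_body(b"family-b")
SAMPLES = {
    "a1": BODY_A + b"server=irc1.example.invalid",
    "a2": BODY_A + b"server=irc2.example.invalid",
    "a3": BODY_A + b"server=chat.example.invalid",
    "b1": BODY_B + b"server=irc1.example.invalid",
}

if __name__ == "__main__":
    print("unique MD5s:", unique_md5(SAMPLES))
    print("families:   ", count_families(SAMPLES))
```

Both numbers describe the same four samples: the MD5 count matches the number of signatures a hash-matching product would need, while the family count matches the number of distinct code bases.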
