To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Several of the C&C servers posted on the Bleeding Threats report are on IP
space belonging to major hosting providers, either using leased space, or a
compromisable service... They may or may not be big business, depending on
your criteria. Also be aware that Shadowserver doesn't claim to be monitoring
every botnet out there, and they limit their scope to certain criteria.
Compare their data with other compromise reporting sites like Zone-H and RBL
to get the bigger picture.

As far as drones connecting to C&Cs, where the drone is from a large
business, it does happen; however, the infection time is frequently limited
to the machine's next power cycle. Most businesses use firewalls, proxies and
dropped privs for cases where the machine is at risk for infection, meaning
once the user logs off, the drone goes away -- until it's reinfected again.

Far more interesting to me is the large number of military and government
machines in the armies of drone machines.

Home users don't usually have an IT department with safeguards in place, and
most home users will run with full administrator rights on the machine. Home
users usually don't have good spam filters in place, and many will click on
anything.

I'm sure if you asked Shadowserver very nicely, they could provide some ASN
data on the 500k+ drone IPs they are currently aware of. From that you could
see exactly how many they see at a given ASN.

And finally, Shadowserver works with law enforcement, and their
investigations must take priority over public disclosure. If they know of an
investigation, it has been policy in the past to limit disclosure of
networks related to that investigation. I would be surprised if they aren't
sanitizing the data we all see. :)

Nicholas Albright

Adriel T. Desuatels wrote:
> List,
> I have a team that has been performing research against information
> collected from shadowserver. So far I'm seeing that bots are not
> compromising major businesses, but do have a significant indirect negative
> impact on those businesses.
>
> Has anyone seen bots coming from IP addresses registered to major
> businesses? Has anyone seen C&C servers installed on networks run by major
> businesses? Or, are these compromises mostly smaller businesses and home
> users?
>
> On 2/16/07 6:43 PM, "Tom" <[EMAIL PROTECTED]> wrote:
>
>>> On Wed, 14 Feb 2007, Jeremy Epstein wrote:
>>>> There was also a really entertaining presentation from Patrick Petersen of
>>>> IronPort at RSA, in which he mentioned use of defaced web sites as proxy
>>>> forwarders for spammers. According to the presentation, the spammers have
>>>> a fairly sophisticated toolkit that takes over the site and turns it into a
>>>> pharmacy (or whatever) redirect site. A different goal from the Websense
>>>> presentation, but still a purpose other than simple defacement.
>>> Indeed. I can post some screenshots of some of these tools if you are
>>> interested in them.
>>>
>>> Anon remailers, spam tools, etc. More and more spam is being sent using
>>> web servers.
>>>
>>> I am looking for someone to volunteer to create SpamAssassin rules based
>>> on how these tools send mail.
>> Rules are easy when either you don't have it installed, or you are
>> proactive and installed it in a non-default location, which is what we
>> do.
>>
>> I have a couple of rules based upon log analysis and can probably
>> generate more, but can't you just use:
>> http://bleedingthreats.net/bleeding-web.rules
>> http://bleedingthreats.net/bleeding-exploit.rules
>> http://bleedingthreats.net/bleeding-attack_response.rules
>>
>> Tom
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBRdxqW5SxqRV26ARGAQKyZg//TImHBrvSM0Ve3FD27SbvU2SdHRu9Z89f
kzx+oGAeknftt7bEyM2c4Uc7yl3XKCNWP/90SktXbBfMiUTTB7SGJ4+DV1DDJ6mA
hMeizaO0PPLbO58II0jQxSyeoEf3XJ+uDo0DNQJpPM6GeObyoic3YuTFh5V+T46N
yEa4dsK39Ok7Klq91dx0EZtvnCmY9L79OFOuEftRHKw7RjOHD3x6v7GazYxgBasW
rFreosuy/39QlBiojfrj72GWe/+p/TayLWn0HM//Xfn7kuX8rMenKJPD5wVKYEre
oQMCr8zMCCFECl9vpIuiRg91ge7E2yGpkzJY2KP61XUWM/5Kwufnc3IuBgyXjmoC
ZEZ01e3Fmsz58kbn0KEep1ylb6JlRX2EvdgSdT5FgUeUqCXhcUiWSQL3Nk0A1dlr
+P9borX29X9seja02aLr3duf+Su9Mxq8IMCdbOwC2TyaYsQixVGl+Fw6keIt3Xj9
G30BfBqX8nyYhUM9GuJmRixx0X6KQ8MTx2qYmF/AudkBNbV+6pNweM215uv4Iruh
esihtaZPhenwXBQF3g5wpjoRh7QjVt5HrnkzpWhVQECd29K6sta6ELBSIk4LWVcV
lLktgaC0m54R5pgWvnkdl+/dPTkgncIB5si6VRp4W0ot/kJPT17Ul/MW7TaRdK2g
diDNOtbEq3g=
=1KGo
-----END PGP SIGNATURE-----
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
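The quoted part of the thread asks for SpamAssassin rules keyed on how spam tools running on compromised web servers send mail. The Python below is an added illustration for that request; it is not Tom's rules, not the bleedingthreats rule sets, and not code from anyone on the list. It scores a message the way a SpamAssassin "header" rule would, over a few header markers that PHP-based mailers commonly leave behind. The three markers (an "X-Mailer: PHP/..." header, an "X-PHP-Originating-Script" header, and a web-server account such as www-data as the envelope sender in a Received line), the rule names, the scores, the threshold and the two sample messages are all assumptions constructed for this example.

```python
"""Score mail headers the way a SpamAssassin 'header' rule would.

Added example for the list discussion above; it is not Tom's rules and not
the bleedingthreats rule sets. Every marker, rule name, score and sample
message below is a constructed assumption, not data from the thread.
"""
import re
from email import message_from_string

# Hypothetical rules in the spirit of SpamAssassin 'header' rules:
# (rule name, header to inspect, regex or None for "header present", score).
RULES = [
    # Many PHP scripts stamp "X-Mailer: PHP/<version>" on what they send.
    ("LOCAL_PHP_XMAILER", "X-Mailer", re.compile(r"^PHP/\d"), 1.5),
    # Header PHP adds when mail.add_x_header is on; names the sending script.
    ("LOCAL_PHP_ORIG_SCRIPT", "X-PHP-Originating-Script", None, 2.0),
    # Envelope sender is the web server's own account, not a person.
    ("LOCAL_WEBSRV_ENVELOPE", "Received",
     re.compile(r"envelope-from\s+<?(?:www-data|apache|nobody)@", re.I), 1.0),
]
THRESHOLD = 3.0  # illustrative; SpamAssassin's default required_score is 5.0


def score_message(raw):
    """Return (total score, [rule names that fired]) for one RFC 822 message."""
    msg = message_from_string(raw)
    total, hits = 0.0, []
    for name, header, pattern, score in RULES:
        values = msg.get_all(header, [])  # folded Received lines stay intact
        if pattern is None:
            fired = bool(values)
        else:
            fired = any(pattern.search(v) for v in values)
        if fired:
            hits.append(name)
            total += score
    return total, hits


def is_spam(raw, threshold=THRESHOLD):
    """Classify a raw message using the combined rule score."""
    return score_message(raw)[0] >= threshold


# Constructed sample: mail injected through a PHP script on a compromised web host.
SAMPLE_WEBSERVER_SPAM = (
    "Received: from www.example.com (www.example.com [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP id k1ABCD; Fri, 16 Feb 2007 18:43:00 -0500\n"
    "\t(envelope-from <www-data@www.example.com>)\n"
    "X-Mailer: PHP/5.2.1\n"
    "X-PHP-Originating-Script: 33:pharma.php\n"
    "From: \"Online Pharmacy\" <sales@example.com>\n"
    "To: victim@example.net\n"
    "Subject: cheap meds\n"
    "\n"
    "http://www.example.com/redirect.php\n"
)

# Constructed sample: ordinary mail from a desktop client.
SAMPLE_LEGIT = (
    "Received: from client.example.org (client.example.org [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP id k1EFGH; Fri, 16 Feb 2007 18:50:00 -0500\n"
    "\t(envelope-from <alice@example.org>)\n"
    "X-Mailer: Mozilla Thunderbird 1.5.0.9\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: meeting\n"
    "\n"
    "See you at 3.\n"
)

if __name__ == "__main__":
    for label, raw in (("webserver spam", SAMPLE_WEBSERVER_SPAM), ("legit", SAMPLE_LEGIT)):
        total, hits = score_message(raw)
        print(f"{label}: score={total} hits={hits} spam={is_spam(raw)}")
```

In SpamAssassin's own syntax the first rule would read "header LOCAL_PHP_XMAILER X-Mailer =~ /^PHP\/\d/" with a matching "score" line; the Python only mirrors that logic so the hits can be checked offline. Expect false positives from legitimate PHP web applications that send mail (password resets, order confirmations), so keep the individual scores low and combine them with other evidence rather than blocking on any one marker.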
