Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-15 Thread Georgi Guninski
what about the inverted question:

how much of the internet connected computers are *not* part of botnets?

since exact number are hard to prove, the ratio BOTNETTED/NONBOTNETTED seems
easier to be found.

-- 
j
EOM

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Dude VanWinkle
On 9/15/06, Richard Golodner <[EMAIL PROTECTED]> wrote:
> As we had seen today everybody has an opinion about how the Botnet
> metrics are computed. I have been reading Gadi's post for many years now and
> believe he is a very knowledgeable and competent person. Give the guy a
> break, he has supplied us with very useful and interesting facts on Botnets
> and that is a lot more than I see coming from all the rest of the group
> involved in this thread.
> Where is everyone else's data?

I have data collected over 5 class B's via darknet.


Of course they are all 10.1.x.x, with only 1 virtual host per /16.
Seems like I am guessing.

Not that I don't trust G, just wanted to see if I could goad him into
releasing some data (as has been called for)

-JP



Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Richard Golodner
As we had seen today everybody has an opinion about how the Botnet
metrics are computed. I have been reading Gadi's post for many years now and
believe he is a very knowledgeable and competent person. Give the guy a
break, he has supplied us with very useful and interesting facts on Botnets
and that is a lot more than I see coming from all the rest of the group
involved in this thread. 
Where is everyone else's data?
Richard Golodner



Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Peter Dawson
I can't present data, but I'll opine that Gadi is pretty much on track with figures and numbers. In fact his stats are on the lower side.

Our current intel reports indicate overall incidents by "Zombie machines on organization's network / bots / use of network by BotNets" = 20%, which is ANY NET based data sets for incident mngt.

This indicates a 36% increase from July 2004 - June 2005, with a mean "unknown base" being equated to
15.1%. This percent implies the rate of fresh nodes being propagated, or rather the rate of growth for Botnets!!

Hypothetically, you can, if you flatline these stats against whatever data sets you have ... I'll leave you all to your better judgements :)-

/pd
On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> On Thu, 14 Sep 2006, Dude VanWinkle wrote:
> > On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > > This counts bot samples. Whether they are variants (changed) or
> > > insignificant changes such as only the IP address to the C&C, they are
> > > counted as unique.
> >
> > So if you have multiple machines NAT'ed under one IP, that is one pot.
> > err bot eh? OK.
>
> And if I see 10 bots using the same address on a dynamic range.. ever heard
> of DHCP? The number crunching schemes are never perfect but they are pretty
> good.
>
> I count, much like many others, unique IPs. A bot is defined as an
> instance of an installed Trojan horse. One machine may have (and probably
> does have) several. We can count IPs and we do.
>
> 3.5 Million hosts, note, for spam alone. The total population count is
> mind-boggling. I believe spamhaus has it pinned at 3.2 millions, other
> have higher numbers. That's about where it is for EMAIL based spam, per
> day.
>
> > > This is why we now run different sharing projects between established
> > > honey nets.
> >
> > So you dont count botnets that detect honeynets eh?
>
> Honey pot detection is an interesting field, I am familiar with it and
> even consider myself somewhat of a knowledgeable person on it, but there
> are those who research it actively.
>
> As interesting as it may be, it's not much of a field yet, sorry to
> say. Honey pots of different kinds work marvelously.
>
> Not all our sources for samples are the same. It would be silly of me to
> divulge them all (especially as personally I have no use for samples these
> days and others do). Still, we can only report what we see, what do you
> see?
>
> > > > or other trivial changes?  Do you attempt to correct for complex polymorphic
> > > > variants?
> >
> > Nah, just contributors who dont all have publicly routable IP's and
> > this herders that know about VMware/Honeywall
> >
> > > There aren't many of those.. really. :)
> >
> > Really? Ok.
> >
> > > > > Further, the anti virus world sees about the same numbers.
> >
> > Using the same methods?
>
> And their reporting user-base, alliances and sharing partners, and what
> not. Yes. Do you think all bots are extremely smart rootkits? I am
> quite happy to say most botnets are nothing if not the re-use of old code,
> which is freely available, using the same old methods.
>
> There are other types of malware out there.
>
> > > > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > > > 15K avg bot samples a month, as well.
> >
> > Gotcha, you MS and Symantec share numbers based of who doesnt know how
> > to disable your detection methods
>
> You assume too much Dude.
> Still, you are right, 100%. I can only detect what I know how to
> detect. But samples are not the only way to follow botnets, and there are
> many ends on how to approach one problem.
>
> Cryptic? I suppose, but hey, Google for methods, see what you find, and
> tell me what you think. I believe we have pretty good coverage, but I also
> need to admit most anti viruses do not cover bot detection very well.
>
> > I am just saying, the larger the organization, the sharper the focus
> > from the other side. Maybe a loose coalition of known non-bullshitters
> > would have a more accurate picture.
>
> The picture you got is pretty accurate. Don't take my word for it
> though. I am happy to examine and share (as much as I can, which is more
> than enough to show the numbers (lower numbers) we chose to show in the
> article.
>
> What numbers do you need? What makes you doubt what we have given? I'd be
> more than happy to answer any question you have or counter-numbers you
> have, but your love for me is as irrelevant as you calling me a
> *** when you don't show your own data or challenge mine with
> actual questions like Dave (the other dave) did.
>
> Thanks,
>
> Gadi.
>
> > still love ja tho Gadi,
> >
> > -JP
> >
> > > > >   Got a link/quote/reference to that?  Does Ziv explain the methodology that
> > > > > they are using?
> > >
> > > Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> > > prove *on my own* without relying on other sources, as reliable as they
> > > may be, 12K, which is the number we mentioned in the article. We were
> > > being conservative due to that reason, but the number is higher.
> > >
> > > > > I don't know what others may be seeing, but this is our best estimate
> > > > > as to what's going on with the number of unique samples released
> > > > > every mont

Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Gadi Evron
On Thu, 14 Sep 2006, Dude VanWinkle wrote:
> On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > This counts bot samples. Whether they are variants (changed) or
> > insignificant changes such as only the IP address to the C&C, they are
> > counted as unique.
> 
> So if you have multiple machines NAT'ed under one IP, that is one pot.
> err bot eh? OK.

And if I see 10 bots using the same address on a dynamic range.. ever heard
of DHCP? The number crunching schemes are never perfect but they are pretty
good.

I count, much like many others, unique IPs. A bot is defined as an
instance of an installed Trojan horse. One machine may have (and probably
does have) several. We can count IPs and we do.

3.5 Million hosts, note, for spam alone. The total population count is
mind-boggling. I believe spamhaus has it pinned at 3.2 millions, other
have higher numbers. That's about where it is for EMAIL based spam, per
day.

> 
> >
> > This is why we now run different sharing projects between established
> > honey nets.
> 
> So you dont count botnets that detect honeynets eh?
> 

Honey pot detection is an interesting field, I am familiar with it and
even consider myself somewhat of a knowledgeable person on it, but there
are those who research it actively.

As interesting as it may be, it's not much of a field yet, sorry to
say. Honey pots of different kinds work marvelously.

Not all our sources for samples are the same. It would be silly of me to
divulge them all (especially as personally I have no use for samples these
days and others do). Still, we can only report what we see, what do you
see?

> > > or other trivial changes?  Do you attempt to correct for complex 
> > > polymorphic
> > > variants?
> 
> Nah, just contributors who dont all have publicly routable IP's and
> this herders that know about VMware/Honeywall
> 
> 
> > There aren't many of those.. really. :)
> 
> Really? Ok.
> 
> > > > Further, the anti virus world sees about the same numbers.
> 
> Using the same methods?
> 

And their reporting user-base, alliances and sharing partners, and what
not. Yes. Do you think all bots are extremely smart rootkits? I am
quite happy to say most botnets are nothing if not the re-use of old code,
which is freely available, using the same old methods.

There are other types of malware out there.

> > > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > > 15K avg bot samples a month, as well.
> 
> Gotcha, you MS and Symantec share numbers based of who doesnt know how
> to disable your detection methods

You assume too much Dude.
Still, you are right, 100%. I can only detect what I know how to
detect. But samples are not the only way to follow botnets, and there are
many ends on how to approach one problem.

Cryptic? I suppose, but hey, Google for methods, see what you find, and
tell me what you think. I believe we have pretty good coverage, but I also
need to admit most anti viruses do not cover bot detection very well.

> I am just saying, the larger the organization, the sharper the focus
> from the other side. Maybe a loose coalition of known non-bullshitters
> would have a more accurate picture.

The picture you got is pretty accurate. Don't take my word for it
though. I am happy to examine and share (as much as I can, which is more
than enough to show the numbers (lower numbers) we chose to show in the
article.

What numbers do you need? What makes you doubt what we have given? I'd be
more than happy to answer any question you have or counter-numbers you
have, but your love for me is as irrelevant as you calling me a
*** when you don't show your own data or challenge mine with
actual questions like Dave (the other dave) did.

Thanks,

Gadi.

> still love ja tho Gadi,
> 
> -JP
> 
> > >
> > >   Got a link/quote/reference to that?  Does Ziv explain the methodology 
> > > that
> > > they are using?
> >
> > Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> > prove *on my own* without relying on other sources, as reliable as they
> > may be, 12K, which is the number we mentioned in the article. We were
> > being conservative due to that reason, but the number is higher.
> >
> > > > I don't know what others may be seeing, but this is our best estimate
> > > > as to what's going on with the number of unique samples released
> > > > every month.
> > > >
> > > > Jose Nazarijo from Arbor replied on the botnets list that he sees
> > > > similar numbers.
> > > >
> > > > I hope this helps... what are you looking to hear?
> > >
> > >   Some kind of explanation for the huge disjunction between these numbers
> > > and our instinctive ideas about what's possible.  Of course, being
> >
> > I followed you this far, but to be honest, your ideas (what are
> > they?) are indeed very far from reality... :)
> >
> > > un-worked-out intuitive estimates, such ideas are of course entirely 
> > > likely
> > > to be off the mark, but off the mark by two orders of magnitude?  Hence

Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Dude VanWinkle
On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> This counts bot samples. Whether they are variants (changed) or
> insignificant changes such as only the IP address to the C&C, they are
> counted as unique.

So if you have multiple machines NAT'ed under one IP, that is one pot.
err bot eh? OK.

>
> This is why we now run different sharing projects between established
> honey nets.

So you dont count botnets that detect honeynets eh?

> > or other trivial changes?  Do you attempt to correct for complex polymorphic
> > variants?

Nah, just contributors who don't all have publicly routable IPs and
these herders that know about VMware/Honeywall


> There aren't many of those.. really. :)

Really? Ok.

> > > Further, the anti virus world sees about the same numbers.

Using the same methods?

> > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > 15K avg bot samples a month, as well.

Gotcha, you MS and Symantec share numbers based on who doesn't know how
to disable your detection methods

I am just saying, the larger the organization, the sharper the focus
from the other side. Maybe a loose coalition of known non-bullshitters
would have a more accurate picture.

still love ja tho Gadi,

-JP

> >
> >   Got a link/quote/reference to that?  Does Ziv explain the methodology that
> > they are using?
>
> Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> prove *on my own* without relying on other sources, as reliable as they
> may be, 12K, which is the number we mentioned in the article. We were
> being conservative due to that reason, but the number is higher.
>
> > > I don't know what others may be seeing, but this is our best estimate
> > > as to what's going on with the number of unique samples released
> > > every month.
> > >
> > > Jose Nazarijo from Arbor replied on the botnets list that he sees
> > > similar numbers.
> > >
> > > I hope this helps... what are you looking to hear?
> >
> >   Some kind of explanation for the huge disjunction between these numbers
> > and our instinctive ideas about what's possible.  Of course, being
>
> I followed you this far, but to be honest, your ideas (what are
> they?) are indeed very far from reality... :)
>
> > un-worked-out intuitive estimates, such ideas are of course entirely likely
> > to be off the mark, but off the mark by two orders of magnitude?  Hence the
> > request for more methodological details.
>
> No problem, I quite understand. There is not that much science into it
> really:
> "Yo, how many unique samples do you see?" as a lone dataset if they won't
> share.
> "Yo, how many unique samples do we all see?" if they share.
> "Yo, how many unique samples do others see?"
>
> AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
> trojan horses, general purpose trojans, dialers, etc (from the large bot
> families).
>
> Gadi.
>
>
> >
> > cheers,
> >   DaveK
> > --
> > Can't think of a witty .sigline today
> >
> >
> >
> > ___
> > To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> > All list and server information are public and available to law enforcement 
> > upon request.
> > http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> >



Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Dude VanWinkle
On 9/14/06, Jose Nazario <[EMAIL PROTECTED]> wrote:
> i guess i'm curious about your position, then, and what you're meaning by
> "our instinctive ideas about what's possible".


You see, the universe operates with a distinct prejudice towards
individuals with an inclination towards lunacy...

they should have covered this in douchebaggery 101 f'er cryin' out loud!

-JP



Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Jose Nazario
On Thu, 14 Sep 2006, Dave "No, not that one" Korn wrote:

> Can you go into detail about the methodology you're using here?  How do 
> you "get to a number" of 15,000 from a number "between 200 and 800"? 
> Is this a statistical extrapolation, or are you saying that your 
> honeynet gets 200 to 800 unique samples a month, and so does that one 
> over there, and that one, and that one and they all add up to 15000? 
> Do you attempt to correct for variants that are simply re-packed using a 
> different compressor, or other trivial changes?  Do you attempt to 
> correct for complex polymorphic variants?

my numbers are based on unique MD5 values.

the bulk of those are minor variants on a theme, ie repackaged bots or 
reconfigured bots, maybe a new module thrown in or something. only a small 
handful, maybe a dozen or so, are really new bots every month. very rarely 
do we see new bots or new capabilities added. the last major change was 
the use of the MS06-040 netapi exploit.

the bulk of the bot binaries i see are derivatives of well known families. 
very few new families emerge in any given timeframe, but in the HTTP bot
world, we're starting to see people develop tools and reuse them.

unique bot samples, ~12-15k or higher a month. many independent teams can 
back that ballpark figure up. new bot samples, truly new like i outlined 
above, is far less. about three orders of magnitude less.

by the way, in this day and age the bulk of people do not bother with 
polymorphism. they achieve it not through the classic - and elegant - 
methods of self modifying code but instead by churning out new bots fast 
and furious. same end result, though: confuse the naive, static detection 
tools out there.

> Some kind of explanation for the huge disjunction between these numbers 
> and our instinctive ideas about what's possible.  Of course, being 
> un-worked-out intuitive estimates, such ideas are of course entirely 
> likely to be off the mark, but off the mark by two orders of magnitude? 
> Hence the request for more methodological details.

i guess i'm curious about your position, then, and what you're meaning by 
"our instinctive ideas about what's possible".

it sounds like we're on the same page, but you may feel it's hyping the 
problem to talk about new bots based on unique MD5 values. it's not my 
favorite way of thinking about it, but it is easily underscored by a 
real-world fact: many AV vendors fail to detect the same bot source simply 
repackaged or re-configured (ie a new IRC server, everything else the 
same). hence, each new MD5 means a new detection hit for them. so, hype 
has a real-world backing, namely AV detection issues.


jose nazario, ph.d. [EMAIL PROTECTED]
http://monkey.org/~jose/
http://monkey.org/~jose/secnews.html
http://www.wormblog.com/
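An added example, not code from any poster in this thread, to make concrete the two counting methods argued about above: Jose's per-unique-MD5 census, in which a repackaged or reconfigured copy of the same bot (only the IRC server changed) counts as a new sample, and Gadi's per-unique-IP census, in which several infected hosts behind one NAT collapse to one IP while a DHCP re-lease makes one host look like two. All sample bytes, the CNC= configuration layout, the IP addresses and the sightings are constructed for the illustration; the "normalized" count, which masks the configuration string before hashing, is one possible way to estimate how many truly distinct bodies sit behind the MD5 count and is not a method anyone in the thread describes.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample "binaries" (hypothetical layout): one bot body that
# differs only in the embedded C&C hostname, plus one genuinely different body.
BOT_BODY = b"\x4d\x5a\x90\x00IRCBOT-CORE-v3\x00CNC=%s\x00PORT=6667\x00"
SAMPLES = [
    BOT_BODY % b"irc.example-a.test",
    BOT_BODY % b"irc.example-b.test",   # same bot, reconfigured
    BOT_BODY % b"irc.example-a.test",   # exact duplicate of the first
    BOT_BODY % b"irc.example-c.test",   # same bot, reconfigured again
    b"\x4d\x5a\x90\x00OTHERBOT-v1\x00CNC=h.example.test\x00",
]

# Matches the constructed configuration string up to its NUL terminator.
CNC_RE = re.compile(rb"CNC=[^\x00]*")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def normalize(data):
    """Mask the configuration string so reconfigured copies hash alike."""
    return CNC_RE.sub(b"CNC=<masked>", data)


def count_unique_md5(samples):
    """Jose's method: every distinct MD5 is a distinct sample."""
    return len({md5_hex(s) for s in samples})


def count_unique_normalized(samples):
    """Distinct bodies once the configuration string is masked."""
    return len({md5_hex(normalize(s)) for s in samples})


# Constructed sightings: (day, source IP, index into SAMPLES).
# 203.0.113.7 is a NAT gateway with two infected hosts behind it;
# 198.51.100.20 -> .21 is one host after a DHCP re-lease.
SIGHTINGS = [
    ("2006-09-14", "203.0.113.7", 0),
    ("2006-09-14", "203.0.113.7", 3),    # second host behind the same NAT
    ("2006-09-14", "198.51.100.20", 1),
    ("2006-09-14", "198.51.100.21", 1),  # same host, new DHCP lease
    ("2006-09-15", "198.51.100.21", 1),
    ("2006-09-15", "203.0.113.7", 0),
]


def unique_ips_per_day(sightings):
    """Gadi's method: one bot per unique IP per day, NAT and DHCP included."""
    per_day = defaultdict(set)
    for day, ip, _ in sightings:
        per_day[day].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def census(samples, sightings):
    """All three figures side by side for the same constructed data."""
    return {
        "unique_md5": count_unique_md5(samples),
        "unique_normalized": count_unique_normalized(samples),
        "unique_ips_per_day": unique_ips_per_day(sightings),
    }


if __name__ == "__main__":
    for name, value in census(SAMPLES, SIGHTINGS).items():
        print(f"{name}: {value}")
```

On the constructed data the MD5 census reports 4 samples where only 2 bodies exist, which is exactly the inflation Jose attributes to repackaging; the IP census reports 3 bots on the first day, having merged the two NAT'd hosts into one and split the DHCP client into two, which is the "never perfect but pretty good" trade-off Gadi describes. The same masking idea explains the detection point in the post above: a signature keyed on the whole file misses every reconfigured copy, while one keyed on the normalized body does not.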



Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers

2006-09-14 Thread Gadi Evron
On Thu, 14 Sep 2006, Dave "No, not that one" Korn wrote:
>   Can you go into detail about the methodology you're using here?  How do 
> you "get to a number" of 15,000 from a number "between 200 and 800"?  Is 

My comment here was in regard to what most honey nets see.

> this a statistical extrapolation, or are you saying that your honeynet gets 
> 200 to 800 unique samples a month, and so does that one over there, and that 
> one, and that one and they all add up to 15000?  Do you attempt to 

Yes. Also, some are large enough to get to that number, and there are
other sources as well such as the AV community or the Microsoft data... as
examples.

> correct for variants that are simply re-packed using a different compressor, 

This counts bot samples. Whether they are variants (changed) or
insignificant changes such as only the IP address to the C&C, they are
counted as unique.

This is why we now run different sharing projects between established
honey nets.

> or other trivial changes?  Do you attempt to correct for complex polymorphic 
> variants?

There aren't many of those.. really. :)


> > Further, the anti virus world sees about the same numbers.
> >
> > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > 15K avg bot samples a month, as well.
> 
>   Got a link/quote/reference to that?  Does Ziv explain the methodology that 
> they are using?

Nope, but I will ask. Most of the numbers I get are at 15K. I can only
prove *on my own* without relying on other sources, as reliable as they
may be, 12K, which is the number we mentioned in the article. We were
being conservative due to that reason, but the number is higher.

> > I don't know what others may be seeing, but this is our best estimate
> > as to what's going on with the number of unique samples released
> > every month.
> >
> > Jose Nazarijo from Arbor replied on the botnets list that he sees
> > similar numbers.
> >
> > I hope this helps... what are you looking to hear?
> 
>   Some kind of explanation for the huge disjunction between these numbers 
> and our instinctive ideas about what's possible.  Of course, being 

I followed you this far, but to be honest, your ideas (what are
they?) are indeed very far from reality... :)

> un-worked-out intuitive estimates, such ideas are of course entirely likely 
> to be off the mark, but off the mark by two orders of magnitude?  Hence the 
> request for more methodological details.

No problem, I quite understand. There is not that much science into it
really:
"Yo, how many unique samples do you see?" as a lone dataset if they won't
share.
"Yo, how many unique samples do we all see?" if they share.
"Yo, how many unique samples do others see?"

AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
trojan horses, general purpose trojans, dialers, etc (from the large bot
families).

Gadi.


> 
> cheers,
>   DaveK
> -- 
> Can't think of a witty .sigline today 
> 
> 
> 
