Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers



On Thu, 14 Sep 2006, Dude VanWinkle wrote:
On 9/14/06, Gadi Evron <ge@xxxxxxxxxxxx> wrote:
This counts bot samples. Whether they are variants (changed) or
insignificant changes such as only the IP address to the C&C, they are
counted as unique.

So if you have multiple machines NAT'ed under one IP, that is one pot.
err bot eh? OK.

And if I see 10 bots usingthe same address on a dynamic range.. ever heard
of DHCP? The number crunching schemes arenever perfect but they are pretty
good.

I count, much like many others, unique IPs. A bot is defined as an
instance of an installed Trojan horse. One machine mayhave (and probably
does have) several. We can count IPs and we do.

3.5 Million hosts, note, for spam alone. The total population count is
mind-boggling. I believe spamhaus has it pinned at 3.2 millions, other
have higher numbers. That's about where it is for EMAIL based spam, per
day.



This is why we now run different sharing projects between established
honey nets.

So you dont count botnets that detect honeynets eh?


Honey pot detection is an interesting field, I am familiar with it and
even consider myself somewhat of a knowledgable person on it, but there
are those who research it actively.

As interesting as it may be, it's not much of a field yet, sorry to
say. Honey pots of different kinds work marvelously.

Not all our sources for samples are the same. It would be silly of me to
divulge them all (especially as personally I have no use for samples these
days and others do). Still, we can only report what we see, what do you
see?

or other trivial changes? Do you attempt to correct for complex polymorphic
variants?

Nah, just contributors who dont all have publicly routable IP's and
this herders that know about VMware/Honeywall


There aren't many of those.. really. :)

Really? Ok.

Further, the anti virus world sees about the same numbers.

Using the same methods?


And their reporting user-base, alliances and sharing artners, and what
not. Yes. D o you think all bots are extremely smart rootkits? I am
quite happy to say most botnets are nothing if not the re-use of old code,
which is freely available, using the same old methods.

There are other types of malware out there.

The Microsoft anti malware team (and Ziv Mador specifically) spoke of
15K avg bot samples a month, as well.

Gotcha, you MS and Symantec share numbers based of who doesnt know how
to disable your detection methods

You assume too much Dude.
Still, you are right, 100%. I can only detect what I know how to
detect. But samples are not the only way to follow botnets, and there are
many ends on how to approach one problems.

Cryptic? I suppose, but hey, Google for methods, see what you find, and
tell me what you think. I believe we have pretty good coverage, but I also
need to admit most anti viruses do not cover bot detection very well.

I am just saying, the larger the organization, the sharper the focus
from the other side. Maybe a loose coalition of known non-bullshitters
would have a more accurate picture.

The picture you got is pretty accurate. Don't take my word for it
though. I am happy to examine and share (as much as I can, which is more
than enough to show the numbers (lower numbers) we chose to show in the
article.

What numbers do you need? What makes you doubt what we have given? I'd be
more than happy to answer any question you have or counter-numbers you
have, but your love for me is as irrelevant as you calling me a
*********** when you don't show your own data or challange mine with
actual questions like Dave (the other dave) did.

Thanks,

Gadi.

still love ja tho Gadi,

-JP<the douchebg>


Got a link/quote/reference to that? Does Ziv explain the methodology that
they are using?

Nope, but I will ask. Most of the numbers I get are at 15K. I can only
prove *on my own* without relying on other sources, as reliable as they
may be, 12K, which is the number we mentioned in the article. We were
being conservative due to that reason, but the number is higher.

I don't know what others may be seeing, but this is our best estimate
as to what's going on with the number of unique samples released
every month.

Jose Nazarijo from Arbor replied on the botnets list that he sees
similar numbers.

I hope this helps... what are you looking to hear?

Some kind of explanation for the huge disjunction between these numbers
and our instinctive ideas about what's possible. Of course, being

I followed you this far, but to be honest, your ideas (what are
they?) are indeed very far from reality... :)

un-worked-out intuitive estimates, such ideas are of course entirely likely
to be off the mark, but off the mark by two orders of magnitude? Hence the
request for more methodological details.

No problem, I quite understand. There is not that much science into it
really:
"Yo, how many unique samples do you see?" as a lone dataset if they won't
share.
"Yo, how many unique samples do we all see?" if they share.
"Yo, how many unique samples do others see?"

AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
trojan horses, general purpose trojans, dialers, etc (from the large bot
families).

Gadi.



cheers,
DaveK
--
Can't think of a witty .sigline today....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
To report a botnet PRIVATELY please email: c2report@xxxxxxxxx
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/