Re: [Full-disclosure] Vulnerability automation and Botnet "solutions" I expect to see this year

*. Gadi Intelligence (very limited)

On 10/26/06, cdejrhymeswithgay@xxxxxxxx <cdejrhymeswithgay@xxxxxxxx> wrote:


On Tue, 24 Oct 2006 10:52:58 -0500 Gadi Evron <ge@xxxxxxxxxxxx>
>So, what I am going to talk about... A tad bit of history on vulnerabilities and their use on the Internet, and then, what we are going to see on corporate, ISP and Internet security relating to botnets
>coming year.
>
>Vulnerabilities don't exist for the sake of vulnerabilities. They are used for something, they are a tool. Botnets are much the same, using vulnerabilities on the next layer.
>
>This past year we have seen how disclosed vulnerabilities, patched vulnerabilities and 0days have been utilized by automated kits. An inter-linked system of websites which download malicious code (update the kits), try to infect millions of users from just a couple dozen main hubs, and react to the environment.
>
>If a certain vulnerability is seen to be more successful on certain OS types or if one is found to not work, the kit will be fixed and distributed. Often immediately after a patch Tuesday, likely that same Friday evening.
>
>This way, income can be maximized with the number of infections, stolen and thus ROI. Both from the expected response time of the
>as well as how many victims can be reached in that window.
>
>One such kit is Webattacker, which has recently been getting more known in public circles.
>
>Where we are
>
>That does it, botnets are mainstream. People did not yet understand the idea that software vulnerabilities facilitate an attack (=are not attack) and botnets facilitate much the same, only on a different level. I will discuss that further after what interests everybody.
>
>Solutions in the coming year!
>
>First, many products in the industry have been implemented successfully in the past, just as solutions of necessity, not "products". Some successful, some failed. Some (services) have been supplied to the
>and connected, some haven't.
>
>Botnets are now main-stream, which means other lesser beings and corporations want these services. They want to be protected in a
>world. They realize the Internet is not a safe place, and plan
>
>Services we will see more and more of:
>
>*. Intelligence (very limited), showing IP addresses for botnet
>and control (C&C) servers, which your computers may be connecting
>(i.e. compromised).
>
>*. Intelligence (very limited), showing IP addresses that you
>which show in spam (meaning compromised hosts) or show in other ways in botnet data being collected. Mostly, this is spam-oriented and the rest of the intelligence is barely noticeable as of yet.
>
>*. Intelligence (very limited) on the millions on millions of
>(for sites, credit cards, banks, eCommerce systems, etc.) and
>being stolen every single day by massive phishing man-in-the-middle trojan
>
>*. Intelligence (very limited) other blacklisting services.
>
>In the past, a limited version of these services was provided, but secretly, and at a very high cost.
>
>Botnet products on the network can either detect internal problems
>as bots on the corporate or ISP network or the spreading of infections) or external problems (such as C&C servers or attacks from the world).
>can be based on behavior or intelligence.
>
>Solutions, which we discussed in the past and are now going to
>
>Intelligence-based (until now only supplied by select groups to
>groups) -
>*. Known bad IPs. Etc. Much like in spam, only for other realms.
>*. Known bad URLs or domain names. Etc. Much like in spam, only for other
>
>Detection -
>*. IDS approach (decent but not even close to cutting it),
>*. DNS monitoring approach (very cool, but is just one approach in
>layered solution).
>*. Netflow approach (proven for years now, only one approach, useful, which is growing more limited every day).
>
>Respond and quarantine -
>*. Walled garden approach (close off/limit suspicious or confirmed compromised computers until they clean themselves. Not successful
>current solutions, shows promise).
>*. Try to fix the situation remotely (solve the vulnerabilities, etc. ahead of time or remove after the fact).
>
>There are several others, but these are the main ones describing the 10 or so products we are about to see (all of which are already
>publicly as open source, privately developed tools or unsuccessful solutions due to lack of client awareness and interest).
>
>QoS, virtualization and half decent intelligence gathering will
>next. Other solutions I will not waste breath speaking of right now, they will appear for public consumption once the effectiveness of the above (or the better ones there) is done to dust.
>
>What's next?
>
>Decent, real decent, intelligence, and support response tools to
>what you find in conjunction with a response team trained to deal
>thousands of real incidents rather than mark check-lists on a couple an hour to a couple a month. That's simply not being aware of what's happening in your network.
>
>Many of the CERTs and SOCs are very trained and high quality, they are not equipped or don't see what they need to react to nor in most cases built to deal with this threat.
>
>What's never going to happen?
>
>With security done right, on a wide-scale, with a decent systems
>network, policy, monitoring and response - a lot can be done and 0days can also be avoided, even (and especially) with business concerns being put
>
>Gadi Evron,
>
>Full-Disclosure - We believe in it.
>Hosted and sponsored by Secunia -

If Hitler was alive and a hacker, do you think your box would be
working, Gadi?




smile tomorrow will be worse
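Added example (not from the thread or from anyone posting in it): a sketch of the layered detection Gadi's quoted mail lists, combining intelligence (known-bad C&C IPs and domains), DNS monitoring, netflow and a behaviour check into one walled-garden quarantine list. The indicator feed, flow records and DNS log are all constructed here; the addresses are RFC 5737 documentation ranges, not real indicators.

```python
from collections import defaultdict
from statistics import mean, pstdev

BAD_IPS = {"198.51.100.7"}            # hypothetical C&C feed, RFC 5737 range
BAD_DOMAINS = {"cnc.example.net"}     # hypothetical C&C domain feed

# Constructed netflow-style records: (epoch_seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    (0, "10.0.0.5", "198.51.100.7", 6667),      # talks to a listed C&C address
    (5, "10.0.0.8", "203.0.113.9", 443),
    (60, "10.0.0.8", "203.0.113.9", 443),       # evenly spaced contacts to an
    (121, "10.0.0.8", "203.0.113.9", 443),      # unlisted host: behaviour hit
    (180, "10.0.0.8", "203.0.113.9", 443),
]
# Constructed DNS query log: (client_ip, queried_name)
DNS_LOG = [("10.0.0.9", "bot1.cnc.example.net"), ("10.0.0.8", "www.example.org")]

def intel_hits(flows, dns_log):
    """Intelligence layer: flows to listed IPs, lookups of listed names/subdomains."""
    hits = defaultdict(set)
    for _, src, dst, port in flows:
        if dst in BAD_IPS:
            hits[src].add(f"flow->{dst}:{port}")
    for client, name in dns_log:
        n = name.lower().rstrip(".")
        if any(n == d or n.endswith("." + d) for d in BAD_DOMAINS):
            hits[client].add(f"dns->{name}")
    return hits

def beacon_hits(flows, min_count=4, max_jitter=0.1):
    """Behaviour layer: near-constant intervals to one destination (beaconing)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = defaultdict(set)
    for (src, dst, port), times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # len() check short-circuits so mean/pstdev never see an empty list
        if len(times) >= min_count and pstdev(gaps) <= max_jitter * mean(gaps):
            hits[src].add(f"beacon->{dst}:{port}~{round(mean(gaps))}s")
    return hits

def quarantine_list(flows, dns_log):
    """Walled-garden input: every flagged host with the evidence behind it."""
    merged = defaultdict(set)
    for layer in (intel_hits(flows, dns_log), beacon_hits(flows)):
        for host, evidence in layer.items():
            merged[host] |= evidence
    return {h: sorted(e) for h, e in sorted(merged.items())}
```

The intelligence layer only catches what the feed already knows; the beacon check is what flags 10.0.0.8, whose destination is on no list.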
