To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

There is a balance here somewhere between public disclosure and active enforcement investigation. If a "live botnet" is discovered for which we *can* get ISP/registrar/legal investigation activated, you don't want it shut down as the botnet is followed, binaries/ratware samples are obtained for analysis, and the bot herder[s] tracked. I can understand the need for limited disclosure. However...
Identifying C&C sources (IPs and/or DNS names) that could be used to *quietly* blackhole them and protect your customers/organization/enterprise would be invaluable, and could be released in a timely manner. I'm hoping this list can achieve that goal, either on-list or by other means such as a repository file that could be archived/rsynced, CVS, or, for those in a position to make use of it, a BGP feed. The former can be processed into suitable blocking input (ACLs, null routes, snortsam, iptables/ipf, etc). The latter can be as secure as the source host wishes to permit peers, and it is extremely neutral in its disclosure, being nothing more than IPs or CIDRs. It would not work for DNS (unless someone wants to run a root :-) ) but it would otherwise work.

A secondary list of interest may be sources where binaries are being downloaded. Some ratware uses centralized repositories, such as URLs advertised via IM, spam, drive-bys, etc. Others play traditional worm "leap frog" where the infected host becomes the repository for any subsequent host it can compromise. The first are valuable on a global scale; the latter are somewhat localized, especially when the bot is scanning the local /8 or /16, as is often the case.

If we provide a thorough and timely list[s] as above, the remaining question of "what to do with the drones" becomes a bit more straightforward. If you are in a position to make use of the block list, you should be able to track any downstream sources trying to establish connections to those IPs. This is *much* more timely than any notifications you might send out to abuse desks, as observing the connection attempts is a real-time feed of infected hosts, as opposed to potentially stale reports of what was infected at some earlier point in time.

In short...

* Get the net information to investigators,
* Get the C&C information to the general list,
* Downplay the drones. Anyone that has the time/resources/will to clean them up can do it from the block list.
Jeff
_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
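An added example, not code from Jeff's post or from the list, of the two things the post asks a block-list consumer to do: turn a plain IP/CIDR C&C feed into blocking input (iptables rules or null routes), and watch the firewall log for downstream hosts attempting connections to listed addresses, which is the real-time drone feed described above. The feed format, the Netfilter-style log format and every address are assumptions made up for the example; the addresses are RFC 5737 documentation ranges, not real C&C sources.

```python
"""Added example (not from Jeff's post): turn a C&C IP/CIDR feed into blocking
input and mine firewall logs for internal hosts that tried to reach the C&Cs.
The feed format, the log format and every address below are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Constructed feed: one IP or CIDR per line, '#' starts a comment.  Addresses
# are RFC 5737 documentation ranges standing in for real C&C sources.
SAMPLE_FEED = """\
# hypothetical C&C feed, not a real one
198.51.100.17
203.0.113.0/24
203.0.113.5          # already covered by the /24 above; gets collapsed away
bogus-line           # junk that must not break the run
"""

# Constructed Netfilter-style log lines (format assumed); 10.0.0.0/8 hosts are
# our own downstream, destinations are the feed entries above.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=203.0.113.44 PROTO=TCP DPT=6667
Mar 10 12:00:02 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=203.0.113.44 PROTO=TCP DPT=6667
Mar 10 12:00:03 fw kernel: ACCEPT IN=eth1 SRC=10.0.7.9 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 10 12:00:04 fw kernel: DENY IN=eth1 SRC=10.0.9.140 DST=198.51.100.17 PROTO=TCP DPT=6667
Mar 10 12:00:05 fw kernel: DENY IN=eth1 SRC=10.0.5.23 DST=198.51.100.17 PROTO=TCP DPT=80
"""

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+)")

# Rule templates; the feed entry is the destination, so only traffic *to* the
# C&C is affected.  Log before drop so the hit still shows in the firewall log.
RULE_TEMPLATES = {
    "iptables": (
        "iptables -A FORWARD -d {net} -j LOG --log-prefix 'CC-BLOCK '",
        "iptables -A FORWARD -d {net} -j DROP",
    ),
    "nullroute": ("ip route add blackhole {net}",),
}


def parse_feed(text):
    """Return the feed as a sorted, de-duplicated list of ip_network objects.
    Unparseable lines (including DNS names) are skipped, never fatal."""
    by_version = {4: [], 6: []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        by_version[net.version].append(net)
    nets = []
    for same_version in by_version.values():
        # collapse_addresses merges overlapping/adjacent blocks and sorts them
        nets.extend(ipaddress.collapse_addresses(same_version))
    return nets


def render_rules(nets, style="iptables"):
    """Expand the feed into shell lines for the chosen blocking mechanism."""
    return [tpl.format(net=net) for net in nets for tpl in RULE_TEMPLATES[style]]


def find_drones(log_text, nets):
    """Map each internal source that hit a listed C&C to its attempt count and
    the distinct C&C addresses it tried: the real-time infected-host feed."""
    hits = defaultdict(lambda: {"hits": 0, "cc": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        if any(dst.version == net.version and dst in net for net in nets):
            hits[str(src)]["hits"] += 1
            hits[str(src)]["cc"].add(str(dst))
    return {src: {"hits": v["hits"], "cc": sorted(v["cc"])} for src, v in hits.items()}


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for rule in render_rules(feed, "nullroute"):
        print(rule)
    for src, info in find_drones(SAMPLE_LOG, feed).items():
        print(f"{src}: {info['hits']} attempt(s) to {', '.join(info['cc'])}")
```

Two caveats match the post's own: a DNS name in the feed is simply skipped by parse_feed, because an IP/CIDR list cannot express it, and a blackhole route or a destination-only rule affects just the outbound direction, so the matching here is on DST only. The log-then-drop ordering in the iptables template is what keeps the drone feed flowing after the block is in place.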
