To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Getting into the habit of publishing C&Cs submitted to the public list carries the risk of poisoning. I'm sorry to be a naysayer on this, but it's viable and, as the timeline approaches infinity, it's going to happen. This is going to be a circle-of-trust issue at some point. I'd have a hard time accepting a /32 blacklist from someone I don't know. At best, the only use I'd put those IPs to is tagging them in my netflow analyzers with a slightly higher threat score to make traffic to them stick out a bit, to see what they're talking to.

Also, while I'm posting, Gadi? Is there a better place for that private reporting banner at the top of all list emails? It's annoying.

- billn

On Sat, 4 Mar 2006, Jeff Kell wrote:

> There is a balance here somewhere between public disclosure and active
> enforcement investigation. If a "live botnet" is discovered for which we
> *can* get ISP/registrar/legal investigation activated, you don't want it
> shut down while the botnet is followed, binaries/ratware samples are
> obtained for analysis, and the bot herder[s] tracked. I can understand
> the need for limited disclosure. However...
>
> Identifying C&C sources (IPs and/or DNS names) that could be used to
> *quietly* blackhole them and protect your
> customers/organization/enterprise would be invaluable, and could be
> released in a timely manner. I'm hoping this list can achieve that
> goal, either on-list or by other means such as a repository file that
> could be archived/rsynced, CVS, or, for those in a position to make use
> of it, a BGP feed. The former can be processed into suitable blocking
> input (ACLs, null routes, snortsam, iptables/ipf, etc.). The latter can
> be as secure as the source host wishes to permit peers, and it is
> extremely neutral in its disclosure, being nothing more than IPs or
> CIDRs. It would not work for DNS (unless someone wants to run a root
> :-) ) but it would otherwise work.
>
> A secondary list of interest may be sources where binaries are being
> downloaded. Some ratware uses centralized repositories, such as URLs
> advertised via IM, spam, drive-bys, etc. Others play traditional worm
> "leap frog", where the infected host becomes the repository for any
> subsequent host it can compromise. The first are valuable on a global
> scale; the latter are somewhat localized, especially when the bot is
> scanning the local /8 or /16, as is often the case.
>
> If we provide thorough and timely list[s] as above, the remaining
> question of "what to do with the drones" becomes a bit more
> straightforward. If you are in a position to make use of the block
> list, you should be able to track any downstream sources trying to
> establish connections to those IPs. This is *much* more timely than any
> notifications you might send out to abuse desks, as observing the
> connection attempts is a real-time feed of infected hosts, as opposed to
> potentially stale reports of what was infected at some earlier point in
> time.
>
> In short...
> * Get the net information to investigators,
> * Get the C&C information to the general list,
> * Downplay the drones. Anyone that has the time/resources/will to clean
> them up can do it from the block list.
>
> Jeff

_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
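The two halves of this exchange, Jeff's "process the C&C list into blocking input and watch who connects to it" and billn's "I'd only tag /32s from strangers with a higher threat score", fit together in one small tool. The following is an added example written for this page; it is not code from the thread, the list, or any feed the list ran. It assumes a blocklist format of "cidr,source,trust" (the trust column is an assumption, not something the list published), and a flow record format of "timestamp src dst dport" (also an assumption); both sample inputs below are constructed using reserved documentation address ranges. Entries above a trust threshold are emitted as iptables DROP rules and null routes, and any internal host seen talking to them is reported as infected; entries below the threshold only raise a threat score on the talking host, which is billn's position.

```python
"""Turn a C&C blocklist into blocking rules and watch flow records for
internal hosts that talk to listed C&Cs.  Added example, not list code."""
import ipaddress
from dataclasses import dataclass

# Constructed blocklist in an assumed "cidr,source,trust" format.  The
# addresses are from the RFC 5737 documentation ranges, not real C&Cs.
BLOCKLIST_TEXT = """\
# cidr,source,trust (trust in 0..1; assumed column, not a list convention)
203.0.113.7/32,verified-ops,1.0
198.51.100.0/24,verified-ops,0.9
192.0.2.44/32,anon-submitter,0.3
"""

# Constructed flow records in an assumed "timestamp src dst dport" format.
FLOWS_TEXT = """\
2006-03-04T10:00:01 10.1.2.3 203.0.113.7 6667
2006-03-04T10:00:02 10.1.2.9 192.0.2.44 6667
2006-03-04T10:00:03 10.1.2.3 203.0.113.250 80
2006-03-04T10:00:04 10.1.4.7 198.51.100.23 80
"""


@dataclass(frozen=True)
class Entry:
    network: object  # ipaddress.IPv4Network or IPv6Network
    source: str
    trust: float


def parse_blocklist(text):
    """Parse the list, skipping comments/blank lines; malformed CIDRs raise."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cidr, source, trust = (f.strip() for f in line.split(","))
        # strict=False accepts host bits set, e.g. 198.51.100.5/24.
        entries.append(Entry(ipaddress.ip_network(cidr, strict=False),
                             source, float(trust)))
    return entries


def blocking_rules(entries, min_trust=0.8):
    """Emit a DROP rule and a null route only for entries we actually trust."""
    rules = []
    for e in entries:
        if e.trust >= min_trust:
            cidr = e.network.with_prefixlen
            rules.append(f"iptables -A FORWARD -d {cidr} -j DROP")
            rules.append(f"ip route add blackhole {cidr}")
    return rules


def lookup(entries, ip):
    """Longest-prefix match of an address against the list; None if no hit."""
    addr = ipaddress.ip_address(ip)
    best = None
    for e in entries:
        if addr.version == e.network.version and addr in e.network:
            if best is None or e.network.prefixlen > best.network.prefixlen:
                best = e
    return best


def watch_flows(entries, flows_text, block_trust=0.8):
    """Return hosts talking to trusted C&C entries ("infected") and hosts
    talking to low-trust entries, tagged with the highest score seen."""
    infected = set()
    tagged = {}
    for raw in flows_text.splitlines():
        if not raw.strip():
            continue
        _ts, src, dst, _dport = raw.split()
        hit = lookup(entries, dst)
        if hit is None:
            continue
        if hit.trust >= block_trust:
            infected.add(src)
        else:
            tagged[src] = max(tagged.get(src, 0.0), hit.trust)
    return {"infected": infected, "tagged": tagged}


if __name__ == "__main__":
    entries = parse_blocklist(BLOCKLIST_TEXT)
    for rule in blocking_rules(entries):
        print(rule)
    print(watch_flows(entries, FLOWS_TEXT))
```

Run against the constructed data, the two verified-ops entries become four rules (the anonymous /32 gets none), 10.1.2.3 and 10.1.4.7 are reported as infected from the flow records alone, and 10.1.2.9 is merely tagged at 0.3 for talking to the unverified /32. Raising or lowering block_trust is the knob for how much of a stranger's submission you are willing to act on automatically.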
