To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

I'm thinking of making an available list, and letting the admins decide
whether they want to block or mitigate.

Along with listing the C&C's, list any other evidence per address, giving
important date information etc., so that network owners can verify and/or
take care of those ranges effectively. Just my two cents.

I agree also to move the private botnet email ;p

-JB

-----Original Message-----
From: Bill Nash [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 04, 2006 2:24 PM
To: Jeff Kell
Cc: [email protected]
Subject: Re: [botnets] is there a list of botnet hostnames somewhere ?

Getting into the habit of publishing C&C's submitted to the public list
carries the risk of poisoning. I'm sorry to be a naysayer on this, but it's
viable and, as the timeline approaches infinity, it's going to happen. This
is going to be a circle of trust issue, at some point. I'd have a hard time
accepting a /32 blacklist from someone I don't know. At best, the only use
I'd put those IPs to is tagging them in my netflow analyzers with a slightly
higher threat score to make traffic to them stick out a bit, to see what
they're talking to.

Also, while I'm posting, Gadi? Is there a better place for that private
reporting banner on the top of all list emails? It's annoying.

- billn

On Sat, 4 Mar 2006, Jeff Kell wrote:

> There is a balance here somewhere between public disclosure and active
> enforcement investigation. If a "live botnet" is discovered that we
> *can* get ISP/registrar/legal investigation activated, you don't want
> it shut down as the botnet is followed, binaries/ratware samples are
> obtained for analysis, and the bot herder[s] tracked.. I can
> understand the need for limited disclosure. However...
>
> Identifying C&C sources (IPs and/or DNS names) that could be used to
> *quietly* blackhole them and protect your
> customers/organization/enterprise would be invaluable, and could be
> released in a timely manner. I'm hoping this list can achieve that
> goal, either on-list or by other means such as a repository file that
> could be archived/rsynced, CVS, or for those in a position to make use
> of it, a BGP feed. The former can be processed into suitable blocking
> input (ACLs, null routes, snortsam, iptables/ipf, etc). The latter
> can be as secure as the source host wishes to permit peers, and it is
> extremely neutral in its disclosure, being nothing more than IPs or
> CIDRs. It would not work for DNS (unless someone wants to run a root
> :-) ) but it would otherwise work.
>
> A secondary list of interest may be sources where binaries are being
> downloaded. Some ratware uses centralized repositories, such as URLs
> advertised via IM, spam, drive-bys, etc. Others play traditional worm
> "leap frog" where the infected host becomes the repository for any
> subsequent host it can compromise. The first are valuable on a global
> scale, the latter are somewhat localized, especially when the bot is
> scanning the local /8 or /16 as is often the case.
>
> If we provide a thorough and timely list[s] as above, the remaining
> question of "what to do with the drones" becomes a bit more
> straightforward. If you are in a position to make use of the block
> list, you should be able to track any downstream sources trying to
> establish connections to those IPs. This is *much* more timely than
> any notifications you might send out to abuse desks, as observing the
> connection attempts is a real-time feed of infected hosts, as opposed
> to potentially stale reports of what was infected at some earlier
> point in time.
>
> In short...
> * Get the net information to investigators,
> * Get the C&C information to the general list,
> * Downplay the drones. Anyone that has the time/resources/will to
> clean them up can do it from the block list.
>
> Jeff
> _______________________________________________
> botnets mailing list
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
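Jeff's repository-file idea and Bill's netflow tagging, carried through as an added example that is not code from the list or from any poster: it parses a constructed C&C feed of IPs/CIDRs, reports which internal hosts have flows to a listed address (the "real-time feed of infected hosts"), and emits null-route and iptables lines from the same feed. The feed contents, the flow records and the 10.0.0.0/8 internal range are all assumed for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a published C&C feed (one IP or CIDR per line, '#' comments); documentation ranges only.
CC_LIST = """\
# constructed feed for this demo
203.0.113.10
198.51.100.0/28
2001:db8::1
"""

# Constructed netflow-style (src, dst, dst_port) records; 10.0.0.0/8 is the internal side.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6667),
    ("10.0.0.7", "198.51.100.9", 80),
    ("10.0.0.5", "192.0.2.44", 443),
    ("10.0.0.9", "203.0.113.10", 6667),
]

def parse_cc_list(text):
    """Feed lines -> ip_network objects (bare IPs become /32 or /128)."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def infected_hosts(flows, nets):
    """Internal sources seen talking to a listed C&C: {src: {(dst, port)}}."""
    hits = defaultdict(set)
    for src, dst, port in flows:
        if any(ipaddress.ip_address(dst) in net for net in nets):
            hits[src].add((dst, port))
    return dict(hits)

def blocking_rules(nets):
    """Null-route and firewall lines an admin could push to a Linux box."""
    rules = []
    for net in nets:
        ip_cmd, ipt = ("ip -6", "ip6tables") if net.version == 6 else ("ip", "iptables")
        rules.append(f"{ip_cmd} route add blackhole {net}")
        rules.append(f"{ipt} -A FORWARD -d {net} -j DROP")
    return rules

if __name__ == "__main__":
    nets = parse_cc_list(CC_LIST)
    for src, peers in sorted(infected_hosts(FLOWS, nets).items()):
        print(f"{src} -> {sorted(peers)}")  # the infected-host feed Jeff describes
    print("\n".join(blocking_rules(nets)))
```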
