To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> This counts bot samples. Whether they are variants (changed) or
> insignificant changes such as only the IP address to the C&C, they are
> counted as unique.

So if you have multiple machines NAT'ed under one IP, that is one pot. err bot eh? OK.

>
> This is why we now run different sharing projects between established
> honey nets.

So you don't count botnets that detect honeynets eh?

> > or other trivial changes? Do you attempt to correct for complex polymorphic
> > variants?

Nah, just contributors who don't all have publicly routable IP's and this herders that know about VMware/Honeywall

> There aren't many of those.. really. :)

Really? Ok.

> > > Further, the anti virus world sees about the same numbers.

Using the same methods?

> > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > 15K avg bot samples a month, as well.

Gotcha, you MS and Symantec share numbers based off who doesn't know how to disable your detection methods

I am just saying, the larger the organization, the sharper the focus from the other side. Maybe a loose coalition of known non-bullshitters would have a more accurate picture.

still love ja tho Gadi,

-JP<the douchebg>

> >
> > Got a link/quote/reference to that? Does Ziv explain the methodology that
> > they are using?
>
> Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> prove *on my own* without relying on other sources, as reliable as they
> may be, 12K, which is the number we mentioned in the article. We were
> being conservative due to that reason, but the number is higher.
>
> > > I don't know what others may be seeing, but this is our best estimate
> > > as to what's going on with the number of unique samples released
> > > every month.
> > >
> > > Jose Nazarijo from Arbor replied on the botnets list that he sees
> > > similar numbers.
> > >
> > > I hope this helps... what are you looking to hear?
> >
> > Some kind of explanation for the huge disjunction between these numbers
> > and our instinctive ideas about what's possible. Of course, being
>
> I followed you this far, but to be honest, your ideas (what are
> they?) are indeed very far from reality... :)
>
> > un-worked-out intuitive estimates, such ideas are of course entirely likely
> > to be off the mark, but off the mark by two orders of magnitude? Hence the
> > request for more methodological details.
>
> No problem, I quite understand. There is not that much science into it
> really:
> "Yo, how many unique samples do you see?" as a lone dataset if they won't
> share.
> "Yo, how many unique samples do we all see?" if they share.
> "Yo, how many unique samples do others see?"
>
> AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
> trojan horses, general purpose trojans, dialers, etc (from the large bot
> families).
>
> Gadi.
>
> >
> > cheers,
> > DaveK
> > --
> > Can't think of a witty .sigline today....
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> > _______________________________________________
> > To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> > All list and server information are public and available to law enforcement
> > upon request.
> > http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
