To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Folks,

Jose Nazario [mailto:[EMAIL PROTECTED]] wrote:
> it sounds like we're on the same page, but you may feel it's hyping the
> problem to talk about new bots based on unique MD5 values. it's not my
> favorite way of thinking about it, but it is easily underscored by a
> real-world fact: many AV vendors fail to detect the same bot source simply
> repackaged or re-configured (ie a new IRC server, everything else the
> same). hence, each new MD5 means a new detection hit for them. so, hype
> has a real-world backing, namely AV detection issues.

I can second that, from a not-associated-with-anyone-POV. I get many, many slightly mutated versions of the same bot every day, on average one new version a day, on a very small honeynet. More often than not, AV fails to detect these mods. I obviously don't reach 15k/month, but in this case size does matter.
Seeing that these mutations could simply be mailed around, too, and AV wouldn't detect them either, makes counting them as unique, new bots a valid POV, methinks.

Cheers,
Joerg

--
Joerg Weber M. A.
Team Lead, Network Security/Network Applications
infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken
T: (0681) 8 80 08 - 59
F: (0681) 8 80 08 - 33
www.infos.de
mailto: [EMAIL PROTECTED]

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
