To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
What I have seen is that a good majority of the C&Cs are running
on dedicated hosts that might have been set up fraudulently, or that
have been compromised. As far as the clients of these C&Cs, it
really depends on what the attacker is targeting... If he is targeting
the new Windows vulnerability, then there will be lots of end users
that are on the botnet, which are directly connected to the Internet.
Some of the bots that come from major businesses appear to be from
accidental downloads of malware.
Running a C&C on a major business's network is more hassle than it
is worth for the attacker, as you would have to compromise the host,
deal with firewalls, and the C&C would be shut down fairly
quickly (hours, instead of days or weeks).
Just my 2 cents.
Adriel T. Desuatels wrote:
List,
I have a team that has been performing research against information
collected from shadowserver. So far I'm seeing that bots are not
compromising major businesses, but do have a significant indirect negative
impact on those businesses.
Has anyone seen bots coming from IP addresses registered to major
businesses? Has anyone seen C&C servers installed on networks run by major
businesses? Or, are these compromises mostly smaller businesses and home
users?
On 2/16/07 6:43 PM, "Tom" <[EMAIL PROTECTED]> wrote:
On Wed, 14 Feb 2007, Jeremy Epstein wrote:
There was also a really entertaining presentation from Patrick Petersen of
IronPort at RSA, in which he mentioned use of defaced web sites as proxy
forwarders for spammers. According to the presentation, the spammers have a
fairly sophisticated toolkit that takes over the site and turns it into a
pharmacy (or whatever) redirect site. A different goal from the Websense
presentation, but still a purpose other than simple defacement.
Indeed. I can post some screenshots of some of these tools if you are
interested in them.
Anon remailers, spam tools, etc. More and more spam is being sent using
web servers.
I am looking for someone to volunteer to create SpamAssassin rules based
on how these tools send mail.
Rules are easy when either you don't have it installed or you are
proactive and installed it in a non default location which is what we
do.
I have a couple of rules based upon log analysis and can probably
generate more but can't you just use:
http://bleedingthreats.net/bleeding-web.rules
http://bleedingthreats.net/bleeding-exploit.rules
http://bleedingthreats.net/bleeding-attack_response.rules
Tom
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
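As an added illustration of the kind of header-based rules Tom is asking for (this is example code written for this page, not Tom's rules, not the bleedingthreats.net rulesets, and not anything posted to the list), the script below fingerprints mail that was generated by a PHP mailer script on a web host and emits the same checks in SpamAssassin rule syntax. The fingerprints are assumptions: PHP's mail() function adds an "X-Mailer: PHP/<version>" header when the script sets none, PHP 5.3+ can add "X-PHP-Originating-Script" (mail.add_x_header), and the "first Received hop is a www/web host" heuristic assumes a naming convention that will not hold everywhere. The two sample messages are constructed inline so the script runs offline.

```python
"""Fingerprint spam relayed through web-server mailer scripts.

Added example for this page; not code from the list post. Header
fingerprints and hostnames below are assumptions, not observed data.
"""
import email
import re
from email import policy

# Each rule: (name, header, compiled regex, score, description).
# A regex of "." means "header merely exists" and is emitted as an
# SpamAssassin exists: test rather than a pattern match.
RULES = [
    ("PHP_XMAILER", "X-Mailer", re.compile(r"^PHP/\d"), 1.5,
     "X-Mailer says the message was generated by PHP mail() (assumed)"),
    ("PHP_ORIG_SCRIPT", "X-PHP-Originating-Script", re.compile(r"."), 2.0,
     "PHP recorded the originating script (mail.add_x_header, PHP 5.3+)"),
    ("WEBHOST_FIRST_HOP", "Received",
     re.compile(r"^from\s+(www\d*|web\d*)\.", re.I), 1.0,
     "earliest Received hop is a web-server hostname (assumed naming)"),
]

# Constructed sample: mail injected through a PHP mailer on a web host.
PHP_MAILER_MSG = b"""Received: from www.example.net (www.example.net [192.0.2.10]) by mx.example.org with ESMTP id abc123
From: "Online Pharmacy" <noreply@example.net>
To: victim@example.org
Subject: cheap meds
X-Mailer: PHP/5.3.3
X-PHP-Originating-Script: 48:mailer.php
MIME-Version: 1.0
Content-Type: text/plain

http://pharmacy.example.net/
"""

# Constructed sample: ordinary message from a desktop mail client.
CLEAN_MSG = b"""Received: from mail.example.com (mail.example.com [198.51.100.5]) by mx.example.org with ESMTP id def456
From: "Alice" <alice@example.com>
To: bob@example.org
Subject: lunch?
X-Mailer: Thunderbird 2.0
MIME-Version: 1.0
Content-Type: text/plain

Noon at the usual place?
"""


def header_values(msg, name):
    """All values of a header, as plain strings (empty list if absent)."""
    return [str(v) for v in (msg.get_all(name) or [])]


def score_message(raw):
    """Return (total_score, [rule names hit]) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits, total = [], 0.0
    for name, header, rx, score, _desc in RULES:
        vals = header_values(msg, header)
        if header.lower() == "received":
            # Received headers are prepended per hop, so the last one is
            # the earliest hop, i.e. the host that injected the mail.
            vals = vals[-1:]
        if any(rx.search(v) for v in vals):
            hits.append(name)
            total += score
    return total, hits


def spamassassin_rules():
    """Render RULES as a SpamAssassin .cf fragment (header/describe/score)."""
    lines = []
    for name, header, rx, score, desc in RULES:
        if rx.pattern == ".":
            lines.append(f"header   {name}\texists:{header}")
        else:
            pat = rx.pattern.replace("/", r"\/")
            flags = "i" if rx.flags & re.I else ""
            # Note: SpamAssassin tests every Received line, not just the
            # earliest hop as score_message() does.
            lines.append(f"header   {name}\t{header} =~ /{pat}/{flags}")
        lines.append(f"describe {name}\t{desc}")
        lines.append(f"score    {name}\t{score}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, raw in (("php-mailer", PHP_MAILER_MSG), ("clean", CLEAN_MSG)):
        print(label, score_message(raw))
    print(spamassassin_rules())
```

The generated fragment can be dropped into a local.cf for testing; the scores are placeholders to be tuned against a real corpus, and a production rule would add a meta rule combining the PHP headers with the first-hop check so that a single false X-Mailer does not push legitimate web-application mail (password resets, order confirmations) over the spam threshold.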