To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
An official review of the third chapter follows. My first comment was a little 
too generic - "Nice work!"
 
Upon further review, here are my comments about the third chapter of this book.
 
The third chapter starts by giving a good overview and details about the main 
form of C&C - IRC. The author describes why IRC was originally selected, what 
purpose it served and its pros and cons. The information then moves to the 
history of C&C, what the botherders need, what they have available and the 
constant "one-upmanship" of botherders and bothunters.
 
As I read this chapter, certain thoughts started in the back of my mind. After 
the first two sections, I started thinking about why the botherders aren't 
using DNS. Well, the next section in this chapter moves directly to that very 
topic.
 
After prepping the reader with this necessary background data, you are then 
presented with the meat of the chapter - Alternative Control Channels. 
 
Two different web-based C&C servers are discussed and, as before, the reader is 
given both the pros and cons of each and, at times, which bots used which 
technology.
 
Each technology is discussed without getting too detailed and while staying on 
the topic - which was very comforting.
 
Overall, I learned a lot about alternative C&C technology - what's possible and 
what we have to look forward to.
 
Certain web references were used, and I found them to provide the detailed 
information that I thought was missing from the book. The web references worked 
(not outdated, dead web links) and were to sites I feel confident about.
 
I found the entire book worth putting on my shelf. I don't crunch the numbers 
to determine if they all add up. I read to add to my knowledge base and this 
book fulfilled my need.

________________________________

From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Thu 7/26/2007 12:09 AM
To: Craig Holmes
Cc: botnets@whitestar.linuxbox.org
Subject: Re: [botnets] Alternative Botnet C&Cs - free chapter from Botnets: The 
Killer Web App

On Thu, 26 Jul 2007, Craig Holmes wrote:
> As promised, I bought the book and finally received it (thanks for the slow
> turnaround, Amazon).
>
> I have begun reading it, and although I am only starting the third chapter I
> am wholly unimpressed.
>
> Before I discuss the text of the book, I am curious to know: is it a print
> problem, or do many of the graphics in the book look overly blurry or
> excessively jagged? Some of the pictures look like they were compressed to a
> monochrome bitmap of about 2k in size (see page 47).
>
> My experience with botnets seems to differ in many ways from the text in the
> book:
>
> The book begins by describing what SDBot, Agobot, GTBot, etc. do. They include
> lists of ports and vulnerabilities that the given bot exploits, actions it
> may perform, etc. The book doesn't make the point strongly enough that a lot of
> code (especially SDBot code) started off as simply a public offering and
> evolved through many different trees by people with no organization. These
> trees criss-crossed without the knowledge of many of the contributors. In
> fact, as I recall, SDBot (at least a couple of versions from sd) was released
> to the public without a single attack vector. It is my belief that this
> version is responsible for the most variants due to its availability.
>
> The book seems to be making a point that bots are being used by organized
> crime. I think this point has been pushed on many fronts of this issue by many
> people; however, I remain doubtful. My experience with farmers (or bot
> herders, as the book calls them) is that they're packet kiddies out to DoS
> their moronic buddies or enemies. The botnet was just a natural evolution
> from Trinoo/TFN/Trinity/Kaiten or, if they're even lamer, then Back Orifice,
> etc. Though I do certainly accept that some lone individuals use botnets for
> monetary gain (advert scams), I wouldn't classify it as organized. Look at the
> numbers given in the book:
> - 4.5 million active botnet computers
> - A small botnet is 10,000 computers
> That means that there are about 500 botnets active. The book states only a
> handful of cases that involved organized crime, possibly 5 cases. That means
> that they've identified at least 0.01% of the 500 botnets as being run by
> the big evil organized crime people. Not to say that proves them wrong, but
> it isn't enough evidence for me. I believe they are sensationalizing this
> fact quite a bit.
>
> The book paints a pretty diagram showing how people with their camcorders run
> from the movie theatre directly to their dorm and upload their bootlegs to
> topsites which are actually botnets. This is a silly notion. A great many
> movies that are available on the internet today (and much software) are
> released by organized (though not for-profit) piracy groups (the 'scene').
> These groups do use topsites, but they are FTP servers running on legitimate
> hardware (a member of the group may be a sysadmin at MIT, for example). These
> topsites and groups are not even remotely affiliated with botnets (or at
> least weren't in 2002, which is when my experience dates to). The offenders
> identified (from Drink or Die, Razor1911, etc.) wouldn't be caught dead
> touching a botnet, as it would do great damage to their reputation.
> Furthermore, these elite groups have very little use for clickthrough scams,
> distributed storage, or DoS attacks.
>
> I feel like the authors are making a far too liberal attempt at connecting the
> dots on many issues. I am also slightly disappointed, as it seems much of the
> book will be focused on general intrusion detection techniques, sandboxing,
> reporting, etc. and less on practical cases, motivation, C&C methods,
> encryption and more technical aspects of the bot itself.
>
> I will report my final thoughts when I complete the book.
>
> Craig

Got any comments on the third chapter?

>
>
> On Sunday 08 July 2007 21:53, Thomas Raef wrote:
>> Gadi,
>>
>> It's easier for people to just buy the book. I bought it about a month
>> ago and have read it a few times already. Nice work!
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement 
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>