<div>I can't present data, but I'll opine that Gadi is pretty much on track with figures and numbers. In fact his stats are on the lower side.</div>
<div> </div>
<div>Our current intel reports indicate overall incidents by <span style="FONT-SIZE: 9.5pt; FONT-FAMILY: Helvetica; mso-bidi-font-family: Arial">"Zombie machines on organization's network / bots / use of network by BotNets" = 20%, which is ANY NET-based data sets for incident management.</span></div>
<div> </div>
<div><span style="FONT-SIZE: 9.5pt; FONT-FAMILY: Helvetica; mso-bidi-font-family: Arial"><font face="Helvetica" size="2">This indicates a 36% increase from July 2004 - June 2005 with a mean "unknown base" being equated to 15.1%. This percent implies the rate of fresh nodes being propagated, or rather the rate of growth for Botnets!!</font></span></div>
<div> </div>
<div><span style="FONT-SIZE: 9.5pt; FONT-FAMILY: Helvetica; mso-bidi-font-family: Arial">Hypothetically, you can, if you flatline these stats against whatever data sets you have ... I'll leave you all to your better judgements :)-</span></div>
<div> </div>
<div><span style="FONT-SIZE: 9.5pt; FONT-FAMILY: Helvetica; mso-bidi-font-family: Arial">/pd</span></div><br><br>
<div><span class="gmail_quote">On 9/14/06, <b class="gmail_sendername">Gadi Evron</b> &lt;<a href="mailto:ge@linuxbox.org">ge@linuxbox.org</a>&gt; wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">On Thu, 14 Sep 2006, Dude VanWinkle wrote:<br>> On 9/14/06, Gadi Evron &lt;<a href="mailto:ge@linuxbox.org">
ge@linuxbox.org</a>&gt; wrote:<br>> > This counts bot samples. Whether they are variants (changed) or<br>> > insignificant changes such as only the IP address to the C&C, they are<br>> > counted as unique.
<br>><br>> So if you have multiple machines NAT'ed under one IP, that is one pot.<br>> err bot eh? OK.<br><br>And if I see 10 bots using the same address on a dynamic range.. ever heard<br>of DHCP? The number crunching schemes are never perfect but they are pretty
<br>good.<br><br>I count, much like many others, unique IPs. A bot is defined as an<br>instance of an installed Trojan horse. One machine may have (and probably<br>does have) several. We can count IPs and we do.<br><br>3.5
Million hosts, note, for spam alone. The total population count is<br>mind-boggling. I believe spamhaus has it pinned at 3.2 millions, other<br>have higher numbers. That's about where it is for EMAIL based spam, per<br>day.
<br><br>><br>> ><br>> > This is why we now run different sharing projects between established<br>> > honey nets.<br>><br>> So you don't count botnets that detect honeynets eh?<br>><br><br>Honey pot detection is an interesting field, I am familiar with it and
<br>even consider myself somewhat of a knowledgeable person on it, but there<br>are those who research it actively.<br><br>As interesting as it may be, it's not much of a field yet, sorry to<br>say. Honey pots of different kinds work marvelously.
<br><br>Not all our sources for samples are the same. It would be silly of me to<br>divulge them all (especially as personally I have no use for samples these<br>days and others do). Still, we can only report what we see, what do you
<br>see?<br><br>> > > or other trivial changes? Do you attempt to correct for complex polymorphic<br>> > > variants?<br>><br>> Nah, just contributors who don't all have publicly routable IPs and<br>
> these herders that know about VMware/Honeywall<br>><br>><br>> > There aren't many of those.. really. :)<br>><br>> Really? Ok.<br>><br>> > > > Further, the anti virus world sees about the same numbers.
<br>><br>> Using the same methods?<br>><br><br>And their reporting user-base, alliances and sharing partners, and what<br>not. Yes. Do you think all bots are extremely smart rootkits? I am<br>quite happy to say most botnets are nothing if not the re-use of old code,
<br>which is freely available, using the same old methods.<br><br>There are other types of malware out there.<br><br>> > > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of<br>> > > > 15K avg bot samples a month, as well.
<br>><br>> Gotcha, you MS and Symantec share numbers based off who doesn't know how<br>> to disable your detection methods<br><br>You assume too much Dude.<br>Still, you are right, 100%. I can only detect what I know how to
<br>detect. But samples are not the only way to follow botnets, and there are<br>many ends on how to approach one problem.<br><br>Cryptic? I suppose, but hey, Google for methods, see what you find, and<br>tell me what you think. I believe we have pretty good coverage, but I also
<br>need to admit most anti viruses do not cover bot detection very well.<br><br>> I am just saying, the larger the organization, the sharper the focus<br>> from the other side. Maybe a loose coalition of known non-bullshitters
<br>> would have a more accurate picture.<br><br>The picture you got is pretty accurate. Don't take my word for it<br>though. I am happy to examine and share (as much as I can, which is more<br>than enough to show the numbers (lower numbers) we chose to show in the
<br>article.<br><br>What numbers do you need? What makes you doubt what we have given? I'd be<br>more than happy to answer any question you have or counter-numbers you<br>have, but your love for me is as irrelevant as you calling me a
<br>*********** when you don't show your own data or challenge mine with<br>actual questions like Dave (the other dave) did.<br><br>Thanks,<br><br> Gadi.<br><br>> still love ja tho Gadi,<br>><br>> -JP &lt;the douchebag&gt;
<br>><br>> > ><br>> > > Got a link/quote/reference to that? Does Ziv explain the methodology that<br>> > > they are using?<br>> ><br>> > Nope, but I will ask. Most of the numbers I get are at 15K. I can only
<br>> > prove *on my own* without relying on other sources, as reliable as they<br>> > may be, 12K, which is the number we mentioned in the article. We were<br>> > being conservative due to that reason, but the number is higher.
<br>> ><br>> > > > I don't know what others may be seeing, but this is our best estimate<br>> > > > as to what's going on with the number of unique samples released<br>> > > > every month.
<br>> > > ><br>> > > > Jose Nazarijo from Arbor replied on the botnets list that he sees<br>> > > > similar numbers.<br>> > > ><br>> > > > I hope this helps... what are you looking to hear?
<br>> > ><br>> > > Some kind of explanation for the huge disjunction between these numbers<br>> > > and our instinctive ideas about what's possible. Of course, being<br>> ><br>> > I followed you this far, but to be honest, your ideas (what are
<br>> > they?) are indeed very far from reality... :)<br>> ><br>> > > un-worked-out intuitive estimates, such ideas are of course entirely likely<br>> > > to be off the mark, but off the mark by two orders of magnitude? Hence the
<br>> > > request for more methodological details.<br>> ><br>> > No problem, I quite understand. There is not that much science into it<br>> > really:<br>> > "Yo, how many unique samples do you see?" as a lone dataset if they won't
<br>> > share.<br>> > "Yo, how many unique samples do we all see?" if they share.<br>> > "Yo, how many unique samples do others see?"<br>> ><br>> > AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
<br>> > trojan horses, general purpose trojans, dialers, etc (from the large bot<br>> > families).<br>> ><br>> > Gadi.<br>> ><br>> ><br>> > ><br>> > > cheers,
<br>> > > DaveK<br>> > > --<br>> > > Can't think of a witty .sigline today....<br>> > ><br>> > ><br>> > ><br>> > > _______________________________________________
<br>> > > Full-Disclosure - We believe in it.<br>> > > Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>> > > Hosted and sponsored by Secunia -
<a href="http://secunia.com/">http://secunia.com/</a><br>> > > _______________________________________________<br>> > > To report a botnet PRIVATELY please email: <a href="mailto:c2report@isotf.org">c2report@isotf.org
</a><br>> > > All list and server information are public and available to law enforcement upon request.<br>> > > <a href="http://www.whitestar.linuxbox.org/mailman/listinfo/botnets">http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
</a><br>> > ><br>> ><br>><br></blockquote></div>
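<div>The counting question running through the thread above (unique IPs versus unique samples, NAT collapsing several machines into one address, DHCP spreading one machine over several) can be made concrete. The script below is an added example, not code from anyone in the thread; the sighting records, address values, sample labels and the ground-truth host_id column are all constructed so that each estimator's drift from the true number of infected machines is visible.</div>

```python
"""Bot-count estimators over constructed bot-sighting records.

Each record is one observation of a bot sample calling home. The
``host_id`` field is ground truth that a real sensor never sees; it is
included only so the example can show how each estimator drifts from
the true number of infected machines.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sighting:
    observed_on: date   # day of the observation
    src_ip: str         # address the connection came from
    sample: str         # constructed label for the malware sample
    host_id: str        # ground truth only; not observable in practice


# Constructed data (documentation address ranges). Hosts h1..h3 and h6
# sit behind one NAT address, h4 is on a DHCP pool and gets a new address
# each day, h5 carries two different samples.
SIGHTINGS = [
    Sighting(date(2006, 9, 12), "198.51.100.7", "sample-A", "h1"),
    Sighting(date(2006, 9, 12), "198.51.100.7", "sample-A", "h2"),
    Sighting(date(2006, 9, 12), "198.51.100.7", "sample-B", "h3"),
    Sighting(date(2006, 9, 12), "198.51.100.7", "sample-A", "h6"),
    Sighting(date(2006, 9, 12), "203.0.113.21", "sample-A", "h4"),
    Sighting(date(2006, 9, 13), "203.0.113.77", "sample-A", "h4"),
    Sighting(date(2006, 9, 14), "203.0.113.140", "sample-A", "h4"),
    Sighting(date(2006, 9, 13), "192.0.2.9", "sample-A", "h5"),
    Sighting(date(2006, 9, 13), "192.0.2.9", "sample-C", "h5"),
]


def unique_ips(sightings):
    """Lifetime unique source addresses: NAT collapses hosts, DHCP inflates them."""
    return len({s.src_ip for s in sightings})


def unique_samples(sightings):
    """Unique samples: a sample count, not a bot count (one sample runs on many hosts)."""
    return len({s.sample for s in sightings})


def unique_ip_sample_pairs(sightings):
    """One installed-Trojan instance per address: a host with two samples counts as two bots."""
    return len({(s.src_ip, s.sample) for s in sightings})


def daily_unique_ips(sightings):
    """Unique addresses per day, keyed by ISO date.

    A DHCP host renumbered between days is counted once per day, so the
    per-day figure is not inflated by address churn the way the lifetime
    count is; NAT still collapses hosts behind one address.
    """
    per_day = defaultdict(set)
    for s in sightings:
        per_day[s.observed_on].add(s.src_ip)
    return {d.isoformat(): len(ips) for d, ips in sorted(per_day.items())}


def true_hosts(sightings):
    """Ground truth from the constructed host_id column, for comparison only."""
    return len({s.host_id for s in sightings})


def compare(sightings):
    """All estimators side by side against the constructed ground truth."""
    return {
        "true_hosts": true_hosts(sightings),
        "unique_ips": unique_ips(sightings),
        "unique_samples": unique_samples(sightings),
        "unique_ip_sample_pairs": unique_ip_sample_pairs(sightings),
        "daily_unique_ips": daily_unique_ips(sightings),
    }


if __name__ == "__main__":
    for name, value in compare(SIGHTINGS).items():
        print(f"{name:>24}: {value}")
```

<div>On this constructed set there are 6 infected machines, but the lifetime unique-IP count gives 5 (four NAT'ed hosts collapse to one address while the DHCP host expands to three), the unique-sample count gives 3 (a measure of malware families, not of bots), and the IP/sample pair count gives 7. The per-day unique-IP figure is the one that matches the "per day" framing in the thread: it removes the inflation from address churn between days, though nothing in observable data undoes the NAT collapse, which is why every such estimate should be read as a lower bound on machines and an upper bound on nothing.</div>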