Full Disclosure mailing list archives

Re: Vulnerability automation and Botnet "solutions" I expect to see this year
From: poo <skodliv () gmail com>
Date: Fri, 27 Oct 2006 09:57:02 +0200

*. Gadi Intelligence (very limited)


On 10/26/06, cdejrhymeswithgay () hush com <cdejrhymeswithgay () hush com> wrote:


On Tue, 24 Oct 2006 10:52:58 -0500 Gadi Evron <ge () linuxbox org>
wrote:
>So, what I am going to talk about... A tad bit of history on
>vulnerabilities and their use on the Internet, and then, what we are
>going to see on corporate, ISP and Internet security relating to
>botnets this coming year.
>
>Vulnerabilities don't exist for the sake of vulnerabilities. They are
>used for something, they are a tool. Botnets are much the same, using
>vulnerabilities on the next layer.
>
>This past year we have seen how disclosed vulnerabilities, patched
>vulnerabilities and 0days have been utilized by automated kits. An
>inter-linked system of websites which download malicious code (update
>the kits), try to infect millions of users from just a couple dozen
>main hubs, and react to the environment.
>If a certain vulnerability is seen to be more successful on certain OS
>types or if one is found to not work, the kit will be fixed accordingly
>and distributed. Often immediately after a patch Tuesday, likely that
>same Friday evening.
>
>This way, income can be maximized with the number of infections, data
>stolen and thus ROI. Both from the expected response time of the
>vendors as well as how many victims can be reached in that window.
>
>One such kit is Webattacker, which has recently been getting more known
>in public circles.
>
>Where we are
>
>That does it, botnets are mainstream. People did not yet understand the
>idea that software vulnerabilities facilitate an attack (=are not the
>attack) and botnets facilitate much the same, only on a different
>level. I will discuss that further after what interests everybody.
>
>Solutions in the coming year!
>
>First, many products in the industry have been implemented successfully
>in the past, just as solutions of necessity, not "products". Some were
>successful, some failed. Some (services) have been supplied to the rich
>and connected, some haven't.
>Botnets are now mainstream, which means other lesser beings and
>corporations want these services. They want to be protected in a
>hostile world. They realize the Internet is not a safe place, and plan
>accordingly.
>
>Services we will see more and more of:
>*. Intelligence (very limited), showing IP addresses for botnet command
>and control (C&C) servers, which your computers may be connecting to
>(i.e. compromised).
>*. Intelligence (very limited), showing IP addresses that you control
>which show in spam (meaning compromised hosts) or show in other ways in
>botnet data being collected. Mostly, this is spam-oriented and the rest
>of the intelligence is barely noticeable as of yet.
>*. Intelligence (very limited) on the millions on millions of
>credentials (for sites, credit cards, banks, eCommerce systems, etc.)
>and identities being stolen every single day by massive phishing
>man-in-the-middle trojan horses.
>*. Intelligence (very limited) other black listing services.
>
>In the past, a limited version of these services was provided, but very
>secretly, and at a very high cost.
>
>Products:
>
>Botnet products on the network can either detect internal problems
>(such as bots on the corporate or ISP network or the spreading of
>infections) or external problems (such as C&C servers or attacks from
>the world). These can be based on behavior or intelligence.
>
>Solutions, which we discussed in the past and are now going to
>manifest:
>
>Intelligence-based (until now only supplied by select groups to select
>groups) -
>*. Known bad IPs. Etc. Much like in spam, only for other realms.
>*. Known bad URLs or domain names. Etc. Much like in spam, only for
>other realms.
>
>Detection -
>*. IDS approach (decent but not even close to cutting it),
>*. DNS monitoring approach (very cool, but is just one approach in a
>layered solution).
>*. Netflow approach (proven for years now, only one approach, however
>useful, which is growing more limited every day).
>
>Respond and quarantine -
>*. Walled garden approach (close off/limit suspicious or confirmed
>compromised computers until they clean themselves. Not successful in
>current solutions, shows promise).
>*. Try to fix the situation remotely (solve the vulnerabilities, etc.
>ahead of time or remove after the fact).
>
>There are several others, but these are the main ones describing the 10
>or so products we are about to see (all of which are already available
>publicly as open source, privately developed tools or unsuccessful
>solutions due to lack of client awareness and interest).
>
>QoS, virtualization and half decent intelligence gathering will come
>next. Other solutions I will not waste breath speaking of right now,
>they will appear for public consumption once the effectiveness of the
>solutions above (or the better ones there) is done to dust.
>
>What's next?
>
>Decent, real decent, intelligence, and support response tools to
>mitigate what you find in conjunction with a response team trained to
>deal with thousands of real incidents rather than mark check-lists on a
>couple an hour to a couple a month. That's simply not being aware of
>what's happening in your network.
>Many of the CERTs and SOCs are very trained and high quality, they are
>not equipped or don't see what they need to react to nor in most cases
>are built to deal with this threat.
>
>What's never going to happen?
>
>With security done right, on a wide-scale, with a decent systems
>design, network, policy, monitoring and response - a lot can be done
>and 0days can also be avoided, even (and especially) with business
>concerns being put first.
>
>Gadi Evron,
>ge () linuxbox org >
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

If Hitler was alive and a hacker, do you think your box would be
working, Gadi?





--
smile tomorrow will be worse
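The layered model the quoted message sketches (an intelligence feed of known bad IPs and domains, netflow and DNS monitoring as the detection layers, and a walled garden as the response), worked through as an added example that is not part of this thread and not anyone's product. Every feed entry, flow record, DNS log line, the 10.0.0.0/8 "internal" range and the portal address are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed intel feed (doc-range IPs, reserved TLD) standing in for a real C&C list; INTERNAL is assumed.
BAD_IPS = {"198.51.100.7", "203.0.113.42"}
BAD_DOMAINS = {"cnc.example.invalid"}
INTERNAL = ip_network("10.0.0.0/8")

# Constructed netflow-style records: (src, dst, dst_port, bytes)
FLOWS = [
    ("10.1.2.3", "198.51.100.7", 6667, 1200),
    ("10.1.2.3", "93.184.216.34", 443, 50000),
    ("10.1.9.9", "203.0.113.42", 80, 300),
    ("10.1.5.5", "93.184.216.34", 443, 700),
]
# Constructed DNS resolver log: (client, queried name)
DNS_LOG = [
    ("10.1.2.3", "cnc.example.invalid."),
    ("10.1.7.7", "CNC.example.invalid"),
    ("10.1.5.5", "www.example.com"),
]

def netflow_hits(flows, bad_ips, internal=INTERNAL):
    """Netflow layer: internal hosts with a flow to a listed C&C address."""
    hits = defaultdict(set)
    for src, dst, port, _ in flows:
        if ip_address(src) in internal and dst in bad_ips:
            hits[src].add("flow:%s:%d" % (dst, port))
    return hits

def dns_hits(dns_log, bad_domains, internal=INTERNAL):
    """DNS layer: internal hosts resolving a listed name (case/dot-insensitive)."""
    hits = defaultdict(set)
    for client, qname in dns_log:
        name = qname.lower().rstrip(".")
        if ip_address(client) in internal and name in bad_domains:
            hits[client].add("dns:" + name)
    return hits

def quarantine_candidates(flows, dns_log, bad_ips, bad_domains):
    """Merge both layers into {host: sorted evidence}; a host seen by either is flagged."""
    merged = defaultdict(set)
    for layer in (netflow_hits(flows, bad_ips), dns_hits(dns_log, bad_domains)):
        for host, evidence in layer.items():
            merged[host] |= evidence
    return {host: sorted(ev) for host, ev in merged.items()}

def walled_garden_rules(candidates, portal="10.255.255.1"):
    """Response layer: redirect each flagged host to an assumed remediation portal."""
    return ["%s -> %s (%s)" % (h, portal, "; ".join(e)) for h, e in sorted(candidates.items())]
```

Note that 10.1.7.7 is flagged by the DNS layer alone: it resolved the listed name but has no flow to a listed IP, which is the case the quoted text means by DNS monitoring being one layer among several.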