[info] fyi: Storm Worm botnet numbers, via Microsoft
Eugen Leitl <eugen at leitl.org>
Wed Oct 24 12:54:39 UTC 2007
----- Forwarded message from Brandon Enright <bmenrigh at ucsd.edu> -----
From: Brandon Enright <bmenrigh at ucsd.edu>
Date: Tue, 23 Oct 2007 21:41:53 +0000
To: ' =JeffH ' <Jeff.Hodges at KingsMountain.com>
Cc: cryptography at metzdowd.com, bmenrigh at ucsd.edu
Subject: Re: fyi: Storm Worm botnet numbers, via Microsoft
Organization: UCSD ACS/Network Operations
X-Mailer: Claws Mail 3.0.2 (GTK+ 2.10.14; i686-pc-linux-gnu)
On Mon, 22 Oct 2007 17:55:39 -0700 plus or minus some time ' =JeffH '
<Jeff.Hodges at KingsMountain.com> wrote:
...snip...
> > I will be presenting /some/ of this work at Toorcon in San Diego this
> > Saturday:
>
> > http://www.toorcon.org/2007/event.php?id=38
>
> excellent, how'd it go? Anyone else present on Storm?
Things went pretty smooth. Storm is a complicated and evolving beast so a
50 minute talk can't really go into the depth that is needed to really
understand how it works. There weren't any other presentations at Toorcon
but it's a pretty hot topic so there should be more talks and papers coming
out from various researchers in the coming weeks and months.

It seems like whenever anyone says anything about Storm, the story gets
picked up by some news service and makes its way to Slashdot.
>
> > The presentation is not academic paper quality and takes more of a
> > code-monkey approach to the network. Real (sane and substantiated)
> > numbers, stats, and graphs will be presented. To the best of my
> > knowledge, it will be the first publicly released estimates of the size
> > of the network with actual supporting data and evidence.
>
> are your slides now available?
They are:

http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt

The link to the historical trends of the network is here:

http://noh.ucsd.edu/~bmenrigh/storm_data.tar.bz2

It can be very hard to track the size of a botnet, even in the case of
Storm where I'm crawling the network. Technologies like NAT can
significantly complicate things.

See
http://www.usenix.org/events/hotbots07/tech/full_papers/rajab/rajab_html/
for a discussion on tracking the size of botnets.
>
> =JeffH
>
My slides should provide adequate detail for someone to understand how to
interpret the graphs and data. For specific questions, feel free to email
me directly.
Brandon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE