Vulnerability Watch

delusion

Newbie

Posts: 49

Joined: Thu Mar 18, 2010 6:04 pm

Location: London

Post Mon Aug 02, 2010 7:17 am

Vulnerability Watch

Hey Guys,

Your regular scene whore here, just kidding hehe, bad joke, I hope to give back as soon as I have harboured more knowledge and have gained more experience in the industry.

Anyway, onto my question. I have been reading around articles, which in short talk of security experts knowing which exploits are being used in the wild. From my assumption, one would assume that they are reading various news articles, understanding the severity and the ease of the hack and then making assumptions on what is being used the most in the wild.

Now I have googled around for various resources and ultimately what I am looking for is a site which collects statistics on what is actually being exploited in the wild. This is something I haven't been able to find.

Does anyone know if such resources exist? I guess it would be hard to gauge as there isn't a true way to measure what exactly is being exploited, without hearing feedback from the unlucky folk who are being attacked.

So now I have typed this it sounds a little silly and I guess it's more to do with understanding the nature of the exploit, but if anyone is aware of a stats site, I would be more than interested in hearing about them. 8)
You Can't Resolve Problems Whilst At WAR!

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Aug 02, 2010 8:04 am

Re: Vulnerability Watch

The answer to this is sort of complicated and overblown... Complicated in the sense that usually, there are about a dozen reliable sites with hundreds butchering what the dozens are saying. Make sense?

There are sites like Malwarebytes (http://forums.malwarebytes.org/index.php?showforum=30) which try very hard but you have to understand the mechanisms of this for a moment:

1) It is mainly malware - however, most malware deployments exploit SOMETHING to get on the machine and continue on
2) The sampling is low in comparison to the actual amount of malware/exploits running around

Now... Sites like Arbor Networks, Shadowserver, groups like MAAWG and a few others have a lot more visibility by way of trending traffic. For example, if all of a sudden there is a spike in traffic to say port 888 right, and there is no indicator of any new application using that port, this would be an indicator that something is obviously going on. Many groups have honeypots that will take that data, configure their honeypots to "conform" to become attackable, study what occurred and there you now have it... An instant write up of an "exploit in the wild."

Sometimes people just stumble upon them as well. Rewind to six years ago... I was cleaning up two seriously infected laptops and swore up and down they were each infecting each other via IRFTP. I posted it to a list, spoke with people offlist and dealt with it. (http://osdir.com/ml/security.vulnerabil ... 00002.html) Long ago were the days when disclosure meant appreciation from vendors to a degree. Nowadays, it's turning more and more into "exploits in the wild" because researchers are fed up with companies taking forever and a day to post fixes; conclusion, less reporting, more serious "exploits in the wild."

Want to catch them on your own? Set up some honeypots and make them believable. I suggest if you do, search for terms like "Fred Cohen" +deception +honeypot, etc., to find seriously detailed writeups on how to create effective honeypots. I guarantee you that the amount of "exploits in the wild" you can ever dream about will be launched against your honeypot. The problem is... Now what? So you have this rogue software that exploited your machine, you need to understand what it does and why; for that, you could check out and tinker with Lenny Zeltser's REMnux or Zerowine. As for specific sites, I tend to follow the noise via the groups I'm on (Shadowserver, NANOG, UNISOG, MAAWG, etc) coupled with network analysis. SANS storm center is somewhat useful as well.
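The "spike in traffic to port 888" trending that sil describes above, as an added example that is not part of the original thread: per-window destination-port counts over constructed flow-log lines, flagging any port whose newest-window count jumps well above its baseline. The log format and thresholds are assumptions, not any real tool's.

```python
"""Flag destination ports whose connection count in the latest window
spikes against their baseline. Added example; the flow lines are constructed."""
from collections import Counter, defaultdict

# Constructed flow-log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
1000 10.0.0.5 192.0.2.10 80 tcp
1010 10.0.0.6 192.0.2.10 443 tcp
1030 10.0.0.5 192.0.2.10 888 tcp
2000 10.0.0.8 192.0.2.10 80 tcp
2010 10.0.0.9 192.0.2.10 443 tcp
3000 10.0.0.5 192.0.2.10 888 tcp
3001 10.0.0.6 192.0.2.10 888 tcp
3002 10.0.0.7 192.0.2.10 888 tcp
3003 10.0.0.8 192.0.2.10 888 tcp
3004 10.0.0.9 192.0.2.10 888 tcp
3005 10.0.0.10 192.0.2.10 888 tcp
3010 10.0.0.5 192.0.2.10 80 tcp
"""

def count_per_window(lines, window=1000):
    """Return {window_index: Counter(dst_port -> connection count)}."""
    per_window = defaultdict(Counter)
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing
        ts, _src, _dst, dport, _proto = parts
        per_window[int(ts) // window][int(dport)] += 1
    return per_window

def find_port_spikes(lines, window=1000, min_count=5, ratio=3.0):
    """Ports whose count in the newest window is >= ratio x their mean count
    over earlier windows and >= min_count. A port never seen before gets a
    baseline of 1, so brand-new ports with real volume are flagged too."""
    per_window = count_per_window(lines, window)
    if len(per_window) < 2:
        return {}  # nothing to compare against yet
    keys = sorted(per_window)
    latest, history = per_window[keys[-1]], keys[:-1]
    spikes = {}
    for port, count in latest.items():
        baseline = sum(per_window[k][port] for k in history) / len(history)
        baseline = max(baseline, 1.0)
        if count >= min_count and count / baseline >= ratio:
            spikes[port] = (count, baseline)
    return spikes

if __name__ == "__main__":
    print(find_port_spikes(SAMPLE_FLOWS))  # {888: (6, 1.0)}
```

A flagged port is only the trigger sil mentions; the follow-up is to point a honeypot at that port and analyse what arrives.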

delusion

Newbie

Posts: 49

Joined: Thu Mar 18, 2010 6:04 pm

Location: London

Post Sat Aug 07, 2010 3:55 pm

Re: Vulnerability Watch

Hi sil, that was informative. Honeypots fascinate me, it's definitely on my to do list. 8)
You Can't Resolve Problems Whilst At WAR!
