<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_02_01_232231</id>
	<title>Botnet Targets Web Sites With Junk SSL Connections</title>
	<author>kdawson</author>
	<datestamp>1265035860000</datestamp>
	<htmltext><a href="http://www.goodgearguide.com.au/" rel="nofollow">angry tapir</a> writes <i>"More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet. The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline. Pushdo appears to have been recently updated to cause computers infected with it to <a href="http://news.cnet.com/8301-27080_3-10445337-245.html">make SSL connections to various Web sites</a> &mdash; the bots start to create an SSL connection, disconnect, and then repeat."</i> SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.</htmltext>
<tokenext>angry tapir writes " More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet .
The FBI , Twitter , and PayPal are among the sites being hit , although it does n't appear the attacks are designed to knock the sites offline .
Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites    the bots start to create an SSL connection , disconnect , and then repeat .
" SecureWorks 's Joe Stewart theorizes that this behavior is designed to obscure Pushdo 's command and control in a flurry of bogus SSL traffic .</tokentext>
<sentencetext>angry tapir writes "More than 300 Web sites are being pestered by infected computers that are part of the Pushdo botnet.
The FBI, Twitter, and PayPal are among the sites being hit, although it doesn't appear the attacks are designed to knock the sites offline.
Pushdo appears to have been recently updated to cause computers infected with it to make SSL connections to various Web sites — the bots start to create an SSL connection, disconnect, and then repeat.
" SecureWorks's Joe Stewart theorizes that this behavior is designed to obscure Pushdo's command and control in a flurry of bogus SSL traffic.</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134</id>
	<title>SSL traffic</title>
	<author>shird</author>
	<datestamp>1265040780000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>2</modscore>
	<htmltext><p>Do they realise that SSL traffic causes a higher load on the server than a regular request? This would be an indication it is trying to bring the site down.</p><p>I don't see how sending packets to 'major websites' disguises the real communications in any way. Just filter those requests. The more 'major' the web site for the garbage packets, the easier it is to distinguish them from the real packets.</p></htmltext>
<tokenext>Do they realise that SSL traffic causes a higher load on the server than a regular request ?
This would be an indication it is trying to bring the site down .
I do n't see how sending packets to 'major websites ' disguises the real communications in any way .
Just filter those requests .
The more 'major ' the web site for the garbage packets , the easier it is to distinguish them from the real packets .</tokentext>
<sentencetext>Do they realise that SSL traffic causes a higher load on the server than a regular request?
This would be an indication it is trying to bring the site down.
I don't see how sending packets to 'major websites' disguises the real communications in any way.
Just filter those requests.
The more 'major' the web site for the garbage packets, the easier it is to distinguish them from the real packets.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30993238</id>
	<title>time for a bayesian protocol filter?</title>
	<author>StripedCow</author>
	<datestamp>1265112840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Roughly the same techniques used to identify spam can be used to identify abuse of a protocol. For example, there exist Bayesian intrusion detection algorithms.</p><p>Maybe it is time for people to start using those techniques and figure out that something is wrong almost from the get-go.</p></htmltext>
<tokenext>Roughly the same techniques used to identify spam can be used to identify abuse of a protocol .
For example , there exist Bayesian intrusion detection algorithms .
Maybe it is time for people to start using those techniques and figure out that something is wrong almost from the get-go .</tokentext>
<sentencetext>Roughly the same techniques used to identify spam can be used to identify abuse of a protocol.
For example, there exist Bayesian intrusion detection algorithms.
Maybe it is time for people to start using those techniques and figure out that something is wrong almost from the get-go.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30993296</id>
	<title>infected computers</title>
	<author>viralMeme</author>
	<datestamp>1265113320000</datestamp>
	<modclass>Informative</modclass>
	<modscore>2</modscore>
	<htmltext>What desktop Operating System does this Pushdo botnet require to operate ?<br> <br>

"Once executed the malware first tests to see if it's currently running as the hardcoded value "rs32net.exe" in the system folder (<a href="http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf" title="trendmicro.com">C:\Windows\System32</a> [trendmicro.com] by default)"</htmltext>
<tokenext>What desktop Operating System does this Pushdo botnet require to operate ?
" Once executed the malware first tests to see if it 's currently running as the hardcoded value " rs32net.exe " in the system folder ( C : \ Windows \ System32 [ trendmicro.com ] by default ) "</tokentext>
<sentencetext>What desktop Operating System does this Pushdo botnet require to operate ?
"Once executed the malware first tests to see if it's currently running as the hardcoded value "rs32net.exe" in the system folder (C:\Windows\System32 [trendmicro.com] by default)"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30992790</id>
	<title>Re:From TFA</title>
	<author>Anonymous</author>
	<datestamp>1265106360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Dude, like maybe it doesn't NEED to send anything.<br>Maybe like, the connections themselves ARE the data.<br>Whoooaaa.</p></htmltext>
<tokenext>Dude , like maybe it does n't NEED to send anything .
Maybe like , the connections themselves ARE the data .
Whoooaaa .</tokentext>
<sentencetext>Dude, like maybe it doesn't NEED to send anything.
Maybe like, the connections themselves ARE the data.
Whoooaaa.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991558</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30992164</id>
	<title>Adblock to the Rescue</title>
	<author>Anonymous</author>
	<datestamp>1265053020000</datestamp>
	<modclass>None</modclass>
	<modscore>-1</modscore>
	<htmltext>i know, right!  i mean shit, if only there was a twitter button, and maybe a facebook button too.  Got to be trendy after all!  I need those fast too.  Oh shit, that's right, I Adblocked them!!
<br> <br>
"we don't really like the PAINFUL FUCKING TRUTH, so you must wait a little bit before using this resource; please try again later."</htmltext>
<tokenext>i know , right !
i mean shit , if only there was a twitter button , and maybe a facebook button too .
Got to be trendy after all !
I need those fast too .
Oh shit , that 's right , I Adblocked them ! !
" we do n't really like the PAINFUL FUCKING TRUTH , so you must wait a little bit before using this resource ; please try again later .
"</tokentext>
<sentencetext>i know, right!
i mean shit, if only there was a twitter button, and maybe a facebook button too.
Got to be trendy after all!
I need those fast too.
Oh shit, that's right, I Adblocked them!!
"we don't really like the PAINFUL FUCKING TRUTH, so you must wait a little bit before using this resource; please try again later.
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991010</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30995586</id>
	<title>Re:Entropy depletion</title>
	<author>crypticwun</author>
	<datestamp>1265127540000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>3</modscore>
	<htmltext><br>

1) The code function does NOTHING with any data returned by the server.<br>
2) This version of pushdo is using SSLv3 to phone home (HTTP over SSL) to its C2 (Command &amp; Control).<br>
3) When looking purely at netflow records or using tcpdump/wireshark, you will see 30+ SSL connections taking place at once.  Only 1-2 of those connections are to the C2.<br>
3.5) Many admins don't set up matching PTR records in DNS, so you won't easily be able to map back the IPs to the "common"/well-known hostnames.<br>
4) ... ? <br>
5) profit! <br>

The idea is to make it HARD, not impossible, to identify the C2 systems.  Note well that the C2s might never connect back to the botnet client systems.  Instead another tier of slightly more disposable hosts is likely to perform that function.</htmltext>
<tokenext>1 ) The code function does NOTHING with any data returned by the server .
2 ) This version of pushdo is using SSLv3 to phone home ( HTTP over SSL ) to its C2 ( Command &amp; Control ) .
3 ) When looking purely at netflow records or using tcpdump/wireshark , you will see 30 + SSL connections taking place at once .
Only 1-2 of those connections are to the C2 .
3.5 ) Many admins do n't set up matching PTR records in DNS , so you wo n't easily be able to map back the IPs to the " common " /well-known hostnames .
4 ) ... ? 5 ) profit !
The idea is to make it HARD , not impossible , to identify the C2 systems .
Note well that the C2s might never connect back to the botnet client systems .
Instead another tier of slightly more disposable hosts is likely to perform that function .</tokentext>
<sentencetext>

1) The code function does NOTHING with any data returned by the server.
2) This version of pushdo is using SSLv3 to phone home (HTTP over SSL) to its C2 (Command &amp; Control).
3) When looking purely at netflow records or using tcpdump/wireshark, you will see 30+ SSL connections taking place at once.
Only 1-2 of those connections are to the C2.
3.5) Many admins don't set up matching PTR records in DNS, so you won't easily be able to map back the IPs to the "common"/well-known hostnames.
4) ... ? 
5) profit!
The idea is to make it HARD, not impossible, to identify the C2 systems.
Note well that the C2s might never connect back to the botnet client systems.
Instead another tier of slightly more disposable hosts is likely to perform that function.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664</parent>
</comment>
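The needle-in-a-haystack problem crypticwun lays out in point 3 (30+ SSL connections at once, one or two of them real) becomes tractable once you stop looking at a single bot in isolation and use the rest of the network as a baseline. The following Python is an added example written for this thread; it is not code from the page, from SecureWorks or from any Pushdo analysis. It runs over constructed flow records carrying the fields a NetFlow or Zeek conn.log export would give you (all addresses are hypothetical and drawn from the RFC 5737 documentation ranges), first picks out hosts that generate an abnormal volume of aborted TLS handshakes, then ranks every destination those hosts touch by how exclusive it is to them. Decoys such as the FBI, Twitter or PayPal are contacted by plenty of clean clients and score low; a server that only the noisy hosts talk to, and actually complete a session with, comes out on top. The byte and duration thresholds are assumptions to tune against your own traffic, and the ranking deliberately works on IPs rather than hostnames because, as point 3.5 notes, reverse DNS cannot be relied on.

```python
"""Surface a botnet C2 hidden among decoy TLS handshakes.

Added example for this thread, not code from the page, from SecureWorks or
from any Pushdo analysis.  It works on flow records of the kind a NetFlow or
Zeek conn.log export gives you; the records below are constructed by hand and
all addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # internal client
    dst: str          # remote server
    dport: int
    bytes_out: int    # client -> server payload bytes
    bytes_in: int     # server -> client payload bytes
    duration: float   # seconds


# Hypothetical addresses: 15 "well-known" decoy sites and one controller.
DECOYS = [f"203.0.113.{i}" for i in range(1, 16)]
C2 = "198.51.100.7"
CLEAN_HOSTS = [f"10.0.0.{i}" for i in range(1, 21)]
BOTS = ["10.0.0.101", "10.0.0.102"]


def build_sample_flows():
    """Constructed traffic: ordinary browsing, one flaky client, two bots."""
    flows = []
    # Every clean host completes a full TLS session with every decoy site.
    for h in CLEAN_HOSTS:
        for d in DECOYS:
            flows.append(Flow(h, d, 443, 1800, 42000, 12.5))
    # A clean host with a bad connection aborts a few handshakes too.
    for d in DECOYS[:3]:
        flows.append(Flow("10.0.0.5", d, 443, 210, 0, 0.2))
    # Each bot sends a ClientHello to every decoy twice and drops the socket,
    # then holds one real HTTPS session with the controller.
    for b in BOTS:
        for d in DECOYS:
            for _ in range(2):
                flows.append(Flow(b, d, 443, 190, 0, 0.05))
        flows.append(Flow(b, C2, 443, 2400, 9800, 30.0))
    return flows


def is_aborted_handshake(f):
    """Port 443, a ClientHello-sized client payload, no ServerHello or
    certificate chain coming back, closed within a second.  Thresholds are
    assumptions to tune against your own baseline."""
    return (f.dport == 443 and 0 < f.bytes_out <= 512
            and f.bytes_in < 64 and f.duration < 1.0)


def suspect_hosts(flows, min_aborted=20, min_distinct_dsts=10):
    """Clients whose aborted-handshake volume and destination spread look like
    decoy generation rather than a flaky browser."""
    per_host = defaultdict(list)
    for f in flows:
        if is_aborted_handshake(f):
            per_host[f.src].append(f.dst)
    return {h for h, dsts in per_host.items()
            if len(dsts) >= min_aborted and len(set(dsts)) >= min_distinct_dsts}


def rank_c2_candidates(flows, suspects):
    """Score each destination the suspects touch by how exclusive it is to them.

    share = suspect hosts contacting dst / all hosts contacting dst.  Decoys
    such as big public sites are reached by the rest of the network as well and
    score low; a server only the noisy hosts talk to, and actually complete a
    session with, scores 1.0.  Returns [(dst, share, completed_sessions), ...]
    best candidate first.  Works on IPs on purpose: PTR records are unreliable.
    """
    all_hosts = defaultdict(set)
    suspect_touch = defaultdict(set)
    completed = defaultdict(int)
    for f in flows:
        if f.dport != 443:
            continue
        all_hosts[f.dst].add(f.src)
        if f.src in suspects:
            suspect_touch[f.dst].add(f.src)
            if not is_aborted_handshake(f):
                completed[f.dst] += 1
    ranked = [(dst, len(touch) / len(all_hosts[dst]), completed[dst])
              for dst, touch in suspect_touch.items()]
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    sample = build_sample_flows()
    bots = suspect_hosts(sample)
    print("noisy hosts:", sorted(bots))
    for dst, share, done in rank_c2_candidates(sample, bots)[:3]:
        print(f"{dst:>15}  suspect share {share:.2f}  completed sessions {done}")
```

On the constructed data the two bots are the only hosts over the aborted-handshake threshold, the controller scores 1.0 with two completed sessions, and every decoy scores 2/22 with none, so the real C2 is the first row even though it accounts for one flow in thirty-one per bot. On live data the same two signals (exclusivity to the noisy hosts, and a handshake that actually completes) are what separate the phone-home from the smoke screen.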
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991010</id>
	<title>oh shit!</title>
	<author>Anonymous</author>
	<datestamp>1265039760000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext>I need to digg this fast!  If only there was a digg button!!!!</htmltext>
<tokenext>I need to digg this fast !
If only there was a digg button ! ! !
!</tokentext>
<sentencetext>I need to digg this fast!
If only there was a digg button!!!
!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30995250</id>
	<title>Re:SSL traffic</title>
	<author>Rich0</author>
	<datestamp>1265126220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I dunno - what strategy could they possibly employ?  They seem rather clever with their attacks IMHO.</p><p>Until we have DRM-enabled hardware in everybody's home, they have to work with conventional PCs.  That means that an inspection of a PC will turn up the binary code to the virus, and its operation can be fully studied.  Anybody attacking a bot can eavesdrop on every aspect of its activity client-side, and can probably trace the network traffic pretty far (with government assistance all the way to the endpoint).  In such an environment, the only thing you can do is make the job of tracking down the control node harder - you can't ever obscure it completely (at best you can just make every endpoint a control node of some kind and mixmaster all your traffic, which is only a delaying tactic in itself).</p><p>Now, once ordinary citizens no longer own their PCs, that might be a botnet's dream.  Just imagine trusted code running over trusted network connections protected by trusted routers!  DRM suffers from fundamental limitations, but the next gen of bot hunters might find themselves having to tear apart CPUs and examining them with SEMs to try to figure out what they're doing...</p></htmltext>
<tokenext>I dunno - what strategy could they possibly employ ?
They seem rather clever with their attacks IMHO .
Until we have DRM-enabled hardware in everybody 's home , they have to work with conventional PCs .
That means that an inspection of a PC will turn up the binary code to the virus , and its operation can be fully studied .
Anybody attacking a bot can eavesdrop on every aspect of its activity client-side , and can probably trace the network traffic pretty far ( with government assistance all the way to the endpoint ) .
In such an environment , the only thing you can do is make the job of tracking down the control node harder - you ca n't ever obscure it completely ( at best you can just make every endpoint a control node of some kind and mixmaster all your traffic , which is only a delaying tactic in itself ) .
Now , once ordinary citizens no longer own their PCs , that might be a botnet 's dream .
Just imagine trusted code running over trusted network connections protected by trusted routers !
DRM suffers from fundamental limitations , but the next gen of bot hunters might find themselves having to tear apart CPUs and examining them with SEMs to try to figure out what they 're doing.. .</tokentext>
<sentencetext>I dunno - what strategy could they possibly employ?
They seem rather clever with their attacks IMHO.
Until we have DRM-enabled hardware in everybody's home, they have to work with conventional PCs.
That means that an inspection of a PC will turn up the binary code to the virus, and its operation can be fully studied.
Anybody attacking a bot can eavesdrop on every aspect of its activity client-side, and can probably trace the network traffic pretty far (with government assistance all the way to the endpoint).
In such an environment, the only thing you can do is make the job of tracking down the control node harder - you can't ever obscure it completely (at best you can just make every endpoint a control node of some kind and mixmaster all your traffic, which is only a delaying tactic in itself).
Now, once ordinary citizens no longer own their PCs, that might be a botnet's dream.
Just imagine trusted code running over trusted network connections protected by trusted routers!
DRM suffers from fundamental limitations, but the next gen of bot hunters might find themselves having to tear apart CPUs and examining them with SEMs to try to figure out what they're doing...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991408</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664</id>
	<title>Entropy depletion</title>
	<author>Anonymous</author>
	<datestamp>1265046600000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>5</modscore>
	<htmltext><p>SSL/TLS at its core generates "session keys" for communication; a string of random characters. It's possible they're trying to deplete the SSL servers of true entropy for some undisclosed attack; PRNG, for example.</p></htmltext>
<tokenext>SSL/TLS at its core generates " session keys " for communication ; a string of random characters .
It 's possible they 're trying to deplete the SSL servers of true entropy for some undisclosed attack ; PRNG , for example .</tokentext>
<sentencetext>SSL/TLS at its core generates "session keys" for communication; a string of random characters.
It's possible they're trying to deplete the SSL servers of true entropy for some undisclosed attack; PRNG, for example.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30993430</id>
	<title>Huh?</title>
	<author>guyminuslife</author>
	<datestamp>1265114580000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>3</modscore>
	<htmltext><p>I don't get it. Could someone please explain this to me?</p><p>If they're trying to disguise their traffic to the command-and-control center, how does this help? If you get a lot of malformed requests from a particular host, then if you're an investigator, it's like the infected computers are advertising themselves as zombies. And if they're sending these requests to major web sites, how does this disguise the requests they're making to the (presumably non-major website) control center? Couldn't you just say, "Well, this computer made 300 malformed SSL requests to Facebook, Twitter, et cetera, and one malformed request to , let's find that guy!"</p><p>I'm seriously confused.</p></htmltext>
<tokenext>I do n't get it .
Could someone please explain this to me ?
If they 're trying to disguise their traffic to the command-and-control center , how does this help ?
If you get a lot of malformed requests from a particular host , then if you 're an investigator , it 's like the infected computers are advertising themselves as zombies .
And if they 're sending these requests to major web sites , how does this disguise the requests they 're making to the ( presumably non-major website ) control center ?
Could n't you just say , " Well , this computer made 300 malformed SSL requests to Facebook , Twitter , et cetera , and one malformed request to , let 's find that guy !
" I 'm seriously confused .</tokentext>
<sentencetext>I don't get it.
Could someone please explain this to me?
If they're trying to disguise their traffic to the command-and-control center, how does this help?
If you get a lot of malformed requests from a particular host, then if you're an investigator, it's like the infected computers are advertising themselves as zombies.
And if they're sending these requests to major web sites, how does this disguise the requests they're making to the (presumably non-major website) control center?
Couldn't you just say, "Well, this computer made 300 malformed SSL requests to Facebook, Twitter, et cetera, and one malformed request to , let's find that guy!
"I'm seriously confused.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991104</id>
	<title>What it probably is?</title>
	<author>Anonymous</author>
	<datestamp>1265040540000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>3</modscore>
	<htmltext><p>Probably one of a few things<br>1) They are looking for a particular vuln to make their bot bigger.<br>2) They are just testing a DOS.<br>3) They are actually conducting a DOS.<br>4) They are trying to make some sort of name for themselves.<br>5) Combination of the above.</p><p>My money is mostly on 1, and some sort of bug in the program causing it to spam the same boxes over and over.</p></htmltext>
<tokenext>Probably one of a few things
1 ) They are looking for a particular vuln to make their bot bigger .
2 ) They are just testing a DOS .
3 ) They are actually conducting a DOS .
4 ) They are trying to make some sort of name for themselves .
5 ) Combination of the above .
My money is mostly on 1 , and some sort of bug in the program causing it to spam the same boxes over and over .</tokentext>
<sentencetext>Probably one of a few things
1) They are looking for a particular vuln to make their bot bigger.
2) They are just testing a DOS.
3) They are actually conducting a DOS.
4) They are trying to make some sort of name for themselves.
5) Combination of the above.
My money is mostly on 1, and some sort of bug in the program causing it to spam the same boxes over and over.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991408</id>
	<title>Re:SSL traffic</title>
	<author>Anonymous</author>
	<datestamp>1265043540000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>5</modscore>
	<htmltext><p><div class="quote"><p>Do they realise that SSL traffic causes a higher load on the server than a regular request? This would be an indication it is trying to bring the site down.</p></div><p>Yes, they do. They also don't care. Most botnet authors are self-taught, or only college educated, and are not experienced developers. They don't know how to obscure their creation's activity, because they lack a full understanding of network security. Which is understandable: That isn't in the SDK documentation and example code. Because they lack the skillset necessary to create a protocol resistant to traffic analysis, they go the other way: Flood all the connections and hope those analyzing the logs decide it's not worth the effort to find the needle in the haystack. They know it can be tracked -- they just don't feel it's worth the effort to learn how to do it right, when doing it wrong gets them to payday faster and with only a minute amount of additional risk.</p></div>
	</htmltext>
<tokenext>Do they realise that SSL traffic causes a higher load on the server than a regular request ?
This would be an indication it is trying to bring the site down .
Yes , they do .
They also do n't care .
Most botnet authors are self-taught , or only college educated , and are not experienced developers .
They do n't know how to obscure their creation 's activity , because they lack a full understanding of network security .
Which is understandable : That is n't in the SDK documentation and example code .
Because they lack the skillset necessary to create a protocol resistant to traffic analysis , they go the other way : Flood all the connections and hope those analyzing the logs decide it 's not worth the effort to find the needle in the haystack .
They know it can be tracked -- they just do n't feel it 's worth the effort to learn how to do it right , when doing it wrong gets them to payday faster and with only a minute amount of additional risk .</tokentext>
<sentencetext>Do they realise that SSL traffic causes a higher load on the server than a regular request?
This would be an indication it is trying to bring the site down.
Yes, they do.
They also don't care.
Most botnet authors are self-taught, or only college educated, and are not experienced developers.
They don't know how to obscure their creation's activity, because they lack a full understanding of network security.
Which is understandable: That isn't in the SDK documentation and example code.
Because they lack the skillset necessary to create a protocol resistant to traffic analysis, they go the other way: Flood all the connections and hope those analyzing the logs decide it's not worth the effort to find the needle in the haystack.
They know it can be tracked -- they just don't feel it's worth the effort to learn how to do it right, when doing it wrong gets them to payday faster and with only a minute amount of additional risk.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991042</id>
	<title>nginx to the rescue?</title>
	<author>Anonymous</author>
	<datestamp>1265040000000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext><p>Sounds like they need to use a web server that can easily handle such a load, even if they're junk requests. What is that web server? Why, it's <a href="http://nginx.org/" title="nginx.org" rel="nofollow">nginx</a> [nginx.org] of course!</p></htmltext>
<tokenext>Sounds like they need to use a web server that can easily handle such a load , even if they 're junk requests .
What is that web server ?
Why , it 's nginx [ nginx.org ] of course !</tokentext>
<sentencetext>Sounds like they need to use a web server that can easily handle such a load, even if they're junk requests.
What is that web server?
Why, it's nginx [nginx.org] of course!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991388</id>
	<title>who wants</title>
	<author>Anonymous</author>
	<datestamp>1265043240000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext><p>a FAT dick in their THROAT!!~?</p></htmltext>
<tokenext>a FAT dick in their THROAT !
! ~ ?</tokentext>
<sentencetext>a FAT dick in their THROAT!
!~?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991532</id>
	<title>And they say obfuscation isn't a good defense</title>
	<author>SlappyBastard</author>
	<datestamp>1265045040000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>1</modscore>
	<htmltext>But, it does apparently make a very good smoke screen for a good offense.</htmltext>
<tokenext>But , it does apparently make a very good smoke screen for a good offense .</tokentext>
<sentencetext>But, it does apparently make a very good smoke screen for a good offense.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991346</id>
	<title>Up to something?</title>
	<author>toleshei</author>
	<datestamp>1265042760000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>4</modscore>
	<htmltext>"Site owners "would just see weird connections that don't seem to make sense," he said. "They look like they're trying to start an SSL handshake, but it comes in malformed and doesn't ever send anything after that first handshake attempt.""

Is it possible that they've found a flaw in a specific system's handling of SSL and are trying to see if the flaw exists elsewhere in an attempt to produce an exploit?  I'm not really a security guy, but it seems like they're up to something specific.  Otherwise why use SSL exclusively?  Wouldn't they want to diversify their requests?</htmltext>
<tokenext>" Site owners " would just see weird connections that do n't seem to make sense , " he said .
" They look like they 're trying to start an SSL handshake , but it comes in malformed and does n't ever send anything after that first handshake attempt .
" " Is it possible that they 've found a flaw in a specific system 's handling of SSL and are trying to see if the flaw exists elsewhere in an attempt to produce an exploit ?
I 'm not really a security guy , but it seems like they 're up to something specific .
Otherwise why use SSL exclusively ?
Would n't they want to diversify their requests ?</tokentext>
<sentencetext>"Site owners "would just see weird connections that don't seem to make sense," he said.
"They look like they're trying to start an SSL handshake, but it comes in malformed and doesn't ever send anything after that first handshake attempt.""

Is it possible that they've found a flaw in a specific system's handling of SSL and are trying to see if the flaw exists elsewhere in an attempt to produce an exploit?
I'm not really a security guy, but it seems like they're up to something specific.
Otherwise why use SSL exclusively?
Wouldn't they want to diversify their requests?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991374</id>
	<title>Is it an attempt to break in?</title>
	<author>joeyadams</author>
	<datestamp>1265043060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I wonder if it's an attempt to hack into the servers to steal private keys and whatnot (that is, to torture-test the SSL implementations on those servers).</htmltext>
<tokenext>I wonder if it 's an attempt to hack into the servers to steal private keys and whatnot ( that is , to torture-test the SSL implementations on those servers ) .</tokentext>
<sentencetext>I wonder if it's an attempt to hack into the servers to steal private keys and whatnot (that is, to torture-test the SSL implementations on those servers).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991092</id>
	<title>From TFA</title>
	<author>JoshuaZ</author>
	<datestamp>1265040420000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>The strange traffic targeting the Web sites--including sites for the CIA, FBI, PayPal, Yahoo, and Twitter, according to a list at the Shadow Server Foundation--was not enough to cause any outages or slowdowns, said Joe Stewart, director of malware research at SecureWorks.</p> </div><p>So this isn't a really big deal. I'm almost tempted to praise the botnet creators for coming up with a good solution to obscuring the command and control issue. It is a good solution to a difficult problem. (Good here being used in the sense of good solution to a puzzle or engineering problem)</p></div>
	</htmltext>
<tokenext>The strange traffic targeting the Web sites--including sites for the CIA , FBI , PayPal , Yahoo , and Twitter , according to a list at the Shadow Server Foundation--was not enough to cause any outages or slowdowns , said Joe Stewart , director of malware research at SecureWorks .
So this is n't a really big deal .
I 'm almost tempted to praise the botnet creators for coming up with a good solution to obscuring the command and control issue .
It is a good solution to a difficult problem .
( Good here being used in the sense of good solution to a puzzle or engineering problem )</tokentext>
<sentencetext>The strange traffic targeting the Web sites--including sites for the CIA, FBI, PayPal, Yahoo, and Twitter, according to a list at the Shadow Server Foundation--was not enough to cause any outages or slowdowns, said Joe Stewart, director of malware research at SecureWorks.
So this isn't a really big deal.
I'm almost tempted to praise the botnet creators for coming up with a good solution to obscuring the command and control issue.
It is a good solution to a difficult problem.
(Good here being used in the sense of good solution to a puzzle or engineering problem)
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991550</id>
	<title>Junk SSL Connection</title>
	<author>cormander</author>
	<datestamp>1265045220000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext>What exactly is a "Junk SSL Connection"? Please tell me it has nothing to do with the slang for a man's "area". The thoughts of "the goods" being attacked... oof.</htmltext>
<tokenext>What exactly is a " Junk SSL Connection " ?
Please tell me it has nothing to do with the slang for a man 's " area " .
The thoughts of " the goods " being attacked... oof .</tokentext>
<sentencetext>What exactly is a "Junk SSL Connection"?
Please tell me it has nothing to do with the slang for a man's "area".
The thoughts of "the goods" being attacked... oof.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991812</id>
	<title>Re:From TFA</title>
	<author>fm6</author>
	<datestamp>1265048340000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>Some of the malware I've encountered lately (I've got one system unusable until I get around to reinstalling the OS) is very sophisticated indeed. I would admire the designers, if I didn't so badly want them dead.</p><p>Does anybody else miss script kiddies?</p></htmltext>
<tokenext>Some of the malware I 've encountered lately ( I 've got one system unusable until I get around to reinstalling the OS ) is very sophisticated indeed .
I would admire the designers , if I did n't so badly want them dead . Does anybody else miss script kiddies ?</tokentext>
<sentencetext>Some of the malware I've encountered lately (I've got one system unusable until I get around to reinstalling the OS) is very sophisticated indeed.
I would admire the designers, if I didn't so badly want them dead. Does anybody else miss script kiddies?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991092</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991792</id>
	<title>#irc.trolltalk.com</title>
	<author>Anonymous</author>
	<datestamp>1265048160000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext><A HREF="http://goat.cx/" title="goat.cx" rel="nofollow">My resi(6nation OpenBSD guys. They</a> [goat.cx]</htmltext>
<tokenext>My resi ( 6nation OpenBSD guys .
They [ goat.cx ]</tokentext>
<sentencetext>My resi(6nation OpenBSD guys.
They [goat.cx]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991870</id>
	<title>Re:Entropy depletion</title>
	<author>bobstreo</author>
	<datestamp>1265048940000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>5</modscore>
	<htmltext><p>Don't think it's that complex. From June 2009:<br><a href="http://isc.sans.org/diary.html?storyid=6601" title="sans.org" rel="nofollow">http://isc.sans.org/diary.html?storyid=6601</a> [sans.org]</p><p>Yesterday an interesting HTTP DoS tool has been released. The tool performs a Denial of Service attack on Apache (and some others, see below) servers by exhausting available connections. While there are a lot of DoS tools available today, this one is particularly interesting because it holds the connection open while sending incomplete HTTP requests to the server.</p><p>In this case, the server will open the connection and wait for the complete header to be received. However, the client (the DoS tool) will not send it and will instead keep sending bogus header lines which will keep the connection allocated.<br>The initial part of the HTTP request is completely legitimate:</p><p>GET / HTTP/1.1\r\n<br>Host: host\r\n<br>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n<br>Content-Length: 42\r\n</p><p>After sending this the client waits for a certain time &ndash; notice that it is missing one CRLF to finish the header, which is otherwise completely legitimate. The bogus header line the tool sends is currently:</p><p>X-a: b\r\n</p><p>Which obviously doesn't mean anything to the server, so it keeps waiting for the rest of the header to arrive. Of course, this all can be changed, so if you plan to create IDS signatures keep that in mind.</p><p>According to the web site where the tool was posted, Apache 1.x and 2.x are affected as well as Squid, so the potential impact of this tool could be quite high considering that it doesn't need to send a lot of traffic to exhaust available connections on a server (meaning, even a user on a slower line could possibly attack a fast server). Good news for Microsoft users is that IIS 6.0 or 7.0 are not affected.</p><p>At the moment I'm not sure what can be done in Apache's configuration to prevent this attack &ndash; increasing MaxClients will just increase requirements for the attacker as well but will not protect the server completely. One of our readers, Tomasz Miklas, said that he was able to prevent the attack by using a reverse proxy called Perlbal in front of an Apache server.</p><p>We'll keep an eye on this, of course, and will post future diaries or update this one depending on what's happening. It will be interesting to see how/if other web servers as well as load balancers are resistant to this attack.</p></htmltext>
<tokenext>Do n't think it 's that complex .
From June 2009 : http : //isc.sans.org/diary.html ? storyid = 6601 [ sans.org ] Yesterday an interesting HTTP DoS tool has been released .
The tool performs a Denial of Service attack on Apache ( and some other , see below ) servers by exhausting available connections .
While there are a lot of DoS tools available today , this one is particularly interesting because it holds the connection open while sending incomplete HTTP requests to the server.In this case , the server will open the connection and wait for the complete header to be received .
However , the client ( the DoS tool ) will not send it and will instead keep sending bogus header lines which will keep the connection allocated.The initial part of the HTTP request is completely legitimate : GET / HTTP/1.1 \ r \ nHost : host \ r \ nUser-Agent : Mozilla/4.0 ( compatible ; MSIE 7.0 ; Windows NT 5.1 ; Trident/4.0 ; .NET CLR 1.1.4322 ; .NET CLR 2.0.503l3 ; .NET CLR 3.0.4506.2152 ; .NET CLR 3.5.30729 ; MSOffice 12 ) \ r \ nContent-Length : 42 \ r \ nAfter sending this the client waits for certain time    notice that it is missing one CRLF to finish the header which is otherwise completely legitimate .
The bogus header line the tool sends is currently : X-a : b \ r \ nWhich obviously does n't mean anything to the server so it keeps waiting for the rest of the header to arrive .
Of course , this all can be changed so if you plan to create IDS signatures keep that in mind.According to the web site where the tool was posted , Apache 1.x and 2.x are affected as well as Squid , so the potential impact of this tool could be quite high considering that it does n't need to send a lot of traffic to exhaust available connections on a server ( meaning , even a user on a slower line could possibly attack a fast server ) .
Good news for Microsoft users is that IIS 6.0 or 7.0 are not affected.At the moment I 'm not sure what can be done in Apache 's configuration to prevent this attack    increasing MaxClients will just increase requirements for the attacker as well but will not protect the server completely .
One of our readers , Tomasz Miklas said that he was able to prevent the attack by using a reverse proxy called Perlbal in front of an Apache server.We 'll keep an eye on this , of course , and will post future diaries or update this one depending on what 's happening .
It will be interesting to see how/if other web servers as well as load balancers are resistant to this attack .</tokentext>
<sentencetext>Don't think it's that complex.
From June 2009:http://isc.sans.org/diary.html?storyid=6601 [sans.org]Yesterday an interesting HTTP DoS tool has been released.
The tool performs a Denial of Service attack on Apache (and some other, see below) servers by exhausting available connections.
While there are a lot of DoS tools available today, this one is particularly interesting because it holds the connection open while sending incomplete HTTP requests to the server.In this case, the server will open the connection and wait for the complete header to be received.
However, the client (the DoS tool) will not send it and will instead keep sending bogus header lines which will keep the connection allocated.The initial part of the HTTP request is completely legitimate:GET / HTTP/1.1\r\nHost: host\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\nContent-Length: 42\r\nAfter sending this the client waits for certain time – notice that it is missing one CRLF to finish the header which is otherwise completely legitimate.
The bogus header line the tool sends is currently:X-a: b\r\nWhich obviously doesn't mean anything to the server so it keeps waiting for the rest of the header to arrive.
Of course, this all can be changed so if you plan to create IDS signatures keep that in mind.According to the web site where the tool was posted, Apache 1.x and 2.x are affected as well as Squid, so the potential impact of this tool could be quite high considering that it doesn't need to send a lot of traffic to exhaust available connections on a server (meaning, even a user on a slower line could possibly attack a fast server).
Good news for Microsoft users is that IIS 6.0 or 7.0 are not affected.At the moment I'm not sure what can be done in Apache's configuration to prevent this attack – increasing MaxClients will just increase requirements for the attacker as well but will not protect the server completely.
One of our readers, Tomasz Miklas said that he was able to prevent the attack by using a reverse proxy called Perlbal in front of an Apache server.We'll keep an eye on this, of course, and will post future diaries or update this one depending on what's happening.
It will be interesting to see how/if other web servers as well as load balancers are resistant to this attack.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.31006890</id>
	<title>Over the last 24 hours add more to the list!</title>
	<author>NSN A392-99-964-5927</author>
	<datestamp>1264969800000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext>Apple, Customs and Excise, UK Inland Revenue. Greater Manchester Police.  My friend is a dev and net admin at PayPal/Ebay, although he shall remain nameless for his privacy. In his own words: a bunch of lazy fat cat bastards. Sorry for swearing, but he has been a guru in IT for the past 30 years and a top programmer. He said he is trying to undo and secure systems where security is very lax indeed, and said it is like banging his head against a brick wall with some very senior management.</htmltext>
<tokenext>Apple , Customs and Excise UK Inland Revenue .
Greater Manchester Police .
My friend is a dev and net admin at PayPal/Ebay , although he shall remain nameless for his privacy .
In his own words : a bunch of lazy fat cat bastards .
Sorry for swearing , but he has been a guru in IT for the past 30 years and a top programmer .
He said he is trying to undo and secure systems where security is very lax indeed and said it is like banging his head against a brick wall with some very senior management .</tokentext>
<sentencetext>Apple, Customs and Excise UK Inland Revenue.
Greater Manchester Police.
My friend is a dev and net admin at PayPal/Ebay, although he shall remain nameless for his privacy.
In his own words: a bunch of lazy fat cat bastards.
Sorry for swearing, but he has been a guru in IT for the past 30 years and a top programmer.
He said he is trying to undo and secure systems where security is very lax indeed and said it is like banging his head against a brick wall with some very senior management.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30993190</id>
	<title>Re:Entropy depletion</title>
	<author>Anonymous</author>
	<datestamp>1265112480000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Don't the packets send/received make up for the lost entropy?</p></htmltext>
<tokenext>Do n't the packets send/received make up for the lost entropy ?</tokentext>
<sentencetext>Don't the packets send/received make up for the lost entropy?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991228</id>
	<title>FAGGOTS!</title>
	<author>Anonymous</author>
	<datestamp>1265041740000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>-1</modscore>
	<htmltext>you die of aids.</htmltext>
<tokenext>you die of aids .</tokentext>
<sentencetext>you die of aids.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991558</id>
	<title>Re:From TFA</title>
	<author>Mr. Freeman</author>
	<datestamp>1265045340000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>Why is this such a good solution?  Have people forgotten how to parse logs?  Shouldn't be that difficult to differentiate a connect/disconnect from a connect, send real data, disconnect.</htmltext>
<tokenext>Why is this such a good solution ?
Have people forgotten how to parse logs ?
Should n't be that difficult to differentiate a connect/disconnect from a connect , send real data , disconnect .</tokentext>
<sentencetext>Why is this such a good solution?
Have people forgotten how to parse logs?
Shouldn't be that difficult to differentiate a connect/disconnect from a connect, send real data, disconnect.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991092</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991580</id>
	<title>Re:SSL traffic</title>
	<author>asifyoucare</author>
	<datestamp>1265045520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>.. I don't see how sending packets to 'major websites' disguises the real communications in any way. Just filter those requests. The more 'major' the web site for the garbage packets, the easier it is to distinguish them from the real packets ..</p></div><p>I agree.  There's no entry in Stewart's blog, but <a href="http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=222600679&amp;cid=RSSfeed\_DR\_News" title="darkreading.com">darkreading.com</a> [darkreading.com] quotes him as follows:</p><p>'By adding the initial header of an SSL conversation, they may be attempting to avoid closer scrutiny by less vigilant inspection devices," Stewart says. "And by sending a flurry of these connections to a number of legit 'decoy' sites, it helps the Pushdo C&amp;C [command and control] traffic blend in and remain undetected in some cases," he says.'</p><p>So, he isn't saying it helps except in less well scrutinised networks.  Still, it seems pretty weak to me.</p>
	</htmltext>
<tokenext>.. I do n't see how sending packets to 'major websites ' disguises the real communications in any way .
Just filter those requests .
The more 'major ' the web site for the garbage packets , the easier it is to distinguish them from the real packets .. I agree .
There 's no entry in Stewart 's blog , but darkreading.com [ darkreading.com ] quotes him as follows : 'By adding the initial header of an SSL conversation , they may be attempting to avoid closer scrutiny by less vigilant inspection devices , " Stewart says .
" And by sending a flurry of these connections to a number of legit 'decoy ' sites , it helps the Pushdo C&amp;C [ command and control ] traffic blend in and remain undetected in some cases , " he says .
'So , he is n't saying it helps except in less well scrutinised networks .
Still , it seems pretty weak to me .</tokentext>
<sentencetext> .. I don't see how sending packets to 'major websites' disguises the real communications in any way.
Just filter those requests.
The more 'major' the web site for the garbage packets, the easier it is to distinguish them from the real packets .. I agree.
There's no entry in Stewart's blog, but darkreading.com [darkreading.com] quotes him as follows:'By adding the initial header of an SSL conversation, they may be attempting to avoid closer scrutiny by less vigilant inspection devices," Stewart says.
"And by sending a flurry of these connections to a number of legit 'decoy' sites, it helps the Pushdo C&amp;C [command and control] traffic blend in and remain undetected in some cases," he says.
'So, he isn't saying it helps except in less well scrutinised networks.
Still, it seems pretty weak to me.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30998640</id>
	<title>Re:SSL traffic</title>
	<author>Anonymous</author>
	<datestamp>1265137680000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Please mod parent Troll. Self-taught + college educated + job is actually far better than someone who just goes to College and gets a job because they heard CS is where the money's at.</htmltext>
<tokenext>Please mod parent Troll .
Self-taught + college educated + job is actually far better than someone who just goes to College and gets a job because they heard CS is where the money 's at .</tokentext>
<sentencetext>Please mod parent Troll.
Self-taught + college educated + job is actually far better than someone who just goes to College and gets a job because they heard CS is where the money's at.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991408</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30995464</id>
	<title>$employer is on the target list of pushdo drones</title>
	<author>nfsilkey</author>
	<datestamp>1265127060000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>According to our graphs, our targeted frontend is taking the drone's trashy SSL requests like a champ (reverse-proxies are humming as expected, no inordinate load, etc).</p><p>You too can see if you are on the hitlist:  <a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129" title="shadowserver.org">http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129</a> [shadowserver.org]</p></htmltext>
<tokenext>According to our graphs , our targeted frontend is taking the drone 's trashy SSL requests like a champ ( reverse-proxies are humming as expected , no inordinate load , etc ) . You too can see if you are on the hitlist : http : //www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129 [ shadowserver.org ]</tokentext>
<sentencetext>According to our graphs, our targeted frontend is taking the drone's trashy SSL requests like a champ (reverse-proxies are humming as expected, no inordinate load, etc). You too can see if you are on the hitlist: http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129 [shadowserver.org]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991392</id>
	<title>How to stop bot nets</title>
	<author>Anonymous</author>
	<datestamp>1265043300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>All it takes is to install an anti-virus and make a full scan of your mom's and dad's PC next time.</p></htmltext>
<tokenext>All it takes is to install an anti-virus and make a full scan of your mom 's and dad 's PC next time .</tokentext>
<sentencetext>All it takes is to install an anti-virus and make a full scan of your mom's and dad's PC next time.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.31009922</id>
	<title>Re:Entropy depletion</title>
	<author>httptech</author>
	<datestamp>1264953900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>They're not. The connections are far too infrequent (15 connections, then sleep for 30 hours).</p></htmltext>
<tokenext>They 're not .
The connections are far too infrequent ( 15 connections , then sleep for 30 hours ) .</tokentext>
<sentencetext>They're not.
The connections are far too infrequent (15 connections, then sleep for 30 hours).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30996126</id>
	<title>Re:SSL traffic</title>
	<author>Lord Ender</author>
	<datestamp>1265129220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>There's a lot of half-truth in your post. Botnet authors have wide ranges of experience and education. Sure, there are self-taught teenagers. But there are also professionals running botnets (on the payroll of the Ukrainian mafia, for example). Cybercrime is not a kid's game. Now that there's real money to be made, real money is being invested.</p><p>Any statement you make about all botnet authors is wrong.</p></htmltext>
<tokenext>There 's a lot of half-truth in your post .
Botnet authors have wide ranges of experience and education .
Sure , there are self-taught teenagers .
But there are also professionals running botnets ( on the payroll of the Ukrainian mafia , for example ) .
Cybercrime is not a kid 's game .
Now that there 's real money to be made , real money is being invested . Any statement you make about all botnet authors is wrong .</tokentext>
<sentencetext>There's a lot of half-truth in your post.
Botnet authors have wide ranges of experience and education.
Sure, there are self-taught teenagers.
But there are also professionals running botnets (on the payroll of the Ukrainian mafia, for example).
Cybercrime is not a kid's game.
Now that there's real money to be made, real money is being invested. Any statement you make about all botnet authors is wrong.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991408</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991430</id>
	<title>The FBI has already apprehended the culprits</title>
	<author>The FBI</author>
	<datestamp>1265043780000</datestamp>
	<modclass>Funny</modclass>
	<modscore>1</modscore>
	<htmltext><p>The FBI has apprehended the individuals responsible for the Pushdo botnet, but because the said individuals are minors, we have decided to file no charges if the said individuals apologized to everyone who had been negatively affected by the Pushdo botnet. Unfortunately, due to a typo, the said individuals issued a botnet command that is causing the botnet computers to keep trying to POST the following apology to the SSL port:</p><p>POST / HTTP/1.0<br>Referer: <a href="http://ir902.detention.fbi.gov/" title="fbi.gov" rel="nofollow">http://ir902.detention.fbi.gov/</a> [fbi.gov]<br>User-Agent: PushDo/1.0.1<br>Accept: */*<br>Content-type: application/x-www-form-urlencoded<br>Content-length: 1337</p><p>apology=We+apologize+for+any+inconvenience+our+childish+Pushdo+botnet+experiment+may+have+caused you.+Sincerely,+Billy+Pushman+and+Jimmy+Doe.</p></htmltext>
<tokenext>The FBI has apprehended the individuals responsible for the Pushdo botnet , but because the said individuals are minors , we have decided to file no charges if the said individuals apologized to everyone who had been negatively affected by the Pushdo botnet .
Unfortunately , due to a typo , the said individuals issued a botnet command that is causing the botnet computers to keep trying to POST the following apology to the SSL port : POST / HTTP/1.0Referer : http : //ir902.detention.fbi.gov/ [ fbi.gov ] User-Agent : PushDo/1.0.1Accept : * / * Content-type : application/x-www-form-urlencodedContent-length : 1337apology = We + apologize + for + any + inconvenience + our + childish + Pushdo + botnet + experiment + may + have + caused you. + Sincerely , + Billy + Pushman + and + Jimmy + Doe .</tokentext>
<sentencetext>The FBI has apprehended the individuals responsible for the Pushdo botnet, but because the said individuals are minors, we have decided to file no charges if the said individuals apologized to everyone who had been negatively affected by the Pushdo botnet.
Unfortunately, due to a typo, the said individuals issued a botnet command that is causing the botnet computers to keep trying to POST the following apology to the SSL port:POST / HTTP/1.0Referer: http://ir902.detention.fbi.gov/ [fbi.gov]User-Agent: PushDo/1.0.1Accept: */*Content-type: application/x-www-form-urlencodedContent-length: 1337apology=We+apologize+for+any+inconvenience+our+childish+Pushdo+botnet+experiment+may+have+caused you.+Sincerely,+Billy+Pushman+and+Jimmy+Doe.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991458</id>
	<title>Re:SSL traffic</title>
	<author>JWSmythe</author>
	<datestamp>1265044260000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p>I can honestly say, with experience, that https only takes a trivial amount more CPU time than an http request.</p><p>The honest references you will find showing that https was so much heavier than http were from when the blazing fast webservers were 133MHz.</p><p>You're in more danger of the DDoS filling up your pipe than bringing a server to its knees.  Bringing the server down could be accomplished just as easily as with an http server.  That is unless some genius decided that they needed an entire server farm for http, but only one or two machines for https, which would definitely qualify it as "weak".</p><p>The folks running the servers should be able to deploy countermeasures of some sort.  If a number over some acceptable threshold are illegitimate requests, automatically block them.  It's easy enough on a *nix box.  I'm not talking about anything in the webserver itself either.  The webserver should be able to initiate something as simple as an iptables/ipfilter rule.  It's amazing how useful those can be, and if the threshold is calculated appropriately, it won't even bother legitimate traffic.</p><p>You are right though, I don't see how these would disguise anything.  If you have a list of places that are targets, that makes it more noticeable, not less, even if it is the CnC machine, or a drone.</p></htmltext>
<tokenext>    I can honestly say , with experience , that https only takes a trivial amount more CPU time than a http request .
    The honest references you will find showing that https was so much heavier than http , was when the blazing fast webservers were 133Mhz .
    You 're in more danger of the DDoS filling up your pipe than bringing a server to its knees .
The bringing the server down could be accomplished just as easily as a http server .
That is unless some genius decided that they needed an entire server farm for http , but only one or two machines for https , which would definitely qualify it as " weak " .     The folks running the servers should be able to deploy countermeasures of some sort .
If a number over some acceptable threshold are illegitimate requests , automatically block them .
It 's easy enough on a * nix box .
I 'm not talking about anything in the webserver itself either .
The webserver should be able to initiate something as simple as an iptables/ipfilter rule .
It 's amazing how useful those can be , and if the threshold is calculated appropriately , it wo n't even bother legitimate traffic .
    You are right though , I do n't see how these would disguise anything .
If you have a list of places that are targets , that makes it more noticeable , not less , even if it is the CnC machine , or a drone .</tokentext>
<sentencetext>
    I can honestly say, with experience, that https only takes a trivial amount more CPU time than a http request.
    The honest references you will find showing that https was so much heavier than http, was when the blazing fast webservers were 133Mhz.
    You're in more danger of the DDoS filling up your pipe than bringing a server to its knees.
The bringing the server down could be accomplished just as easily as a http server.
That is unless some genius decided that they needed an entire server farm for http, but only one or two machines for https, which would definitely qualify it as "weak".
    The folks running the servers should be able to deploy countermeasures of some sort.
If a number over some acceptable threshold are illegitimate requests, automatically block them.
It's easy enough on a *nix box.
I'm not talking about anything in the webserver itself either.
The webserver should be able to initiate something as simple as an iptables/ipfilter rule.
It's amazing how useful those can be, and if the threshold is calculated appropriately, it won't even bother legitimate traffic.
    You are right though, I don't see how these would disguise anything.
If you have a list of places that are targets, that makes it more noticeable, not less, even if it is the CnC machine, or a drone.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30992164
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991010
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30992790
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991558
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991092
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30993190
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30996126
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991408
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.31009922
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991458
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30998640
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991408
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991870
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30995586
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991812
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991092
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30995250
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991408
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_01_232231_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991580
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991092
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991558
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30992790
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991812
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30993430
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991374
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991042
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30993238
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991134
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991580
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991458
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991408
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30996126
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30995250
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30998640
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991392
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991664
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30993190
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.31009922
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30995586
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991870
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991010
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30992164
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_01_232231.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_01_232231.30991532
</commentlist>
</conversation>
