Questions about the MDL raison d'être.

[log0]

Hi all, I've been thinking a bit, and I appreciate enlightening opinions on this thought.

First, I really appreciate very much the community's contribution. What I ask below is what I do not understand only. Please do not take the following as offensive that I take the community lightly.

===

MDL provides a valuable source of data to malware studies and also allows using the data for good being, this goes the same for other sources such as botnet trackers (rogue networks, etc).

With respect to MDL, it provides sources of malware study and exposes infected domains for blacklisting and tracking, provides sources for automated signature generation, etc.

With respect to pushing internet well-being forward, MDL itself looks passive, perhaps some people in this forum actually made great use of it ( which I do not know as I didn't read every bits here. Appreciate the sharing. ). Posting malware links doesn't seem to give too much stress for the bad guys, or are there any goals for inspiring a new advance for the white hats.

My questions :
1. What are the things done with these data that can help internet well-being? What could have been done if it is not achieved yet?
2. What are the (target/achieved) goals of MDL?
3. What other things could be added?

I could be wrong due to my understanding and my little history in here. I hope to see someone can put some answer or opinions to the above questions.

And yes, I'm new around here so, nice to meet you all.

Thanks

[RS-232]

...i can only answer for myself (obviously...),and even such,the "answer" might not really cover much.
Regarding history...when MDL started back in late July 2007,there simply was almost no public place at that time,
where people could submit direct links to malware,and discuss about them...
doing so was a prohibited action in most security-related forums (mainly in order to protect inexperienced end-users).
Thereby,since advanced users/researchers didn't had the ability to do so...MDL came in to fill this "gap":
a site where advanced/technically-aware people can freely submit direct links and discuss malware,without censorship...
So,at least for that part of the story,this goal has been achieved...

As to the current goals,well,up to a certain degree,it's a community effort that is based on spare time...
so my guess is that most of us around are open to new ideas/suggestions etc.
Eg.for myself,the main goal is to keep alive the community spirit to say so...
by helping newer reversers/researchers to get involved in malware hunting/fighting etc.
To put it in the most simple terms - i prefer a community where people learn to hunt,analyze and blacklist malware,
thereby making eventually the net a safer place,instead of wasting their time and resources,
say in order to crack the billions of useless 30$ shareware apps out there...  
Not all info should be public obviously - but no sharing of info at all,eventually means no knowledge at all...

[log0]

Thanks for the time RS-232 ( aka sowhat, right? ). That does give some insight. It is great to see such a place for researchers to enjoy themselves. I remember I find it a joy to have found this site =) I guess my question centers at "how does more people hunting malware can stress the bad guys enough"? Of course, the possible answers are we are hoping to breed the talents and possibly have new ideas from these people, in the future. I am seeing if there are any revolutionaries like honeypots, like that... you get it.

Oh, btw, I have had fun with your "Attacking the Antivirus" paper, read it long ago and enjoyed. =)

[RS-232]

Oh, btw, I have had fun with your "Attacking the Antivirus" paper, read it long ago and enjoyed. =)

Different 'sowhat-x' there...still though,it was an interesting reading when it was published...  

[cleanmx]

hi log0 and friends...

from my point of view, I do this job since Oct. 2006 and my goal is to keep the net "clean" by activly notifiying networks owners abuse contacts.
We only thing I miss are contributions of other managed anti-spam Services back to the community.
They all hide their data, also Organisations like APWG, or google safebrowsing are not open to the public...

my reputation @ all helpdesks worldwide is good, and I use mdl data and i feedback data to mdl since now 1 Month.

would be nice to get some qualified data from your site too ! I have not seen much from log0 so far....

I suppose I cover with my databases >95% of all infected sites worldwide, this is hard to estimate, because no one knows all...


-- gerhard

[RS-232]

...the "raison d'être" described in merely 10 words -> © gerhard 2007:   

Das Internet ist krank, und die großen Provider reagieren nicht.

So,at least until the big providers react....

[log0]

>>RS-232
My apologies to mix up the two names.

"The internet is sick, and the big providers do not react."

Perhaps it's all because costs and so. Consider the problem of malware, I have never gone to calculate the costs and gains of tackling the problem, nevermind the difficulty and other factors such as difficulty and lack of lawful support. Perhaps that would gain some insight?

>>cleanmx
You won't find anything as of now. And no worries, I am working to build some production-ready scripts and tools to aid people in bootstrapping, and the like.

I am actually interested to setup some data feed to share ( and more ). Rather than pure raw logs, I prefer to share some more structured and meaningful data. Of course, it's still in storming stage, let me know if there are some areas not covered in the internet. Perhaps it's a good direction. There are some technical difficulties during sharing such as I have only 1 honeypot and I play with the config, it seems suboptimal to post data in broken feeds and with different config. Any ideas to do it better? ( Unfortunately, resources are personal and limited. I hope to devote more, but only as time goes. )

Anyway, how did the 95% come up? I am pretty interested in how you did the estimate. Did you take into account of local malware ( that never went outside of certain countries, etc. )?