Full Disclosure mailing list archives

Re: Oh Yeah, botnet communications


From: Valdis.Kletnieks () vt edu
Date: Sat, 21 Feb 2009 21:26:50 -0500

On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said:

> Or how about yesterday's close of the S&P 500 or Cisco stock?  Or
> maybe yesterday's Lotto numbers.  Maybe a hash of all the above.
>
> This would drive bot hunters nuts.  Until they reverse engineer the
> new scheme.  Since the scheme is in every bot it would just take
> some reverse engineering.

Thank you for noticing that detail. ;)

And since *some* people need it spelled out for them in excruciating detail:

Currently, hashing the current time is "good enough", because it works just
fine until the bot hunters capture a copy and reverse engineer it to find
out *what* hash function you're using.

If you make a botnet that instead looks at the news articles at 12:01AM,
or the S&P500, or anything like that, it's more complicated code, so it will
take longer to reverse engineer.  But once that happens, the bot hunters
can *also* look at the 12:01AM news, and submit the "nuke a domain" request
at 12:03AM, or look at the S&P500 at the close and submit the nuke a domain
request, or whatever is needed.

In other words, the *only* thing all this code does is buy you an extra few
days (tops) while the bot hunters reverse engineer your more complicated code.
Once they do that, it's *no better at all* than something simple like hashing
the time.  And unless you're *really* a superstar coder (rather than just
somebody who *thinks* they are), there's a really good chance that the bot
hunters (who have access to some *real* superstar RE guys) will actually
be able to RE your code faster than you wrote it.  Taking 3 days to write
and test code that gets broken in 2 days is a losing proposition.

You want to make it more difficult for the bot hunters, spend more time
devising ways to make the code harder to reverse engineer - that will buy
you benefits *across the board*, as not only the hash function gets harder
to reverse engineer, but all the *rest* of the code (little details like
how your C&C works, or what payloads/attacks you have onboard, etc) also
gets harder to do.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
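The argument above, as an added example that is not part of the original post or thread: a toy date-seeded domain generator of the kind the post describes, beside the defender-side forecast that becomes possible once the hash function and the per-botnet constant have been recovered from the bot. The hash choice, the constant, the `.example` TLD and the dates are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta

TLD = ".example"  # reserved TLD, so the constructed names resolve nowhere


def rendezvous_domains(seed: str, secret: bytes, count: int = 5) -> list:
    """Candidate domains for one seed value.

    `seed` is whatever public value the bot hashes (a date, a closing price,
    a headline); `secret` is the per-botnet constant baked into the binary.
    Both are recoverable: the seed is public, the constant is in every bot.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(secret + seed.encode() + bytes([i])).hexdigest()
        names.append(digest[:12] + TLD)
    return names


def defender_forecast(recovered_secret: bytes, start: str, days: int) -> dict:
    """Schedule of all candidate domains from `start` (ISO date) for `days` days.

    Once the algorithm is reverse engineered, the hunters run the same
    function ahead of time and hand the list to a registrar or sinkhole.
    """
    first = date.fromisoformat(start)
    forecast = {}
    for d in range(days):
        day = (first + timedelta(days=d)).isoformat()
        forecast[day] = rendezvous_domains(day, recovered_secret)
    return forecast


def is_predicted(domain: str, forecast: dict) -> bool:
    """Detection check: does an observed DNS query hit the precomputed list?"""
    return any(domain in names for names in forecast.values())


if __name__ == "__main__":
    # Constructed values: the "recovered" constant and a three-day window.
    SECRET = b"constructed-per-botnet-constant"
    schedule = defender_forecast(SECRET, "2009-02-20", 3)
    for day, names in schedule.items():
        print(day, names)
    # A news- or market-seeded variant only changes the seed string; the
    # defender reads the same headline or close and computes the same names.
    print(rendezvous_domains("S&P500 close 2009-02-20 (constructed seed)", SECRET)[:2])
```

The forecast side is the whole point: the more elaborate seed only delays this step until the bot is unpacked, after which the hunters compute the same list the bots do.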
