Full Disclosure mailing list archives
Re: Oh Yeah, botnet communications
From: T Biehn <tbiehn () gmail com>
Date: Sun, 22 Feb 2009 23:01:38 -0500
I was going to toss it out there in my first post that they could just expose an interface or load in a script to autonuke once deriving the algorithm. The point really wasn't this trick (which was about eliminating LEAD-TIME); it was more so to prompt a discussion around various trivial tricks to write a more 'reliable botnet', such as the idea brought up to use alternative feeds rather than news, and then the input of using the result to pick a range of IPs (lead time enables whitehats to secure boxes that would be hit FIRST) as control points; the C&C ports would also be randomly chosen from this as well. Combined with encryption you can't really write a signature, unless (and Valdis will point this out in between bouts of twirling his moustache) of course you have a script that alerts on any traffic on the given port.

-Travis

On Sat, Feb 21, 2009 at 9:26 PM, <Valdis.Kletnieks () vt edu> wrote:
On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said:

Or how about yesterday's close of the S&P 500 or Cisco stock? Or maybe yesterday's Lotto numbers. Maybe a hash of all the above. This would drive bot hunters nuts. Until they reverse engineer the new scheme. Since the scheme is in every bot it would just take some reverse engineering.

Thank you for noticing that detail. ;)

And since *some* people need it spelled out for them in excruciating detail:

Currently, hashing the current time is "good enough", because it works just fine until the bot hunters capture a copy and reverse engineer it to find out *what* hash function you're using. If you make a botnet that instead looks at the news articles at 12:01AM, or the S&P500, or anything like that, it's more complicated code, so it will take longer to reverse engineer. But once that happens, the bot hunters can *also* look at the 12:01AM news, and submit the "nuke a domain" request at 12:03AM, or look at the S&P500 at the close and submit the nuke a domain request, or whatever is needed.

In other words, the *only* thing all this code does is buy you an extra few days (tops) while the bot hunters reverse engineer your more complicated code. Once they do that, it's *no better at all* than something simple like hashing the time. And unless you're *really* a superstar coder (rather than just somebody who *thinks* they are), there's a really good chance that the bot hunters (who have access to some *real* superstar RE guys) will actually be able to RE your code faster than you wrote it. Taking 3 days to write and test code that gets broken in 2 days is a losing proposition.

You want to make it more difficult for the bot hunters, spend more time devising ways to make the code harder to reverse engineer - that will buy you benefits *across the board*, as not only the hash function gets harder to reverse engineer, but all the *rest* of the code (little details like how your C&C works, or what payloads/attacks you have onboard, etc) also gets harder to do.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
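An added example (not from any poster in this thread) of the point Valdis makes above, in Python: a deterministic rendezvous-name generator seeded with a constructed public value, the defender's identical precomputation once the scheme is known, and a check of a constructed resolver log against that list. The feed values, name format and log format are all assumptions.

```python
import hashlib
import re
from datetime import date

# Constructed stand-in for the public input the thread discusses (a headline,
# an index close, lottery numbers). Both sides read the same value for a day.
PUBLIC_FEED = {
    date(2009, 2, 21): "S&P 500 closes at 770.05",        # constructed value
    date(2009, 2, 22): "Constructed headline for Feb 22", # constructed value
}
TLDS = ("com", "net", "org")

def rendezvous_domains(day, feed=PUBLIC_FEED, count=5):
    """Deterministic rendezvous names derived from that day's public input.
    Anyone holding the algorithm and the feed value reproduces the same list."""
    names = []
    for i in range(count):
        material = f"{day.isoformat()}|{feed[day]}|{i}".encode()
        label = hashlib.sha256(material).hexdigest()[:12]
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

def defender_blocklist(day, feed=PUBLIC_FEED, count=5):
    """Once the scheme is reverse engineered the defender runs the same function
    on the same public input; the set is identical, so the lead time is gone."""
    return set(rendezvous_domains(day, feed, count))

def sample_dns_log(day):
    """Constructed resolver log: one benign lookup and two rendezvous lookups."""
    d0, d1 = rendezvous_domains(day)[:2]
    stamp = day.isoformat()
    return "\n".join([
        f"{stamp}T12:01:00 10.0.0.5 query A www.example.com",
        f"{stamp}T12:02:10 10.0.0.7 query A {d0}",
        f"{stamp}T12:02:11 10.0.0.7 query A {d1}",
    ])

LOG_RE = re.compile(r"^(\S+) (\S+) query \w+ (\S+)$")

def flag_rendezvous_queries(log_text, blocklist):
    """Return (client, name) for every query whose name is on the precomputed list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).lower() in blocklist:
            hits.append((m.group(2), m.group(3)))
    return hits

if __name__ == "__main__":
    today = date(2009, 2, 22)
    hits = flag_rendezvous_queries(sample_dns_log(today), defender_blocklist(today))
    print(f"{len(hits)} rendezvous lookups flagged: {hits}")
```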