Full Disclosure mailing list archives
Re: Oh Yeah, botnet communications
From: "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec () gmail com>
Date: Mon, 23 Feb 2009 06:56:00 -0600
Yes, its possible, I mapped out something on a high level that would use rss/xml and would evade most detection methods on the network... Problem comes in is that stuff gets detected at infection-time and gets reverse engineered. Stealthy botnets is easy, stealthy infection is trickier. On 2/19/09, T Biehn <tbiehn () gmail com> wrote:
God Valdis, Dont concentrate on the mundane, the core issue is the unpredictable nature of it. You have them all coordinate reading the news at 12:00 AM GMT. You build some silly algorithm that ensures they pick the right article. -Travis On Thu, Feb 19, 2009 at 11:34 PM, <Valdis.Kletnieks () vt edu> wrote:On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:You know how the current amateur botnet offerings are basing domain lists off the current time to allow the 'good guys' to prepare? Why not base the seed off something like a news RSS feed? I asked some whitehats when I was ruined in Washington DC and they couldn't tell me.If you're the botnet owner, you need to have some way to know what domain name your botnet will be looking for, so you can register it. If you look at 11:06AM, see the top news story is something about Obama flipping the Republican party the bird, and computes the domain name to register based on that, but then at 11:07AM some editor at CNN pulls that headline and replaces it with "Obama sends obscene gesture to Republicans" before your bots wake up at 11:08AM and check what domain to use, you're screwed.
-- Sent from my mobile device _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 20)
- Re: Oh Yeah, botnet communications Kurt Buff (Feb 22)
- Re: Oh Yeah, botnet communications John C. A. Bambenek, GCIH, CISSP (Feb 23)
- Re: Oh Yeah, botnet communications James Matthews (Feb 23)
- Re: Oh Yeah, botnet communications T Biehn (Feb 23)
- Re: Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 20)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 21)
- Re: Oh Yeah, botnet communications T Biehn (Feb 22)
- Re: Oh Yeah, botnet communications Siim Põder (Feb 23)
- <Possible follow-ups>
- Re: Oh Yeah, botnet communications Elazar Broad (Feb 19)
- Re: Oh Yeah, botnet communications Jordan Bray (Feb 20)
- Re: Oh Yeah, botnet communications Elazar Broad (Feb 23)