Full Disclosure mailing list archives
Re: Oh Yeah, botnet communications
From: T Biehn <tbiehn () gmail com>
Date: Mon, 23 Feb 2009 11:13:23 -0500
"Look at me all smiles like a proud papa." -Jesus On Mon, Feb 23, 2009 at 8:31 AM, James Matthews <nytrokiss () gmail com> wrote:
II would use something like UDP or IGMP and modify the packets slightly. I know that most routers will just pass them on and not worry about a few weird things. On Mon, Feb 23, 2009 at 2:56 PM, John C. A. Bambenek, GCIH, CISSP < bambenek.infosec () gmail com> wrote:Yes, its possible, I mapped out something on a high level that would use rss/xml and would evade most detection methods on the network... Problem comes in is that stuff gets detected at infection-time and gets reverse engineered. Stealthy botnets is easy, stealthy infection is trickier. On 2/19/09, T Biehn <tbiehn () gmail com> wrote:God Valdis, Dont concentrate on the mundane, the core issue is the unpredictablenatureof it. You have them all coordinate reading the news at 12:00 AM GMT. You build some silly algorithm that ensures they pick the right article. -Travis On Thu, Feb 19, 2009 at 11:34 PM, <Valdis.Kletnieks () vt edu> wrote:On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:You know how the current amateur botnet offerings are basing domain lists off the current time to allow the 'good guys' to prepare? Why not base the seed off something like a news RSS feed? I askedsomewhitehats when I was ruined in Washington DC and they couldn't tellme.If you're the botnet owner, you need to have some way to know whatdomainname your botnet will be looking for, so you can register it. If you look at 11:06AM, see the top news story is something about Obama flipping the Republican party the bird, and computes the domain name to register based on that, but then at 11:07AM some editor at CNN pullsthatheadline and replaces it with "Obama sends obscene gesture toRepublicans"before your bots wake up at 11:08AM and check what domain to use,you'rescrewed.-- Sent from my mobile device _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- http://www.astorandblack.com/ http://www.jewelerslounge.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 20)
- Re: Oh Yeah, botnet communications Kurt Buff (Feb 22)
- Re: Oh Yeah, botnet communications John C. A. Bambenek, GCIH, CISSP (Feb 23)
- Re: Oh Yeah, botnet communications James Matthews (Feb 23)
- Re: Oh Yeah, botnet communications T Biehn (Feb 23)
- Re: Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 20)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 21)
- Re: Oh Yeah, botnet communications T Biehn (Feb 22)
- Re: Oh Yeah, botnet communications Siim Põder (Feb 23)
- <Possible follow-ups>
- Re: Oh Yeah, botnet communications Elazar Broad (Feb 19)
- Re: Oh Yeah, botnet communications Jordan Bray (Feb 20)
- Re: Oh Yeah, botnet communications Elazar Broad (Feb 23)