Full Disclosure mailing list archives
Re: Oh Yeah, botnet communications
From: "Elazar Broad" <elazar () hushmail com>
Date: Mon, 23 Feb 2009 13:49:46 -0500
<snip>
...stealthy infection is trickier.
</snip>

but not impossible, check out the Symantec/F-Secure joint analysis of Mebroot: https://forums.symantec.com/t5/blogs/blogprintpage/blog-id/malicious_code/article-id/244;jsessionid=A4811540934368155A4B0BEE4D0B0615. Now that's tricky...

On Mon, 23 Feb 2009 07:56:00 -0500 "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec () gmail com> wrote:

> Yes, it's possible, I mapped out something on a high level that would use RSS/XML and would evade most detection methods on the network... The problem is that stuff gets detected at infection-time and gets reverse engineered. Stealthy botnets are easy, stealthy infection is trickier.
>
> On 2/19/09, T Biehn <tbiehn () gmail com> wrote:
>
>> God Valdis, don't concentrate on the mundane, the core issue is the unpredictable nature of it. You have them all coordinate reading the news at 12:00 AM GMT. You build some silly algorithm that ensures they pick the right article.
>> -Travis
>>
>> On Thu, Feb 19, 2009 at 11:34 PM, <Valdis.Kletnieks () vt edu> wrote:
>>
>>> On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:
>>>
>>>> You know how the current amateur botnet offerings are basing domain lists off the current time to allow the 'good guys' to prepare? Why not base the seed off something like a news RSS feed? I asked some whitehats when I was ruined in Washington DC and they couldn't tell me.
>>>
>>> If you're the botnet owner, you need to have some way to know what domain name your botnet will be looking for, so you can register it.
>>>
>>> If you look at 11:06AM, see the top news story is something about Obama flipping the Republican party the bird, and compute the domain name to register based on that, but then at 11:07AM some editor at CNN pulls that headline and replaces it with "Obama sends obscene gesture to Republicans" before your bots wake up at 11:08AM and check what domain to use, you're screwed.
>
> --
> Sent from my mobile device
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/