PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Steganographic Command and Control

From: wesleymcgrew at gmail.com (Robert McGrew)
Date: Tue, 4 May 2010 16:35:16 -0500
On Tue, May 4, 2010 at 3:18 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

Hi all,
??? I'm working on a class final paper, and would like your feed back on the
ideas I have. Attached is a paper in PDF format (no embedded exploits, trust
me) on Steganographic Command and Control for Botnets and Darknets. Please
let me have your comments.


Cool idea.  Have you considered the possibility of setting a bot up as
a transparent proxy for web traffic on the user's system, and
on-the-fly rewriting the user's actual content in order to hide the
data (and processing the data the user views for incoming hidden
data).  This way, you would be using the user's actual facebook posts,
twitpics, etc. as your carrier.  Bots/nodes would "discover" each
other through processing the traffic the user normally browses on
social networking sites, and relay instructions back out by modifying
the user's posts.

Latency would be higher and less predictable than if you were to
generate content yourself, but it would be much more stealthy.  Your
bot could hang out for a while and generate metrics such as: how many
friends the user of the infected system has, how active are they, and
how often they post things that can hide lots of data (images, for
example).  Infected systems with favorable metrics could form
backbones for communications between other less-active systems.

It wouldn't have the instant gratification of connecting to an IRC C&C
and having your horde respond immediately, but I think that there are
a lot of applications of botnets where this would be acceptable.

-- 
Wesley McGrew
http://mcgrewsecurity.com
Previous By Date Next
Previous By Thread Next

Current thread: