Full Disclosure mailing list archives
Re: Oh Yeah, botnet communications
From: Kurt Buff <kurt.buff () gmail com>
Date: Sun, 22 Feb 2009 09:43:30 -0800
On Thu, Feb 19, 2009 at 21:21, <Valdis.Kletnieks () vt edu> wrote:
> On Thu, 19 Feb 2009 23:38:37 EST, T Biehn said:
>> God Valdis, Don't concentrate on the mundane, the core issue is the unpredictable nature of it. You have them all coordinate reading the news at 12:00 AM GMT. You build some silly algorithm that ensures they pick the right article.
>
> Right, so now you need this insanely complicated system to make sure that you get the right article at midnight, even if you have a race condition or you're getting an old copy because of a caching proxy in the path or if they hit different boxes on a load balancer and the articles update a few seconds apart, and then make sure they all pick the "right" article - which means they need to *agree* on the right article without knowing for sure what article the *other* bots are looking at.
>
> And that also means that the botnet owner (or at least a system they have) has to *also* be online so it can also check CNN and figure out what domain to register - which sucks if Godaddy just put up the "Down for 3 hours due to unexpected system problem" sign or any of a zillion other failure modes in trying to register that next domain in real time. You can't register the next 3-4 days' worth of domains ahead of time and make sure they went live. Lots of failure modes there.
>
> Or you can just hash the damned clock once an hour, which seems to be quite sufficient to keep the average botnet running. *THAT* is why they don't base it off a news RSS feed - all these mundane issues make it *harder*.
>
> You wanna do it the hard way that has more ways to fail and sprout bugs, be my guest. Most of the coders out there prefer something just a bit simpler.
Not necessarily as insanely complicated as you might think - an RSS feed can include some interesting numbers, such as stock quotes, etc., where the non-integer portion of the number(s) is pretty random, and reporting on them is pretty standardized.

And, I don't think, for the purposes of discussion, it *has* to be an RSS feed. It could be any publicly available, regularly updated text, including www.wsj.com.

Kurt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
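The two schemes argued over above, as an added example that is not code from this thread or from any real botnet: a toy that "hashes the clock once an hour" into a domain name, the news-seeded variant beside it, and the defender's counterpart, precomputing the names for the coming hours. It shows both of Valdis's points at once: bots whose clocks fall in the same hour agree without any coordination, while bots handed differently cached article text do not. The flip side, which is the part that matters to a defender, is that a scheme whose only input is the clock can be precomputed by anyone who knows it, which is what makes sinkholing and blocklisting possible. The hash-to-label mapping, TLD list, timestamps and headlines are all constructed for this example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed parameters for this toy; real malware families use their own.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org")
LABEL_LEN = 12

# Constructed sample inputs: the timestamp of the quoted mail, and a "fresh"
# and a "stale cached" copy of the same made-up headline.
SAMPLE_MOMENT = datetime(2009, 2, 19, 23, 38, 37, tzinfo=timezone.utc)
SAMPLE_FRESH = "Markets close lower; index ends at 7465.95"
SAMPLE_STALE = "Markets close lower; index ends at 7555.63"


def _name_from_digest(digest: bytes) -> str:
    """Map hash bytes onto a DNS label and a TLD (constructed mapping)."""
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
    tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
    return f"{label}.{tld}"


def clock_domain(moment: datetime) -> str:
    """'Hash the clock once an hour': the only input is the UTC hour bucket,
    so every bot whose clock falls in the same hour derives the same name
    with no coordination at all."""
    bucket = moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H")
    return _name_from_digest(hashlib.sha256(bucket.encode()).digest())


def feed_domain(article_text: str) -> str:
    """News-seeded variant: the seed is whatever article text this bot
    fetched. A stale copy from a caching proxy, or a load-balancer node that
    updated a few seconds later, gives a different seed and so a different
    name (the race condition Valdis describes)."""
    seed = " ".join(article_text.split()).lower()
    return _name_from_digest(hashlib.sha256(seed.encode()).digest())


def bots_agree(seeds, generator) -> bool:
    """True when every bot, each fed its own seed, lands on one domain."""
    return len({generator(seed) for seed in seeds}) == 1


def same_domain_after(moment: datetime, seconds: int) -> bool:
    """Does a bot `seconds` later still derive the same name? False only
    when the gap crosses an hour boundary, the clock scheme's own (much
    smaller) race window."""
    return clock_domain(moment) == clock_domain(moment + timedelta(seconds=seconds))


def defender_blocklist(start: datetime, hours: int) -> list:
    """Precompute the names for the coming hours. Because the clock is the
    only input, a defender who knows the scheme can generate the same list
    the bots will, and feed it to a sinkhole or a DNS blocklist."""
    return [clock_domain(start + timedelta(hours=h)) for h in range(hours)]


if __name__ == "__main__":
    print("same hour agree:", same_domain_after(SAMPLE_MOMENT, 60))
    print("across the hour boundary agree:", same_domain_after(SAMPLE_MOMENT, 1300))
    print("feed, identical copies agree:", bots_agree([SAMPLE_FRESH, SAMPLE_FRESH], feed_domain))
    print("feed, one stale copy agree:", bots_agree([SAMPLE_FRESH, SAMPLE_STALE], feed_domain))
    print("next 3 hours to sinkhole:", defender_blocklist(SAMPLE_MOMENT, 3))
```

The hour-bucket string is the whole "protocol": nothing is fetched, nothing has to be agreed, and the operator's registrar problems are reduced to registering a precomputable name before the bots ask for it. That same precomputability is why researchers who recover a DGA from a sample can publish the upcoming names ahead of time.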
Current thread:
- Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 20)
- Re: Oh Yeah, botnet communications Kurt Buff (Feb 22)
- Re: Oh Yeah, botnet communications John C. A. Bambenek, GCIH, CISSP (Feb 23)
- Re: Oh Yeah, botnet communications James Matthews (Feb 23)
- Re: Oh Yeah, botnet communications T Biehn (Feb 23)
- Re: Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 20)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 21)
- Re: Oh Yeah, botnet communications T Biehn (Feb 22)
- Re: Oh Yeah, botnet communications Siim Põder (Feb 23)
- <Possible follow-ups>
- Re: Oh Yeah, botnet communications Elazar Broad (Feb 19)
- Re: Oh Yeah, botnet communications Jordan Bray (Feb 20)