funsec mailing list archives

Re: The Criminal Underground: A Walk on the Dark Side


From: Jim Murray <jim () digitaldaemons co uk>
Date: Thu, 06 Sep 2007 16:35:49 +0100

Valdis.Kletnieks () vt edu wrote:

You want a *real* headache, contemplate the fun we'll have if the bad guys
ever release something that takes advantage of the emergent-systems properties
of self-assembling networks (basically, imagine a Storm worm, except it's able
to re-find other copies of itself dynamically if the C&C gets nuked.)

http://www.trnmag.com/Stories/2003/032603/Network_builds_itself_from_scratch_032603.html

http://www.washingtonpost.com/wp-srv/style/longterm/books/chap1/emergence.htm

Now imagine trying to get something like *that* out of your Internet. ;)

I fear something like this either already exists or is well into its
development cycle. The hard part is the initial discovery protocol - i.e.
how a node finds its first 'neighbour'. Getting that right is the most
critical part of the overall success of the scheme. It needs to be
something that's not going to be easy to filter since it will,
inevitably, be picked apart byte by byte within days.

Model it on a peer-to-peer network with no centralised control
(gnutella?) and all you really need to bolt on is the discovery
protocol. The larger the network grows the harder it will become to
break it; the number of alternate 'paths' increases much faster than the
host count.

Even better, if the data is all encrypted (with constant noise to thwart
pattern analysis) there's no way to identify a bot-herder at network
level, he simply joins the network as a regular client and sends his
commands over the bot network. All you will see is the same type of
encrypted traffic that's passing between all the other bots so even if,
by some fluke, you identify the 'control' machine there's no way to
*prove* it's a control machine.

A fully self-healing peer-to-peer botnet is just too juicy a goal for the
criminals not to be working towards it.

Jim.

-- 
      DigitalDaemons IT Services.
---------------------------------------
   E-Mail : jim () digitaldaemons co uk
       PGP Key ID : 0xB7066495
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
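The claim above that a decentralised overlay gets harder to break as it grows, because alternate paths multiply faster than hosts, is the question a takedown planner has to answer in numbers: what fraction of peers must be removed before the rest stop reaching each other? The simulation below is an added example written for this archive page, not code from the thread or from any real network. It assumes a gnutella-style overlay in which a joining node bootstraps from a few already-present peers (the "initial discovery" step), learns more peers by asking those contacts for their peer lists (peer exchange), and keeps a fixed-size list of links. It then removes a fraction of nodes, either at random (hosts being cleaned one by one) or the best-connected ones first (sinkholing hubs), and reports how much of the surviving overlay remains one connected piece. The parameters BOOTSTRAP_CONTACTS and PEER_LIST_SIZE are assumptions, not measurements of any botnet.

```python
# Added example (not from the thread): resilience of an unstructured
# peer-exchange overlay against random and targeted node removal.
import random
from collections import deque

BOOTSTRAP_CONTACTS = 3   # assumed: existing peers a joining node starts from
PEER_LIST_SIZE = 8       # assumed: links each node actively maintains


def build_overlay(n, seed=0, degree=PEER_LIST_SIZE, bootstrap=BOOTSTRAP_CONTACTS):
    """Grow an n-node overlay with no central coordinator.

    Each joiner learns `bootstrap` existing nodes, asks each of them for its
    peer list (peer exchange), and links to up to `degree` of the nodes it
    has now heard of.  Links are symmetric: b in peers[a] iff a in peers[b].
    """
    rng = random.Random(seed)
    peers = {0: set()}
    for node in range(1, n):
        known = rng.sample(sorted(peers), min(bootstrap, len(peers)))
        candidates = set(known)
        for k in known:
            candidates |= peers[k]          # peer exchange: neighbours of neighbours
        candidates.discard(node)
        chosen = rng.sample(sorted(candidates), min(degree, len(candidates)))
        peers[node] = set(chosen)
        for c in chosen:
            peers[c].add(node)
    return peers


def largest_component_fraction(peers, removed):
    """Fraction of surviving nodes that sit in the largest connected
    component of the surviving overlay (BFS over the undirected graph)."""
    alive = set(peers) - removed
    if not alive:
        return 0.0
    seen = set()
    best = 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue = deque([start])
        size = 0
        while queue:
            u = queue.popleft()
            size += 1
            for v in peers[u]:
                if v in alive and v not in seen:
                    seen.add(v)
                    queue.append(v)
        best = max(best, size)
    return best / len(alive)


def takedown(peers, fraction, seed=1, targeted=False):
    """Remove `fraction` of the nodes and return how connected the rest stay.

    Random removal models hosts being cleaned one at a time; targeted
    removal takes the highest-degree nodes first, i.e. the peers a
    sinkholing effort would go after."""
    k = int(len(peers) * fraction)
    if targeted:
        ranked = sorted(peers, key=lambda x: (-len(peers[x]), x))
        removed = set(ranked[:k])
    else:
        removed = set(random.Random(seed).sample(sorted(peers), k))
    return largest_component_fraction(peers, removed)


def resilience_report(n=2000, seed=7, fractions=(0.1, 0.3, 0.5)):
    """Build one overlay and return {fraction: (random, targeted)} results."""
    overlay = build_overlay(n, seed=seed)
    return {f: (takedown(overlay, f, seed=seed + 1),
                takedown(overlay, f, seed=seed + 1, targeted=True))
            for f in fractions}


if __name__ == "__main__":
    for frac, (rnd, tgt) in resilience_report().items():
        print(f"remove {frac:>4.0%}: random {rnd:.3f}, targeted {tgt:.3f} "
              f"of survivors still in one component")
```

Run it and vary PEER_LIST_SIZE and n: random removal barely dents connectivity because every survivor keeps most of its links, which is the "alternate paths" effect the message describes, while targeted removal of hubs is the only strategy that degrades the overlay quickly. That is the practical reading for a defender: cleaning infected hosts piecemeal does not fragment such a network, so a takedown has to identify and remove the best-connected peers, or poison the discovery step itself.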

