On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said:

> Or how about yesterday's close of the S&P 500 or Cisco stock? Or
> maybe yesterday's Lotto numbers. Maybe a hash of all the above.
>
> This would drive bot hunters nuts. Until they reverse engineer the
> new scheme. Since the scheme is in every bot it would just take
> some reverse engineering.

Thank you for noticing that detail. ;)

And since *some* people need it spelled out for them in excruciating detail:

Currently, hashing the current time is "good enough", because it works just fine until the bot hunters capture a copy and reverse engineer it to find out *what* hash function you're using.

If you make a botnet that instead looks at the news articles at 12:01AM, or the S&P500, or anything like that, it's more complicated code, so it will take longer to reverse engineer. But once that happens, the bot hunters can *also* look at the 12:01AM news, and submit the "nuke a domain" request at 12:03AM, or look at the S&P500 at the close and submit the "nuke a domain" request, or whatever is needed.

In other words, the *only* thing all this code does is buy you an extra few days (tops) while the bot hunters reverse engineer your more complicated code. Once they do that, it's *no better at all* than something simple like hashing the time.

And unless you're *really* a superstar coder (rather than just somebody who *thinks* they are), there's a really good chance that the bot hunters (who have access to some *real* superstar RE guys) will actually be able to RE your code faster than you wrote it. Taking 3 days to write and test code that gets broken in 2 days is a losing proposition.
You want to make it more difficult for the bot hunters, spend more time devising ways to make the code harder to reverse engineer - that will buy you benefits *across the board*, as not only the hash function gets harder to reverse engineer, but all the *rest* of the code (little details like how your C&C works, or what payloads/attacks you have onboard, etc) also gets harder to do.
Attachment: pgpU7TV7p_k38.pgp (PGP signature)
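The point made above, that a seed every bot can read is a seed the bot hunters can read too, as an added Python example that is not code from the list post or from any real botnet. It takes the defender's side: given a scheme that has already been reverse engineered, precompute the rendezvous names for the coming week (for a watchlist or a pre-emptive takedown request) and flag DNS log lines that query them. The scheme itself (first 12 hex characters of SHA-256 over `"<YYYY-MM-DD>|<public seed>"`), the seed value, the `.example` TLD and the log line format are all assumptions constructed for the example.

```python
"""Defender-side precomputation for a recovered rendezvous scheme.

Everything here is constructed for illustration: the scheme (first 12 hex
characters of SHA-256 over "<YYYY-MM-DD>|<public seed>"), the seed value,
the TLD and the DNS log format are assumptions, not anything from the post.
"""
import hashlib
import re
from datetime import date, timedelta

# Assumed log format: "... query=A <qname>" (constructed for this example).
DNS_QUERY_RE = re.compile(r"query=A (?P<qname>\S+)")


def rendezvous_label(day: date, public_seed: str, tld: str = "example") -> str:
    """Reproduce the (assumed, already reverse-engineered) daily label.

    The only inputs are a date and a value every bot reads from public
    sources, so anyone holding the recovered scheme computes the same label.
    """
    material = f"{day.isoformat()}|{public_seed}".encode("utf-8")
    digest = hashlib.sha256(material).hexdigest()
    return f"{digest[:12]}.{tld}"


def precompute_labels(start: date, days: int, public_seed: str) -> dict:
    """Map each of the next `days` labels to its date.

    This is the defender's side of the 12:03AM race: the list can go into a
    resolver watchlist or a takedown request before the bots ever ask.
    """
    watchlist = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        watchlist[rendezvous_label(day, public_seed)] = day
    return watchlist


def find_rendezvous_queries(log_lines, watchlist):
    """Return (qname, line) for every log line querying a watchlisted name."""
    hits = []
    for line in log_lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        # Normalise case and a trailing root dot before the lookup.
        qname = m.group("qname").lower().rstrip(".")
        if qname in watchlist:
            hits.append((qname, line))
    return hits


# Constructed sample data: a stand-in "public seed" and three DNS log lines,
# one of which queries the label the scheme yields for 2009-02-21.
SAMPLE_SEED = "S&P500 close 770.05"   # placeholder value, not a real quote
SAMPLE_START = date(2009, 2, 20)
SAMPLE_LOG = [
    "2009-02-21T00:03:11Z client=10.0.0.7 query=A www.example",
    "2009-02-21T00:03:12Z client=10.0.0.7 query=A "
    + rendezvous_label(date(2009, 2, 21), SAMPLE_SEED),
    "2009-02-21T00:03:13Z client=10.0.0.9 query=A mail.example.",
]


def demo(days: int = 7):
    """Build a one-week watchlist and scan the sample log against it."""
    watchlist = precompute_labels(SAMPLE_START, days, SAMPLE_SEED)
    return find_rendezvous_queries(SAMPLE_LOG, watchlist)


if __name__ == "__main__":
    for qname, line in demo():
        print(f"rendezvous query {qname} seen in: {line}")
```

Swapping the seed source (headline, index close, lottery draw) changes only the string fed to `rendezvous_label`; the precompute-and-match loop on the defender's side is untouched, which is the post's argument in code form.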
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/