Re: [Full-disclosure] Oh Yeah, botnet communications
- To: Valdis.Kletnieks@xxxxxx
- Subject: Re: [Full-disclosure] Oh Yeah, botnet communications
- From: Kurt Buff <kurt.buff@xxxxxxxxx>
- Date: Sun, 22 Feb 2009 09:43:30 -0800
On Thu, Feb 19, 2009 at 21:21, <Valdis.Kletnieks@xxxxxx> wrote:
> On Thu, 19 Feb 2009 23:38:37 EST, T Biehn said:
>
>> God Valdis,
>> Don't concentrate on the mundane, the core issue is the unpredictable nature
>> of it.
>> You have them all coordinate reading the news at 12:00 AM GMT.
>> You build some silly algorithm that ensures they pick the right article.
>
> Right, so now you need this insanely complicated system to make sure that you
> get the right article at midnight, even if you have a race condition or you're
> getting an old copy because of a caching proxy in the path or if they hit
> different boxes on a load balancer and the articles update a few seconds apart,
> and then make sure they all pick the "right" article - which means they need to
> *agree* on the right article without knowing for sure what article the *other*
> bots are looking at. And that also means that the botnet owner (or at least
> a system they have) has to *also* be online so it can also check CNN and figure
> out what domain to register - which sucks if GoDaddy just put up the "Down for
> 3 hours due to unexpected system problem" sign or any of a zillion other failure
> modes in trying to register that next domain in real time. You can't register
> the next 3-4 days' worth of domains ahead of time and make sure they went live.
>
> Lots of failure modes there.
>
> Or you can just hash the damned clock once an hour, which seems to be quite
> sufficient to keep the average botnet running.
>
> *THAT* is why they don't base it off a news RSS feed - all these mundane issues
> make it *harder*. You wanna do it the hard way that has more ways to fail and
> sprout bugs, be my guest. Most of the coders out there prefer something
> just a bit simpler.

Not necessarily as insanely complicated as you might think - an RSS
feed can include some interesting numbers, such as stock quotes, etc.,
where the non-integer portion of the number(s) are pretty random, and
reporting on them is pretty standardized.

And, I don't think, for the purposes of discussion, it *has* to be an
RSS feed. It could be any publicly available, regularly updated text,
including www.wsj.com.

Kurt