Re: [Full-disclosure] Oh Yeah, botnet communications
- To: tbiehn@xxxxxxxxx, valdis.kletnieks@xxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bambenek.infosec@xxxxxxxxx
- Subject: Re: [Full-disclosure] Oh Yeah, botnet communications
- From: "Elazar Broad" <elazar@xxxxxxxxxxxx>
- Date: Mon, 23 Feb 2009 13:49:46 -0500
<snip>
...stealthy infection is trickier.
</snip>
but not impossible, check out the Symantec/F-Secure joint analysis of
Mebroot: https://forums.symantec.com/t5/blogs/blogprintpage/blog-id/malicious_code/article-id/244;jsessionid=A4811540934368155A4B0BEE4D0B0615
Now that's tricky...
On Mon, 23 Feb 2009 07:56:00 -0500 "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec@xxxxxxxxx> wrote:
>Yes, it's possible, I mapped out something on a high level that would
>use rss/xml and would evade most detection methods on the network...
>Problem is that stuff gets detected at infection-time and gets reverse
>engineered. Stealthy botnets are easy, stealthy infection is trickier.
>
>On 2/19/09, T Biehn <tbiehn@xxxxxxxxx> wrote:
>> God Valdis,
>> Don't concentrate on the mundane, the core issue is the unpredictable
>> nature of it.
>> You have them all coordinate reading the news at 12:00 AM GMT.
>> You build some silly algorithm that ensures they pick the right article.
>>
>> -Travis
>>
>> On Thu, Feb 19, 2009 at 11:34 PM, <Valdis.Kletnieks@xxxxxx> wrote:
>>
>>> On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:
>>>
>>> > You know how the current amateur botnet offerings are basing domain
>>> > lists off the current time to allow the 'good guys' to prepare?
>>> >
>>> > Why not base the seed off something like a news RSS feed? I asked some
>>> > whitehats when I was ruined in Washington DC and they couldn't tell me.
>>>
>>> If you're the botnet owner, you need to have some way to know what domain
>>> name your botnet will be looking for, so you can register it.
>>>
>>> If you look at 11:06AM, see the top news story is something about Obama
>>> flipping the Republican party the bird, and compute the domain name to
>>> register based on that, but then at 11:07AM some editor at CNN pulls that
>>> headline and replaces it with "Obama sends obscene gesture to Republicans"
>>> before your bots wake up at 11:08AM and check what domain to use, you're
>>> screwed.
>>>
>>
>
>--
>Sent from my mobile device
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/