Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Oh Yeah, botnet communications
From: T Biehn <tbiehn () gmail com>
Date: Sun, 22 Feb 2009 23:01:38 -0500

I was going to toss it out there in my first post that they'd could just
expose an interface or load in a script to autonuke once deriving the
algorithm.
The point really wasnt this trick (which was about eliminating LEAD-TIME) it
was more so to prompt a discussion around various trivial tricks to write a
more 'reliable botnet'.
Such as the idea brought up to use alternative feeds rather than news, and
then the input of using the result to pick a range of ips (lead time enables
whitehats to secure boxes that would be hit FIRST) as control points, the
C&C ports would also be randomly chosen from this as well.
combined with encryption you can't really write a signature, unless (and
Valdis will point this out in between bouts of twirling his moustache) of
course you have a script that alerts on any traffic on the given port.

-Travis

On Sat, Feb 21, 2009 at 9:26 PM, <Valdis.Kletnieks () vt edu> wrote:

On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said:

Or how about yesterday's close of the S&P 500 or Cisco stock?  Or
maybe yesterday's Lotto numbers.  Maybe a hash of all the above.

This would drive bot hunters nuts.  Until they reverse engineer the
new scheme.  Since the scheme is in every bot it would just take
some reverse engineering.

Thank you for noticing that detail. ;)

And since *some* people need it spelled out for them in excruciating
detail:

Currently, hashing the current time is "good enough", because it works just
fine until the bot hunters capture a copy and reverse engineer it to find
out *what* hash function you're using.

If you make a botnet that instead looks at the news articles at 12:01AM,
or the S&P500, or anything like that, it's more complicated code, so it
will
take longer to reverse engineer.  But once that happens, the bot hunters
can *also* look at the 12:01AM news, and submit the "nuke a domain" request
at 12:03AM, or look at the S&P500 at the close and submit the nuke a domain
request, or whatever is needed.

In other words, the *only* thing all this code does is buy you an extra few
days (tops) while the bot hunters reverse engineer your more complicated
code.
Once they do that, it's *no better at all* than something simple like
hashing
the time.  And unless you're *really* a superstar coder (rather than just
somebody who *thinks* they are), there's a really good chance that the bot
hunters (who have access to some *real* superstar RE guys) will actually
be able to RE your code faster than you wrote it.  Taking 3 days to write
and test code that gets broken in 2 days is a losing proposition.

You want to make it more difficult for the bot hunters, spend more time
devising ways to make the code harder to reverse engineer - that will buy
you benefits *across the board*, as not only the hash function gets harder
to reverse engineer, but all the *rest* of the code (little details like
how your C&C works, or what payloads/attacks you have onboard, etc) also
gets harder to do.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]