Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Oh Yeah, botnet communications
From: Siim Põder <windo () p6drad-teel net>
Date: Mon, 23 Feb 2009 11:23:01 +0200


T Biehn wrote:
The point really wasnt this trick (which was about eliminating LEAD-TIME) it
was more so to prompt a discussion around various trivial tricks to write a
more 'reliable botnet'.

Shortly: use coupious numbers of normal-looking domain names instead of
a single obviously random one.

Instead of dsfhefadsafkj.cn (pseudo-random-typing string) domain name,
output of the HASH(time) should be passed through a humanize() function
that would build generate domain names made of words, punctuation, parts
of words, etc. Something along the lines of big-mountain-taco.com or
yetimanhome.org or whatever. And instead of generating a single domain
name for a day, generate more. Either a fixed number (like 25 or so) or
generate new ones until you find one that has a CC server set up.

The effect would be that you can't blacklist all the domains ahead of
time as many of them could be very valid names someone will want to use.
You can't blacklist them on the same day either, as the algorithm would
generate so many valid domains even for the same day. And you can't pull
the plug on the generated domains that we're registered beforehand
either, as the algorithm would generate stuff like windows-server.com
and computer-repair-shop.com among others, some of which are probably
existing sites.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]