Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Oh Yeah, botnet communications
From: "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec () gmail com>
Date: Mon, 23 Feb 2009 06:56:00 -0600

Yes, its possible, I mapped out something on a high level that would
use rss/xml and would evade most detection methods on the network...
Problem comes in is that stuff gets detected at infection-time and
gets reverse engineered. Stealthy botnets is easy, stealthy infection
is trickier.

On 2/19/09, T Biehn <tbiehn () gmail com> wrote:
God Valdis,
Dont concentrate on the mundane, the core issue is the unpredictable nature
of it.
You have them all coordinate reading the news at 12:00 AM GMT.
You build some silly algorithm that ensures they pick the right article.


On Thu, Feb 19, 2009 at 11:34 PM, <Valdis.Kletnieks () vt edu> wrote:

On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:

You know how the current amateur botnet offerings are basing domain
off the current time to allow the 'good guys' to prepare?

Why not base the seed off something like a news RSS feed? I asked some
whitehats when I was ruined in Washington DC and they couldn't tell me.

If you're the botnet owner, you need to have some way to know what domain
name your botnet will be looking for, so you can register it.

If you look at 11:06AM, see the top news story is something about Obama
flipping the Republican party the bird, and computes the domain name to
register based on that, but then at 11:07AM some editor at CNN pulls that
headline and replaces it with "Obama sends obscene gesture to Republicans"
before your bots wake up at 11:08AM and check what domain to use, you're

Sent from my mobile device

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]