Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Oh Yeah, botnet communications
From: "Elazar Broad" <elazar () hushmail com>
Date: Mon, 23 Feb 2009 13:49:46 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<snip>
...stealthy infection is trickier.
</snip>

but not impossible, checkout Symantec/F-Secure joint analysis of
mebroot: https://forums.symantec.com/t5/blogs/blogprintpage/blog-
id/malicious_code/article-
id/244;jsessionid=A4811540934368155A4B0BEE4D0B0615. Now that's
tricky...

On Mon, 23 Feb 2009 07:56:00 -0500 "John C. A. Bambenek, GCIH,
CISSP" <bambenek.infosec () gmail com> wrote:
Yes, its possible, I mapped out something on a high level that
would
use rss/xml and would evade most detection methods on the
network...
Problem comes in is that stuff gets detected at infection-time and
gets reverse engineered. Stealthy botnets is easy, stealthy
infection
is trickier.

On 2/19/09, T Biehn <tbiehn () gmail com> wrote:
God Valdis,
Dont concentrate on the mundane, the core issue is the
unpredictable nature
of it.
You have them all coordinate reading the news at 12:00 AM GMT.
You build some silly algorithm that ensures they pick the right
article.

-Travis

On Thu, Feb 19, 2009 at 11:34 PM, <Valdis.Kletnieks () vt edu>
wrote:

On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:

You know how the current amateur botnet offerings are basing
domain
lists
off the current time to allow the 'good guys' to prepare?

Why not base the seed off something like a news RSS feed? I
asked some
whitehats when I was ruined in Washington DC and they
couldn't tell me.

If you're the botnet owner, you need to have some way to know
what domain
name your botnet will be looking for, so you can register it.

If you look at 11:06AM, see the top news story is something
about Obama
flipping the Republican party the bird, and computes the domain
name to
register based on that, but then at 11:07AM some editor at CNN
pulls that
headline and replaces it with "Obama sends obscene gesture to
Republicans"
before your bots wake up at 11:08AM and check what domain to
use, you're
screwed.





--
Sent from my mobile device

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkmi77AACgkQi04xwClgpZhpSAP/QaZAxqbMdtYnXr9wWeIA3LGW7HYS
W47lUExf8UJdLeqFOA3n+LanXZhdaqpeX6vxnVYoinMEaqD1GU4WDd7f8Kwp0oFHjEMY
x/oGaULnIbSp05SDIRdBo7lfl2iEiqzvrXTwGjc01sWRzLfTtjnb+Map/l+0+IanvkUh
7+PzOLQ=
=xUVb
-----END PGP SIGNATURE-----

--
Click here to save cash and find low rates on auto loans.
 http://tagline.hushmail.com/fc/BLSrjkqhD124nV6YyCybw0EfnbPXFfMGwqpyMGkKED7rMOrsr1lVKA1kmA4/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault