Full Disclosure mailing list archives
Re: Oh Yeah, botnet communications
From: T Biehn <tbiehn () gmail com>
Date: Fri, 20 Feb 2009 17:35:37 -0500
Yeah man you get the point. Even if they do reverse it, you can digitally sign each of the commands, so if a bot hunter even got the balls to 'break the law' and send the rm command they'd fail. It's about eliminating their lead time, right now they can just put controls in with registrars to disallow these lists of domains. Of course one could adopt such a framework to take the output of a script... Hence the choosing a range of IPs which makes the whole process of searching through to your bots a lot less complicated. Or one good way to do this is have each of the bots maintain a list of -other- bots it 'encounters' then share this list with the other bots. This, however, leads to too easy enumeration. -Travis On Fri, Feb 20, 2009 at 1:48 PM, Gary E. Miller <gem () rellim com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yo Travis! On Thu, 19 Feb 2009, T Biehn wrote:You know how the current amateur botnet offerings are basing domain lists off the current time to allow the 'good guys' to prepare? Why not base the seed off something like a news RSS feed?Or how about yesterday's close of the S&P 500 or Cisco stock? Or maybe yesterday's Lotto numbers. Maybe a hash of all the above. This would drive bot hunters nuts. Until they reverse engineer the new scheme. Since the scheme is in every bot it would just take some reverse engineering. RGDS GARY - --------------------------------------------------------------------------- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701 gem () rellim com Tel:+1(541)382-8588 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFJnvr0BmnRqz71OvMRAmJWAKC4kPXM0C6L6d4Tkldw4ypeQuXXmQCgyZH9 xjMzFphho5t9UEeTj4UigE0= =hUXf -----END PGP SIGNATURE-----
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 20)
- Re: Oh Yeah, botnet communications Kurt Buff (Feb 22)
- Re: Oh Yeah, botnet communications John C. A. Bambenek, GCIH, CISSP (Feb 23)
- Re: Oh Yeah, botnet communications James Matthews (Feb 23)
- Re: Oh Yeah, botnet communications T Biehn (Feb 23)
- Re: Oh Yeah, botnet communications T Biehn (Feb 19)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 19)
- Re: Oh Yeah, botnet communications T Biehn (Feb 20)
- Re: Oh Yeah, botnet communications Valdis . Kletnieks (Feb 21)
- Re: Oh Yeah, botnet communications T Biehn (Feb 22)
- Re: Oh Yeah, botnet communications Siim Põder (Feb 23)
- <Possible follow-ups>
- Re: Oh Yeah, botnet communications Elazar Broad (Feb 19)
- Re: Oh Yeah, botnet communications Jordan Bray (Feb 20)
- Re: Oh Yeah, botnet communications Elazar Broad (Feb 23)
