Date: Sat, 21 Feb 2009 21:26:50 -0500
From: Valdis.Kletnieks@...edu
To: "Gary E. Miller" <gem@...lim.com>
Cc: full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: Oh Yeah, botnet communications

On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said:

> Or how about yesterday's close of the S&P 500 or Cisco stock?  Or
> maybe yesterday's Lotto numbers.  Maybe a hash of all the above.
> 
> This would drive bot hunters nuts.  Until they reverse engineer the
> new scheme.  Since the scheme is in every bot it would just take
> some reverse engineering.

Thank you for noticing that detail. ;)

And since *some* people need it spelled out for them in excruciating detail:

Currently, hashing the current time is "good enough", because it works just
fine until the bot hunters capture a copy and reverse engineer it to find
out *what* hash function you're using.

If you make a botnet that instead looks at the news articles at 12:01AM,
or the S&P500, or anything like that, it's more complicated code, so it will
take longer to reverse engineer.  But once that happens, the bot hunters
can *also* look at the 12:01AM news, and submit the "nuke a domain" request
at 12:03AM, or look at the S&P500 at the close and submit the "nuke a domain"
request, or whatever is needed.

In other words, the *only* thing all this code does is buy you an extra few
days (tops) while the bot hunters reverse engineer your more complicated code.
Once they do that, it's *no better at all* than something simple like hashing
the time.  And unless you're *really* a superstar coder (rather than just
somebody who *thinks* they are), there's a really good chance that the bot
hunters (who have access to some *real* superstar RE guys) will actually
be able to RE your code faster than you wrote it.  Taking 3 days to write
and test code that gets broken in 2 days is a losing proposition.

You want to make it more difficult for the bot hunters, spend more time
devising ways to make the code harder to reverse engineer - that will buy
you benefits *across the board*, as not only the hash function gets harder
to reverse engineer, but all the *rest* of the code (little details like
how your C&C works, or what payloads/attacks you have onboard, etc) also
gets harder to do.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
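The argument above is easy to see in code. The following is an added example written for this archive page, not code from the posting and not taken from any real botnet: a toy domain-generation scheme in two flavours, one seeded only by the date and one that also folds in a value published after the fact (an index close or a lottery draw, as in the thread), next to the "bot hunter" side that has already reversed the algorithm. Everything in it is hypothetical: `BOT_SECRET`, the TLD rotation, the choice of SHA-256, the 12-letter labels, and the sample close `770.05` are all constructed for illustration.

```python
"""Toy DGA (domain-generation algorithm) and the bot hunter's replica of it.

All constants, names and sample values below are hypothetical and constructed
for illustration; nothing here is taken from a real botnet.
"""
import datetime
import hashlib

BOT_SECRET = b"hypothetical-bot-constant"  # constant baked into every bot copy
TLDS = ("com", "net", "org")                 # hypothetical TLD rotation
SAMPLE_DAY = datetime.date(2009, 2, 21)      # date of the posting, used as sample input
SAMPLE_CLOSE = "770.05"                      # constructed sample "index close", not a real quote


def _label(digest: bytes, length: int = 12) -> str:
    """Turn a hash digest into a lowercase a-z DNS label."""
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, 26)
        out.append(chr(ord("a") + r))
    return "".join(out)


def dga_time_seeded(day: datetime.date, count: int = 5) -> list[str]:
    """Bot side: today's rendezvous domains depend only on the date.

    Anyone holding the algorithm can run it for any date, past or future.
    """
    domains = []
    for i in range(count):
        material = BOT_SECRET + day.isoformat().encode() + bytes([i])
        domains.append(f"{_label(hashlib.sha256(material).digest())}.{TLDS[i % len(TLDS)]}")
    return domains


def dga_public_seeded(day: datetime.date, public_value: str, count: int = 5) -> list[str]:
    """Bot side: the seed also folds in a value the bot fetches from a public
    source once it is published. Nobody can compute this before the value exists,
    but anybody with the algorithm can compute it the moment the value appears.
    """
    domains = []
    for i in range(count):
        material = BOT_SECRET + day.isoformat().encode() + public_value.encode() + bytes([i])
        domains.append(f"{_label(hashlib.sha256(material).digest())}.{TLDS[i % len(TLDS)]}")
    return domains


def hunter_enumerate_ahead(start: datetime.date, days: int) -> dict[datetime.date, list[str]]:
    """Hunter side, time-seeded variant: with the algorithm reversed, pre-compute
    every domain for the next `days` days and register or sinkhole them early."""
    result = {}
    for d in range(days):
        day = start + datetime.timedelta(days=d)
        result[day] = dga_time_seeded(day)
    return result


def hunter_replicate_after_publication(day: datetime.date, observed_value: str) -> list[str]:
    """Hunter side, public-value variant: no lookahead, but as soon as the public
    value is out the hunter runs the same code the bot does and files the
    takedown a couple of minutes later (the 12:01AM / 12:03AM race in the posting)."""
    return dga_public_seeded(day, observed_value)


def demo() -> dict:
    """Run both scenarios on the sample inputs and report what each side can do."""
    ahead = hunter_enumerate_ahead(SAMPLE_DAY, 3)
    return {
        # hunter's precomputed list is exactly what the bot will compute each day
        "ahead_matches_bot": all(doms == dga_time_seeded(d) for d, doms in ahead.items()),
        "days_predicted": len(ahead),
        # hunter reproduces the public-seeded domains once the value is observed
        "replica_matches_bot": hunter_replicate_after_publication(SAMPLE_DAY, SAMPLE_CLOSE)
        == dga_public_seeded(SAMPLE_DAY, SAMPLE_CLOSE),
        # a different published value would have produced different domains,
        # which is all the extra complexity buys: no lookahead for either side
        "public_seed_unpredictable": dga_public_seeded(SAMPLE_DAY, SAMPLE_CLOSE)
        != dga_public_seeded(SAMPLE_DAY, "770.06"),
    }


if __name__ == "__main__":
    for day, doms in hunter_enumerate_ahead(SAMPLE_DAY, 3).items():
        print(day, doms)
    print(demo())
```

Note what the two hunter functions have in common: neither needs anything but the reversed algorithm and the same inputs the bot sees. The public-value variant only removes the hunter's ability to pre-register days in advance; it does nothing to stop them from computing the day's domains within minutes of the bot, which is the thread's point.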
