Date: Fri, 20 Feb 2009 17:35:37 -0500
From: T Biehn <tbiehn@...il.com>
To: "Gary E. Miller" <gem@...lim.com>
Cc: full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: Oh Yeah, botnet communications

Yeah man you get the point.

Even if they do reverse it, you can digitally sign each of the commands, so
if a bot hunter even got the balls to 'break the law' and send the rm
command they'd fail.

It's about eliminating their lead time; right now they can just put controls
in with registrars to disallow these lists of domains.
Of course one could adopt such a framework to take the output of a script...
Hence choosing a range of IPs, which makes the whole process of searching
through to your bots a lot less complicated.

Or one good way to do this is to have each of the bots maintain a list of
-other- bots it 'encounters', then share this list with the other bots.
This, however, leads to too easy enumeration.

-Travis

On Fri, Feb 20, 2009 at 1:48 PM, Gary E. Miller <gem@...lim.com> wrote:

> Yo Travis!
>
> On Thu, 19 Feb 2009, T Biehn wrote:
>
> > You know how the current amateur botnet offerings are basing domain lists
> > off the current time to allow the 'good guys' to prepare?
> >
> > Why not base the seed off something like a news RSS feed?
>
> Or how about yesterday's close of the S&P 500 or Cisco stock?  Or
> maybe yesterday's Lotto numbers.  Maybe a hash of all the above.
>
> This would drive bot hunters nuts.  Until they reverse engineer the
> new scheme.  Since the scheme is in every bot it would just take
> some reverse engineering.
>
> RGDS
> GARY
> -
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
>        gem@...lim.com  Tel:+1(541)382-8588
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/