Message-ID: <57583.1235104472@turing-police.cc.vt.edu>
Date: Thu, 19 Feb 2009 23:34:32 -0500
From: Valdis.Kletnieks@...edu
To: T Biehn <tbiehn@...il.com>
Cc: full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: Oh Yeah, botnet communications

On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:

> You know how the current amateur botnet offerings are basing domain lists
> off the current time to allow the 'good guys' to prepare?
> 
> Why not base the seed off something like a news RSS feed? I asked some
> whitehats when I was ruined in Washington DC and they couldn't tell me.

If you're the botnet owner, you need to have some way to know what domain
name your botnet will be looking for, so you can register it.

If you look at 11:06AM, see the top news story is something about Obama
flipping the Republican party the bird, and compute the domain name to
register based on that, but then at 11:07AM some editor at CNN pulls that
headline and replaces it with "Obama sends obscene gesture to Republicans"
before your bots wake up at 11:08AM and check what domain to use, you're
screwed.


