[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <33325.1235269610@turing-police.cc.vt.edu>
Date: Sat, 21 Feb 2009 21:26:50 -0500
From: Valdis.Kletnieks@...edu
To: "Gary E. Miller" <gem@...lim.com>
Cc: full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: Oh Yeah, botnet communications
On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said:
> Or how about yesterday's close of the S&P 500 or Cisco stock? Or
> maybe yesterday's Lotto numbers. Maybe a hash of all the above.
>
> This would drive bot hunters nuts. Until they reverse engineer the
> new scheme. Since the scheme is in every bot it would just take
> some reverse engineering.
Thank you for noticing that detail. ;)
And since *some* people need it spelled out for them in excruciating detail:
Currently, hashing the current time is "good enough", because it works just
fine until the bot hunters capture a copy and reverse engineer it to find
out *what* hash function you're using.
If you make a botnet that instead looks at the news articles at 12:01AM,
or the S&P500, or anything like that, it's more complicated code, so it will
take longer to reverse engineer. But once that happens, the bot hunters
can *also* look at the 12:01AM news, and submit the "nuke a domain" request
at 12:03AM, or look at the S&P500 at the close and submit the nuke a domain
request, or whatever is needed.
In other words, the *only* thing all this code does is buy you an extra few
days (tops) while the bot hunters reverse engineer your more complicated code.
Once they do that, it's *no better at all* than something simple like hashing
the time. And unless you're *really* a superstar coder (rather than just
somebody who *thinks* they are), there's a really good chance that the bot
hunters (who have access to some *real* superstar RE guys) will actually
be able to RE your code faster than you wrote it. Taking 3 days to write
and test code that gets broken in 2 days is a losing proposition.
You want to make it more difficult for the bot hunters, spend more time
devising ways to make the code harder to reverse engineer - that will buy
you benefits *across the board*, as not only the hash function gets harder
to reverse engineer, but all the *rest* of the code (little details like
how your C&C works, or what payloads/attacks you have onboard, etc) also
gets harder to do.
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists