Message-ID: <a9f4a3860902220943t6b1d5232nab1f4baed3bd5ace@mail.gmail.com>
Date: Sun, 22 Feb 2009 09:43:30 -0800
From: Kurt Buff <kurt.buff@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: Oh Yeah, botnet communications

On Thu, Feb 19, 2009 at 21:21, <Valdis.Kletnieks@...edu> wrote:
> On Thu, 19 Feb 2009 23:38:37 EST, T Biehn said:
>
>> God Valdis,
>> Don't concentrate on the mundane, the core issue is the unpredictable nature
>> of it.
>> You have them all coordinate reading the news at 12:00 AM GMT.
>> You build some silly algorithm that ensures they pick the right article.
>
> Right, so now you need this insanely complicated system to make sure that you
> get the right article at midnight, even if you have a race condition or you're
> getting an old copy because of a caching proxy in the path or if they hit
> different boxes on a load balancer and the articles update a few seconds apart,
> and then make sure they all pick the "right" article - which means they need to
> *agree* on the right article without knowing for sure what article the *other*
> bots are looking at. And that also means that the botnet owner (or at least
> a system they have) has to *also* be online so it can also check CNN and figure
> out what domain to register - which sucks if Godaddy just put up the "Down for
> 3 hours due to unexpected system problem" sign or any of a zillion other failure
> modes in trying to register that next domain in real time. You can't register
> the next 3-4 days' worth of domains ahead of time and make sure they went
> live.
>
> Lots of failure modes there.
>
> Or you can just hash the damned clock once an hour, which seems to be quite
> sufficient to keep the average botnet running.
>
> *THAT* is why they don't base it off a news RSS feed - all these mundane issues
> make it *harder*. You wanna do it the hard way that has more ways to fail and
> sprout bugs, be my guest. Most of the coders out there prefer something
> just a bit simpler.

Not necessarily as insanely complicated as you might think - an RSS
feed can include some interesting numbers, such as stock quotes, etc.,
where the non-integer portion of the number(s) are pretty random, and
reporting on them is pretty standardized.

And, I don't think, for the purposes of discussion, it *has* to be an
RSS feed. It could be any publicly available, regularly updated text,
including www.wsj.com.

Kurt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/