Message-Id: <20090223185000.581C920040@smtp.hushmail.com>
Date: Mon, 23 Feb 2009 13:49:46 -0500
From: "Elazar Broad" <elazar@...hmail.com>
To: tbiehn@...il.com, valdis.kletnieks@...edu,
full-disclosure@...ts.grok.org.uk, bambenek.infosec@...il.com
Subject: Re: Oh Yeah, botnet communications
<snip>
...stealthy infection is trickier.
</snip>
but not impossible; check out the Symantec/F-Secure joint analysis of
Mebroot:
https://forums.symantec.com/t5/blogs/blogprintpage/blog-id/malicious_code/article-id/244;jsessionid=A4811540934368155A4B0BEE4D0B0615
Now that's tricky...
On Mon, 23 Feb 2009 07:56:00 -0500 "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec@...il.com> wrote:
>Yes, it's possible. I mapped out something on a high level that
>would use rss/xml and would evade most detection methods on the
>network...
>The problem is that stuff gets detected at infection time and
>gets reverse engineered. Stealthy botnets are easy, stealthy
>infection is trickier.
>
>On 2/19/09, T Biehn <tbiehn@...il.com> wrote:
>> God Valdis,
>> Don't concentrate on the mundane, the core issue is the
>> unpredictable nature of it.
>> You have them all coordinate reading the news at 12:00 AM GMT.
>> You build some silly algorithm that ensures they pick the right
>> article.
>>
>> -Travis
>>
>> On Thu, Feb 19, 2009 at 11:34 PM, <Valdis.Kletnieks@...edu> wrote:
>>
>>> On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:
>>>
>>> > You know how the current amateur botnet offerings are basing
>>> > domain lists off the current time to allow the 'good guys' to
>>> > prepare?
>>> >
>>> > Why not base the seed off something like a news RSS feed? I
>>> > asked some whitehats when I was ruined in Washington DC and they
>>> > couldn't tell me.
>>>
>>> If you're the botnet owner, you need to have some way to know
>>> what domain name your botnet will be looking for, so you can
>>> register it.
>>>
>>> If you look at 11:06AM, see the top news story is something
>>> about Obama flipping the Republican party the bird, and compute
>>> the domain name to register based on that, but then at 11:07AM
>>> some editor at CNN pulls that headline and replaces it with
>>> "Obama sends obscene gesture to Republicans" before your bots
>>> wake up at 11:08AM and check what domain to use, you're screwed.
>>>
>>>
>>>
>>
>
>--
>Sent from my mobile device
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/