Message-ID: <49A26AF5.9010800@p6drad-teel.net>
Date: Mon, 23 Feb 2009 11:23:01 +0200
From: Siim Põder <windo@...rad-teel.net>
To: T Biehn <tbiehn@...il.com>
Cc: full-disclosure <Full-Disclosure@...ts.grok.org.uk>,
	Valdis.Kletnieks@...edu
Subject: Re: Oh Yeah, botnet communications

Hi

T Biehn wrote:
> The point really wasn't this trick (which was about eliminating LEAD-TIME) it
> was more so to prompt a discussion around various trivial tricks to write a
> more 'reliable botnet'.

In short: use copious numbers of normal-looking domain names instead of
a single obviously random one.

Instead of a dsfhefadsafkj.cn (pseudo-random-typed string) domain name,
the output of HASH(time) should be passed through a humanize() function
that would generate domain names made of words, punctuation, parts
of words, etc. Something along the lines of big-mountain-taco.com or
yetimanhome.org or whatever. And instead of generating a single domain
name for a day, generate more. Either a fixed number (like 25 or so) or
generate new ones until you find one that has a CC server set up.

The effect would be that you can't blacklist all the domains ahead of
time, as many of them could be very valid names someone will want to use.
You can't blacklist them on the same day either, as the algorithm would
generate so many valid domains even for the same day. And you can't pull
the plug on the generated domains that were registered beforehand
either, as the algorithm would generate stuff like windows-server.com
and computer-repair-shop.com among others, some of which are probably
existing sites.

Siim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
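The detection gap the message describes, shown from the resolver side as an added example (not part of the original post): a per-domain lexical check flags the random-typed name but passes the word-built ones, while the "generate until one has a C&C server" loop still leaves a per-client trail of distinct NXDOMAIN answers. The log format, the word list and the thresholds are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (hypothetical "client qname rcode" format),
# using the domain names quoted in the message above.
SAMPLE_LOG = """\
10.0.0.5 dsfhefadsafkj.cn NXDOMAIN
10.0.0.5 big-mountain-taco.com NXDOMAIN
10.0.0.5 yetimanhome.org NXDOMAIN
10.0.0.5 windows-server.com NOERROR
10.0.0.5 computer-repair-shop.com NXDOMAIN
10.0.0.9 example.com NOERROR
10.0.0.9 openwall.com NOERROR
"""

# Tiny constructed word list standing in for a real dictionary.
WORDS = {"big", "mountain", "taco", "yeti", "man", "home", "windows",
         "server", "computer", "repair", "shop", "example", "open", "wall"}

def parse_log(text):
    """Return (client, qname, rcode) tuples from the constructed log format."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def sld(qname):
    """Second-level label without hyphens: 'big-mountain-taco.com' -> 'bigmountaintaco'."""
    return qname.lower().split(".")[-2].replace("-", "")

def shannon_entropy(label):
    """Bits per character; a word-built label can score as high as a random-typed one."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def word_coverage(label):
    """Fraction of the label covered by greedy longest-match dictionary words."""
    i, covered = 0, 0
    while i < len(label):
        end = next((j for j in range(len(label), i, -1) if label[i:j] in WORDS), None)
        if end is None:
            i += 1
        else:
            covered += end - i
            i = end
    return covered / len(label)

def lexical_suspects(records, min_coverage=0.5):
    """Per-domain check: flag names not mostly made of words. Humanized names pass."""
    return {q for _, q, _ in records if word_coverage(sld(q)) < min_coverage}

def nxdomain_burst_clients(records, threshold=3):
    """Per-client check: many distinct unresolvable names from one host stand out
    even when every name looks legitimate on its own."""
    misses = defaultdict(set)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            misses[client].add(qname)
    return {c: len(q) for c, q in misses.items() if len(q) >= threshold}
```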
