To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
Marco Gruss wrote:
While we're on the subject of alternative C&Cs, a thought just crossed my mind: suppose a bot herder started packaging Tor with his malware in order to host the C&C on a .onion web site/IRC server. Any idea what could be done to mitigate those?! As long as the secret key to the onion ID isn't lost, any Tor node could be turned into the C&C without the "danger" of losing its name like a DNS name.

Marco
Regardless of whether something is running on Tor, you could filter that part on a port level with your routers, firewalls, etc.

A scarier/deadlier combo would be covert channeling (TCP via ICMP) with some type of false DNS server information running. (http://www.phrack.org/issues.html?issue=51&id=6#article)

E.g.:

InfectedHost --> (TCP||UDP (tunneled in ICMP)) --> ControllingServer

where the InfectedHost and ControllingServer had mechanisms to keep ICMP packets under the radar.

E.g. 2: ControllingServer receives, say, 1000 ICMP messages, recompiles the TCP||UDP info, buffers it and dishes it out on a "go as needed" basis. It would be difficult to contain and discern from legitimate traffic if done correctly.

While I don't really tinker with understanding botnets, I'd like to think/pretend ;) I know enough about networking. I can think of a lot worse mechanisms to go undetected, but I'd rather not. Gadi, and others who I've had the pleasure to correspond with via lists and emails, can freely email me on a multicast threat theory lurking in the shadows... Certain things I choose not to bring to public light anymore lest I become a bigger pariah.

DNS server spoofing, though, is a lot easier to mitigate against and contain from a netops perspective... "Wait a minute... I have a /22 and I know damn well I only have 4 DNS servers... Therefore everyone else gets blocked."
_______________________________________________ To report a botnet PRIVATELY please email: [EMAIL PROTECTED] All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
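As an added illustration of the two defender-side checks the reply above gestures at (a host streaming many oversize ICMP echo packets to one peer, and hosts inside a /22 answering DNS from UDP/53 that are not the four known resolvers), here is example code that is not part of the thread; the flow records, addresses, allowlist and thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (src, dst, proto, sport, dport, icmp_type, payload_len)
SAMPLE_FLOWS = [
    ("10.1.0.7", "198.51.100.9", "icmp", 0, 0, 8, 56),        # ordinary 56-byte ping
    *[("10.1.0.42", "203.0.113.5", "icmp", 0, 0, 8, 1400)     # 300 bulky echo requests
      for _ in range(300)],                                    # to a single peer
    ("10.1.0.3", "10.1.0.50", "udp", 53, 51234, None, 120),    # authorised resolver
    ("10.1.2.200", "10.1.0.50", "udp", 53, 51235, None, 120),  # rogue host answering DNS
    ("10.1.0.9", "10.1.0.50", "udp", 53, 51236, None, 120),    # another rogue responder
]

# Assumed site facts: a /22 with exactly four sanctioned DNS servers.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/22")
AUTHORISED_DNS = {"10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4"}


def suspicious_icmp_sources(flows, max_payload=64, min_count=100):
    """Return {(src, dst): (count, avg_payload)} for src/dst pairs that exchange
    at least min_count echo packets whose payload exceeds a normal ping size.
    Large, repeated echo payloads are the footprint of TCP/UDP-over-ICMP tunnels."""
    stats = defaultdict(lambda: [0, 0])  # pair -> [packet count, total payload bytes]
    for src, dst, proto, _, _, itype, plen in flows:
        if proto == "icmp" and itype in (0, 8) and plen > max_payload:
            stats[(src, dst)][0] += 1
            stats[(src, dst)][1] += plen
    return {pair: (c, total // c) for pair, (c, total) in stats.items() if c >= min_count}


def rogue_dns_responders(flows, local_net=LOCAL_NET, allowed=AUTHORISED_DNS):
    """Return sorted addresses inside local_net that send from UDP/53 yet are not
    sanctioned resolvers: the "/22 with only 4 DNS servers" block rule from the reply."""
    rogue = set()
    for src, _, proto, sport, _, _, _ in flows:
        if proto == "udp" and sport == 53 \
                and ipaddress.ip_address(src) in local_net and src not in allowed:
            rogue.add(src)
    return sorted(rogue, key=ipaddress.ip_address)


if __name__ == "__main__":
    print(suspicious_icmp_sources(SAMPLE_FLOWS))  # {('10.1.0.42', '203.0.113.5'): (300, 1400)}
    print(rogue_dns_responders(SAMPLE_FLOWS))     # ['10.1.0.9', '10.1.2.200']
```

Feed real flow exports (NetFlow/IPFIX or firewall logs) into the same tuple shape and tune max_payload and min_count to the site's normal ping and monitoring traffic before alerting on the results.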