To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Title: Re: [botnets] botnet C&C complexity [was: Skype - the next vector?]
I am coming late into this one, but what about HTTP/S for C&C? We are seeing this being used more frequently, and not only is it a nice alternative to IRC, it is a better way to control infected clients in the enterprise. It's debatable how many enterprises manage IRC (most I suspect block it), but I don't know of many companies that don't have the port 80 / 443 rule enabled. A graphical interface also allows the bot master to collect stats and even rent out pieces of the botnet with a nice, easy interface for non-technical types.
From: Gadi Evron [mailto:[EMAIL PROTECTED]]
Sent: Thu 3/16/2006 8:24 AM
To: Georg Wicherski
Cc: [email protected]
Subject: Re: [botnets] botnet C&C complexity [was: Skype - the next vector?]
On Thu, 16 Mar 2006, Georg Wicherski wrote:
> Gadi Evron wrote:
> > The issue is, the Bad Guys don't often need it as IRC works well. If we
> > limit our fight to whack-a-mole though, continually KILLING the problem
> > when it becomes annoying enough after ignoring it so it became annoying
> > in the first place, we will push the Bad Guys to evolve once again in a
> > broader fashion than previously... much like with terrorism,
> > spam, etc. through history.
>
> Just waiting for the rhetorical question, whether USA should not have fought
> terrorism... ;) Basically, we cannot just wait and hope as long as we don't
> provoke them, they will not do worse things. Fighting botnets has always been an
> arms race and will always be, unless each packet is digitally signed.
Some types of botnets, as David Dagon also mentioned, operate in a
terrorist-cell fashion.
The terrorism/political debate - NO.
> > More complex (or simple) control channels are here for a long time now,
> > IRC is still the most used one, though.
>
> Right, peer-to-peer control channels are already emerging.
>
> > Botnets are interesting in that whenever you make the control channel more
> > complicated, you equally raise the difficulty of maintaining them and
> > make them easier to find.
>
> Once a peer-to-peer based bot is publicly available, people will probably
> shift even if IRC still works, as soon as one botnet proves peer-to-peer to
> work. Peer-to-peer botnets are not necessarily hard to maintain, you just need
> the script kiddie compatible GUI and all is fine. They are not easy to find
> either, if deployed well.
I disagree. Some do. Some did 3 years ago. Some never will. No matter how
complex or cool it is.. IRC still works and does it amazingly well and in
high scalability.
The "not thumb rule" I provided proves itself right each and every time I
tried something against it. Control is the least of the problems
though. Detection becoming easier isn't.
This is why in my opinion IRC will still be here for a while.
"The avalanche has already started. It is too late for the pebbles to
vote." - Ambassador Kosh, "Believers", Babylon 5.
Just "killing" (reporting suspected hosts to the respective authority for
their investigation, confirmation and proceeding according to their
acceptable use policy) botnet C&C's has proven to be a mistake.
Holding back the tide and making life difficult by whack-a-mole is
critical. Doing just that is not only counter-productive, it makes the Bad
Guys evolve and do better next time.
That's yesterday's news.. and as C&C data can help the public considerably
as well as in my opinion is already public, we created botnets@ as a proof
of concept to see if this "public" thingie works.
Despite all this, there will be and there IS evolvement to higher
protocols. Most just don't find it necessary yet. I can see why.
The Bad Guys' POC's though have been very interesting, dating back to the
previous century. :)
> > This is less of a thumb rule and more of yet another difficulty to
> > over-come.
>
> Right, it is good to see a community emerging around these difficulties, though.
> Most of research on this topic has been done behind closed doors (except for
> some exceptions of course, like our botnet KYE paper). Researchers need to join
> forces (as we recently did with mwcollect and nepenthes), still it's all about
> business. ;)
It's an economic problem. ROI and risk. Cost vs. Benefit.
100% behind you.
>
> Georg 'oxff' Wicherski
>
Gadi.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
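The opening post's point is that HTTP/S C&C rides on the port 80/443 rule that almost every enterprise leaves open, so port-based blocking does not help and detection has to come from the traffic itself. The usual first-pass check a defender runs over proxy logs is periodicity: a bot polling its controller every N seconds produces inter-request gaps with very little variance, while a human browsing the same site does not. The script below is an added example, not code from the list or from any poster; the log format, the hostnames, the timestamps and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in a minimal "timestamp src dst method path status" format
# (not a real proxy log). One host polls update.example.net every ~5 minutes
# and browses www.example.com irregularly.
SAMPLE_LOG = """\
2006-03-16T08:00:00 10.0.0.5 update.example.net GET /check.php 200
2006-03-16T08:00:01 10.0.0.5 www.example.com GET /index.html 200
2006-03-16T08:05:00 10.0.0.5 update.example.net GET /check.php 200
2006-03-16T08:07:12 10.0.0.5 www.example.com GET /news.html 200
2006-03-16T08:10:01 10.0.0.5 update.example.net GET /check.php 200
2006-03-16T08:15:00 10.0.0.5 update.example.net GET /check.php 200
2006-03-16T08:19:44 10.0.0.5 www.example.com GET /about.html 200
2006-03-16T08:20:00 10.0.0.5 update.example.net GET /check.php 200
2006-03-16T08:25:00 10.0.0.5 update.example.net GET /check.php 200
2006-03-16T08:33:05 10.0.0.5 www.example.com GET /index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, method, path, status) tuples.

    Malformed lines are skipped rather than aborting the run, since real
    proxy logs routinely contain partial or truncated entries.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, method, path, status = m.groups()
        records.append((datetime.fromisoformat(ts), src, dst, method, path, int(status)))
    return records


def find_beacons(records, min_requests=4, max_cv=0.1):
    """Flag (src, dst) pairs whose request gaps are suspiciously regular.

    For each pair with at least min_requests requests, compute the gaps
    between consecutive requests and their coefficient of variation
    (population stddev / mean). A CV at or below max_cv means the timing
    is near-constant, which is what a fixed-interval poller looks like.
    Returns a dict keyed by (src, dst) with the request count, the
    estimated period in seconds and the CV.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, *_ in records:
        by_pair[(src, dst)].append(ts)

    findings = {}
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second; not a polling pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[(src, dst)] = {
                "requests": len(times),
                "period_s": round(avg),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['requests']} requests, "
              f"period ~{info['period_s']}s, cv={info['cv']}")
```

On the constructed sample this flags only the 10.0.0.5 to update.example.net pair (period about 300 seconds); the browsing to www.example.com has gaps of several hundred to eight hundred seconds and is rejected by the variance test. Treat a hit as a triage lead, not a verdict: legitimate agents (AV updaters, RSS readers, monitoring probes) beacon on fixed timers too, and a bot that adds random jitter to its sleep pushes its CV above a tight threshold, so in practice this check is combined with destination reputation, User-Agent anomalies and the size of the responses.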
