I was going to toss it out there in my first post that they'd could just expose an interface or load in a script to autonuke once deriving the algorithm. The point really wasnt this trick (which was about eliminating LEAD-TIME) it was more so to prompt a discussion around various trivial tricks to write a more 'reliable botnet'. Such as the idea brought up to use alternative feeds rather than news, and then the input of using the result to pick a range of ips (lead time enables whitehats to secure boxes that would be hit FIRST) as control points, the C&C ports would also be randomly chosen from this as well. combined with encryption you can't really write a signature, unless (and Valdis will point this out in between bouts of twirling his moustache) of course you have a script that alerts on any traffic on the given port.
-Travis On Sat, Feb 21, 2009 at 9:26 PM, <[email protected]> wrote: > On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said: > > > Or how about yesterday's close of the S&P 500 or Cisco stock? Or > > maybe yesterday's Lotto numbers. Maybe a hash of all the above. > > > > This would drive bot hunters nuts. Until they reverse engineer the > > new scheme. Since the scheme is in every bot it would just take > > some reverse engineering. > > Thank you for noticing that detail. ;) > > And since *some* people need it spelled out for them in excruciating > detail: > > Currently, hashing the current time is "good enough", because it works just > fine until the bot hunters capture a copy and reverse engineer it to find > out *what* hash function you're using. > > If you make a botnet that instead looks at the news articles at 12:01AM, > or the S&P500, or anything like that, it's more complicated code, so it > will > take longer to reverse engineer. But once that happens, the bot hunters > can *also* look at the 12:01AM news, and submit the "nuke a domain" request > at 12:03AM, or look at the S&P500 at the close and submit the nuke a domain > request, or whatever is needed. > > In other words, the *only* thing all this code does is buy you an extra few > days (tops) while the bot hunters reverse engineer your more complicated > code. > Once they do that, it's *no better at all* than something simple like > hashing > the time. And unless you're *really* a superstar coder (rather than just > somebody who *thinks* they are), there's a really good chance that the bot > hunters (who have access to some *real* superstar RE guys) will actually > be able to RE your code faster than you wrote it. Taking 3 days to write > and test code that gets broken in 2 days is a losing proposition. > > You want to make it more difficult for the bot hunters, spend more time > devising ways to make the code harder to reverse engineer - that will buy > you benefits *across the board*, as not only the hash function gets harder > to reverse engineer, but all the *rest* of the code (little details like > how your C&C works, or what payloads/attacks you have onboard, etc) also > gets harder to do. >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
