Yes, it's possible. I mapped out something on a high level that would use RSS/XML and would evade most detection methods on the network... The problem is that stuff gets detected at infection time and gets reverse engineered. Stealthy botnets are easy, stealthy infection is trickier.

On 2/19/09, T Biehn <[email protected]> wrote:
> God Valdis,
> Don't concentrate on the mundane, the core issue is the unpredictable nature
> of it.
> You have them all coordinate reading the news at 12:00 AM GMT.
> You build some silly algorithm that ensures they pick the right article.
>
> -Travis
>
> On Thu, Feb 19, 2009 at 11:34 PM, <[email protected]> wrote:
>
>> On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:
>>
>> > You know how the current amateur botnet offerings are basing domain lists
>> > off the current time to allow the 'good guys' to prepare?
>> >
>> > Why not base the seed off something like a news RSS feed? I asked some
>> > whitehats when I was ruined in Washington DC and they couldn't tell me.
>>
>> If you're the botnet owner, you need to have some way to know what domain
>> name your botnet will be looking for, so you can register it.
>>
>> If you look at 11:06AM, see the top news story is something about Obama
>> flipping the Republican party the bird, and compute the domain name to
>> register based on that, but then at 11:07AM some editor at CNN pulls that
>> headline and replaces it with "Obama sends obscene gesture to Republicans"
>> before your bots wake up at 11:08AM and check what domain to use, you're
>> screwed.

--
Sent from my mobile device

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
