I would use something like UDP or IGMP and modify the packets slightly. I know that most routers will just pass them on and not worry about a few weird things.

On Mon, Feb 23, 2009 at 2:56 PM, John C. A. Bambenek, GCIH, CISSP <[email protected]> wrote:

> Yes, it's possible, I mapped out something on a high level that would
> use rss/xml and would evade most detection methods on the network...
> Problem comes in is that stuff gets detected at infection-time and
> gets reverse engineered. Stealthy botnets is easy, stealthy infection
> is trickier.
>
> On 2/19/09, T Biehn <[email protected]> wrote:
> > God Valdis,
> > Don't concentrate on the mundane, the core issue is the unpredictable
> > nature of it.
> > You have them all coordinate reading the news at 12:00 AM GMT.
> > You build some silly algorithm that ensures they pick the right article.
> >
> > -Travis
> >
> > On Thu, Feb 19, 2009 at 11:34 PM, <[email protected]> wrote:
> >
> >> On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:
> >>
> >> > You know how the current amateur botnet offerings are basing domain
> >> > lists off the current time to allow the 'good guys' to prepare?
> >> >
> >> > Why not base the seed off something like a news RSS feed? I asked some
> >> > whitehats when I was ruined in Washington DC and they couldn't tell me.
> >>
> >> If you're the botnet owner, you need to have some way to know what domain
> >> name your botnet will be looking for, so you can register it.
> >>
> >> If you look at 11:06AM, see the top news story is something about Obama
> >> flipping the Republican party the bird, and computes the domain name to
> >> register based on that, but then at 11:07AM some editor at CNN pulls that
> >> headline and replaces it with "Obama sends obscene gesture to Republicans"
> >> before your bots wake up at 11:08AM and check what domain to use, you're
> >> screwed.
> >>
> >
>
> --
> Sent from my mobile device
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
http://www.astorandblack.com/
http://www.jewelerslounge.com/
