"Look at me all smiles like a proud papa." -Jesus
On Mon, Feb 23, 2009 at 8:31 AM, James Matthews <[email protected]> wrote:
> I would use something like UDP or IGMP and modify the packets slightly. I
> know that most routers will just pass them on and not worry about a few
> weird things.
>
> On Mon, Feb 23, 2009 at 2:56 PM, John C. A. Bambenek, GCIH, CISSP <[email protected]> wrote:
>
>> Yes, it's possible. I mapped out something on a high level that would
>> use rss/xml and would evade most detection methods on the network...
>> Problem comes in is that stuff gets detected at infection-time and
>> gets reverse engineered. Stealthy botnets are easy, stealthy infection
>> is trickier.
>>
>> On 2/19/09, T Biehn <[email protected]> wrote:
>> > God Valdis,
>> > Don't concentrate on the mundane, the core issue is the unpredictable nature
>> > of it.
>> > You have them all coordinate reading the news at 12:00 AM GMT.
>> > You build some silly algorithm that ensures they pick the right article.
>> >
>> > -Travis
>> >
>> > On Thu, Feb 19, 2009 at 11:34 PM, <[email protected]> wrote:
>> >
>> >> On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:
>> >>
>> >> > You know how the current amateur botnet offerings are basing domain
>> >> > lists off the current time to allow the 'good guys' to prepare?
>> >> >
>> >> > Why not base the seed off something like a news RSS feed? I asked some
>> >> > whitehats when I was ruined in Washington DC and they couldn't tell me.
>> >>
>> >> If you're the botnet owner, you need to have some way to know what domain
>> >> name your botnet will be looking for, so you can register it.
>> >>
>> >> If you look at 11:06AM, see the top news story is something about Obama
>> >> flipping the Republican party the bird, and compute the domain name to
>> >> register based on that, but then at 11:07AM some editor at CNN pulls that
>> >> headline and replaces it with "Obama sends obscene gesture to Republicans"
>> >> before your bots wake up at 11:08AM and check what domain to use, you're
>> >> screwed.
>>
>> --
>> Sent from my mobile device
>
> --
> http://www.astorandblack.com/
> http://www.jewelerslounge.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
