-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<snip>
...stealthy infection is trickier.
</snip>

but not impossible, check out Symantec/F-Secure joint analysis of mebroot:
https://forums.symantec.com/t5/blogs/blogprintpage/blog-id/malicious_code/article-id/244;jsessionid=A4811540934368155A4B0BEE4D0B0615

Now that's tricky...

On Mon, 23 Feb 2009 07:56:00 -0500 "John C. A. Bambenek, GCIH, CISSP" <[email protected]> wrote:
>Yes, it's possible, I mapped out something on a high level that would
>use rss/xml and would evade most detection methods on the network...
>The problem comes in that stuff gets detected at infection-time and
>gets reverse engineered. Stealthy botnets are easy, stealthy infection
>is trickier.
>
>On 2/19/09, T Biehn <[email protected]> wrote:
>> God Valdis,
>> Don't concentrate on the mundane, the core issue is the unpredictable nature
>> of it.
>> You have them all coordinate reading the news at 12:00 AM GMT.
>> You build some silly algorithm that ensures they pick the right article.
>>
>> -Travis
>>
>> On Thu, Feb 19, 2009 at 11:34 PM, <[email protected]> wrote:
>>
>>> On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:
>>>
>>> > You know how the current amateur botnet offerings are basing domain
>>> > lists off the current time to allow the 'good guys' to prepare?
>>> >
>>> > Why not base the seed off something like a news RSS feed? I asked some
>>> > whitehats when I was ruined in Washington DC and they couldn't tell me.
>>>
>>> If you're the botnet owner, you need to have some way to know what domain
>>> name your botnet will be looking for, so you can register it.
>>>
>>> If you look at 11:06AM, see the top news story is something about Obama
>>> flipping the Republican party the bird, and compute the domain name to
>>> register based on that, but then at 11:07AM some editor at CNN pulls that
>>> headline and replaces it with "Obama sends obscene gesture to Republicans"
>>> before your bots wake up at 11:08AM and check what domain to use, you're
>>> screwed.
>>>
>
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkmi77AACgkQi04xwClgpZhpSAP/QaZAxqbMdtYnXr9wWeIA3LGW7HYS
W47lUExf8UJdLeqFOA3n+LanXZhdaqpeX6vxnVYoinMEaqD1GU4WDd7f8Kwp0oFHjEMY
x/oGaULnIbSp05SDIRdBo7lfl2iEiqzvrXTwGjc01sWRzLfTtjnb+Map/l+0+IanvkUh
7+PzOLQ=
=xUVb
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
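The thread turns on two points: a clock-seeded domain generator lets defenders compute tomorrow's domains today and register or sinkhole them, while a headline-seeded one breaks for the operator the moment an editor rewrites the headline. The following Python is an added illustration of both, not code from the thread or from any real botnet; the generator (toy_domain), the per-day count, the TLD list and the sample headlines are all constructed here, and the hash-to-label scheme is a deliberately simple stand-in rather than any real family's algorithm.

```python
"""Added example (not part of the original thread): a defender-side precompute
of a clock-seeded domain generator, and a check of the seed-drift failure
mode Valdis describes for a headline-seeded one. Everything here is a
constructed toy, not a real DGA."""
import hashlib
import re
from datetime import date
from typing import Dict, List

TLDS = ("com", "net", "org")          # constructed, arbitrary
LABEL_LEN = 12                        # constructed, arbitrary
DOMAIN_RE = re.compile(r"[a-z]{%d}\.(com|net|org)" % LABEL_LEN)


def toy_domain(seed: str, index: int) -> str:
    """Derive one domain from a seed string and an index (toy scheme, assumed).

    SHA-256 of "seed|index" is mapped two hex digits at a time onto a-z,
    and the last hex digit picks the TLD. Deterministic in (seed, index).
    """
    digest = hashlib.sha256(f"{seed}|{index}".encode()).hexdigest()
    label = "".join(
        chr(ord("a") + int(digest[i:i + 2], 16) % 26)
        for i in range(0, LABEL_LEN * 2, 2)
    )
    return f"{label}.{TLDS[int(digest[-1], 16) % len(TLDS)]}"


def is_wellformed(domain: str) -> bool:
    """Sanity check used by the usage code: does the toy output look like a domain?"""
    return DOMAIN_RE.fullmatch(domain) is not None


def precompute_time_seeded(day_iso: str, per_day: int = 5) -> List[str]:
    """What the 'good guys' can do with a clock-seeded generator: feed it a
    future date (ISO string, e.g. "2009-02-24") and get that day's domains
    ahead of time, so they can be registered, sinkholed, or blocklisted.
    """
    return [toy_domain(day_iso, i) for i in range(per_day)]


def headline_seeded(headline: str, per_day: int = 5) -> List[str]:
    """Same generator, seeded from a news headline instead of the clock.
    Whitespace and case are normalised, but any wording change is a new seed."""
    seed = " ".join(headline.lower().split())
    return [toy_domain(seed, i) for i in range(per_day)]


def seed_drift(headline_before: str, headline_after: str) -> Dict[str, object]:
    """Valdis's failure mode: compare the domains derived from the headline as
    it read when the operator registered, versus after an editor rewrote it.
    overlap == 0 means the bots would look for domains nobody registered."""
    before = set(headline_seeded(headline_before))
    after = set(headline_seeded(headline_after))
    return {"overlap": len(before & after), "diverged": before != after}


if __name__ == "__main__":
    # Defender view: tomorrow's list is computable today.
    tomorrow = date.today().toordinal() + 1
    for d in precompute_time_seeded(date.fromordinal(tomorrow).isoformat()):
        print("precomputed:", d, is_wellformed(d))

    # Headline view: one editorial rewrite and the operator and the bots disagree.
    original = "Obama flips the Republican party the bird"          # constructed
    rewritten = "Obama sends obscene gesture to Republicans"          # constructed
    print("drift:", seed_drift(original, rewritten))
```

The two functions share one generator on purpose: the only thing that changes between the defender-friendly case and the operator-hostile case is where the seed comes from, which is exactly the trade-off the thread is arguing about.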
