Re: [botnets] Tor CC? (Was: Re: Alternative Botnet CCs - free chapter from Botnets:The Killer Web App)

2007-07-26 Thread J. Oquendo
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
Marco Gruss wrote:

While we're on the subject of alternative CCs, a thought just
crossed my mind: Suppose a bot herder started packaging Tor with
his malware in order to host the CC on a .onion web site/irc
server. Any idea what could be done to mitigate those?!

As long as the secret key to the onion ID isn't lost, any tor
node could be turned into the CC without the danger of losing
its name like a DNS name.

Marco
___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


Regardless of whether something is running on Tor, you could filter
that part at the port level with your routers, firewalls, etc.
A scarier/deadlier combo would be covert channeling (TCP via
ICMP) with some type of false DNS server information running.
(http://www.phrack.org/issues.html?issue=51&id=6#article)

E.g.:

InfectedHost -- (TCP||UDP(tunneled in ICMP)) -- ControllingServer

Where the InfectedHost and ControllingServer had mechanisms
to keep ICMP packets under the radar. E.g. 2: ControllingServer
receives, say, 1000 ICMP messages, recompiles the TCP||UDP info,
buffers it and dishes it out on an as-needed basis. It would
be difficult to contain and discern from legitimate traffic
if done correctly.

While I don't really tinker with understanding botnets, I'd
like to think/pretend ;) I know enough about networking. I
can think of a lot worse mechanisms to go undetected, but
I'd rather not. Gadi, others who I've had the pleasure to
correspond with via lists and emails can freely email me on
a multicast threat theory lurking in the shadows... Certain
things I choose not to bring to public light anymore lest
I become a bigger pariah.

DNS server spoofing, though, is a lot easier to mitigate
against and contain from a netops perspective... Wait a
minute... I have a /22 and I know damn well I only have
4 DNS servers... Therefore everyone else gets blocked.



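Oquendo's three points (filter Tor at the port level, ICMP tunnels that hide among legitimate traffic, and a /22 where only four DNS servers are allowed to talk to the outside) translate into three defender-side checks over flow records. The script below is an added example and not code from the thread or the list: the /22, the resolver addresses, the flow records and the detection thresholds are all constructed for illustration, and the Tor port list is the stock ORPort/DirPort/SOCKS defaults, which a Tor client can be configured away from, so that check only catches default setups.

```python
"""Defender-side checks over flow records: DNS to unapproved resolvers,
ICMP volume/size anomalies, and outbound TCP to default Tor ports.
Added example; all addresses, records and thresholds are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (illustrative data, not captures from the thread).
# Fields: ts,src,dst,proto,sport,dport,bytes,packets
SAMPLE_FLOWS = """\
ts,src,dst,proto,sport,dport,bytes,packets
1185400001,198.51.100.10,198.51.100.53,udp,51000,53,120,2
1185400002,198.51.100.11,203.0.113.99,udp,51001,53,130,2
1185400003,198.51.100.12,192.0.2.7,icmp,0,0,1200000,1000
1185400004,198.51.100.13,192.0.2.8,icmp,0,0,980,10
1185400005,198.51.100.14,192.0.2.9,tcp,40000,9001,5000,40
1185400006,198.51.100.15,192.0.2.10,tcp,40001,443,8000,30
"""

# Hypothetical values standing in for the poster's "/22 with 4 DNS servers".
LOCAL_NET = ipaddress.ip_network("198.51.100.0/22")
APPROVED_RESOLVERS = {
    ipaddress.ip_address("198.51.100.53"),
    ipaddress.ip_address("198.51.100.54"),
    ipaddress.ip_address("198.51.101.53"),
    ipaddress.ip_address("198.51.101.54"),
}
# Default Tor ORPort/DirPort/SOCKS ports. Tor can be configured to use any port
# (443 is common), so this is the weakest of the three checks.
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9051}


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": int(row["ts"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "proto": row["proto"].lower(),
            "sport": int(row["sport"]),
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
            "packets": int(row["packets"]),
        })
    return flows


def unapproved_dns(flows, approved=APPROVED_RESOLVERS, local_net=LOCAL_NET):
    """Internal hosts sending DNS (port 53) to anything but the approved resolvers."""
    return [(str(f["src"]), str(f["dst"])) for f in flows
            if f["src"] in local_net and f["dport"] == 53 and f["dst"] not in approved]


def icmp_anomalies(flows, max_avg_bytes=256, max_packets=500):
    """Per-source ICMP totals that exceed a plain-ping profile.

    A normal echo request carries a small, fixed payload; tunnelling TCP/UDP
    inside ICMP inflates the average packet size, the packet count, or both.
    The thresholds are constructed and should be tuned to the local baseline."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] == "icmp":
            totals[str(f["src"])]["bytes"] += f["bytes"]
            totals[str(f["src"])]["packets"] += f["packets"]
    anomalies = {}
    for src, t in totals.items():
        avg = t["bytes"] / t["packets"] if t["packets"] else 0
        if avg > max_avg_bytes or t["packets"] > max_packets:
            anomalies[src] = {"avg_bytes": round(avg, 1), "packets": t["packets"]}
    return anomalies


def tor_port_hits(flows, ports=TOR_DEFAULT_PORTS):
    """Outbound TCP flows to default Tor ports: candidates for a port-level filter."""
    return [(str(f["src"]), str(f["dst"]), f["dport"])
            for f in flows if f["proto"] == "tcp" and f["dport"] in ports]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("DNS to unapproved resolvers:", unapproved_dns(flows))
    print("ICMP anomalies:", icmp_anomalies(flows))
    print("Default Tor port hits:", tor_port_hits(flows))
```

The DNS check is the one Oquendo calls easy, and it is: it needs only the allow-list of resolvers and works whatever the far end is. The ICMP check is a heuristic, since a careful tunnel keeps packets at ping size and low rate, which is exactly the "under the radar" case he describes; per-source totals over a longer window catch more than per-flow thresholds do. The Tor port check is a port-level filter candidate and nothing more.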


[botnets] Tor CC? (Was: Re: Alternative Botnet CCs - free chapter from Botnets:The Killer Web App)

2007-07-26 Thread Marco Gruss
While we're on the subject of alternative CCs, a thought just
crossed my mind: Suppose a bot herder started packaging Tor with
his malware in order to host the CC on a .onion web site/irc
server. Any idea what could be done to mitigate those?!

As long as the secret key to the onion ID isn't lost, any tor
node could be turned into the CC without the danger of losing
its name like a DNS name.

Marco


Re: [botnets] Alternative Botnet CCs - free chapter from Botnets:The Killer Web App

2007-07-26 Thread Craig Holmes
On Thursday 26 July 2007 01:09, Gadi Evron wrote:
> Got any comments on the third chapter?
I just finished reading it last night after I sent my last email:

I felt this chapter was the meatiest up to this point. I feel that your points 
are well made and that you cover a broad range of technologies. I don't have 
any factual problems with your writing (unlike the previous chapters, not 
written by you).

My only complaint is that I would have wished to have more technical details. 
For example: I am curious to know exactly how P2P decentralized networks 
work, specifically with the idea of public-key crypto for the farmer. 

On a personal note, I would have liked to see some more opinionated ideas from 
you on this chapter. What are the most dangerous CC types? Where are the 
trends going to go? Unlike the other authors, I trust your thoughts on these 
matters as I know of your experience.

But take my complaint(s) with a grain of salt. On this matter I am already 
knowledgeable, so I am looking to expand my knowledge and I have a critical 
eye when doing it.

Craig