Full Disclosure mailing list archives
Re: Oh Yeah, botnet communications
From: Valdis.Kletnieks () vt edu
Date: Sat, 21 Feb 2009 21:26:50 -0500
On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said:
> Or how about yesterday's close of the S&P 500 or Cisco stock? Or maybe yesterday's Lotto numbers. Maybe a hash of all the above. This would drive bot hunters nuts. Until they reverse engineer the new scheme. Since the scheme is in every bot it would just take some reverse engineering.
Thank you for noticing that detail. ;) And since *some* people need it spelled out for them in excruciating detail:

Currently, hashing the current time is "good enough", because it works just fine until the bot hunters capture a copy and reverse engineer it to find out *what* hash function you're using.

If you make a botnet that instead looks at the news articles at 12:01AM, or the S&P500, or anything like that, it's more complicated code, so it will take longer to reverse engineer. But once that happens, the bot hunters can *also* look at the 12:01AM news, and submit the "nuke a domain" request at 12:03AM, or look at the S&P500 at the close and submit the "nuke a domain" request, or whatever is needed.

In other words, the *only* thing all this code does is buy you an extra few days (tops) while the bot hunters reverse engineer your more complicated code. Once they do that, it's *no better at all* than something simple like hashing the time.

And unless you're *really* a superstar coder (rather than just somebody who *thinks* they are), there's a really good chance that the bot hunters (who have access to some *real* superstar RE guys) will actually be able to RE your code faster than you wrote it. Taking 3 days to write and test code that gets broken in 2 days is a losing proposition.

If you want to make it more difficult for the bot hunters, spend more time devising ways to make the code harder to reverse engineer - that will buy you benefits *across the board*, as not only the hash function gets harder to reverse engineer, but all the *rest* of the code (little details like how your C&C works, or what payloads/attacks you have onboard, etc.) also gets harder to do.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
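The defender's side of the argument above, as an added Python example that is not part of this post or the thread: once the seed-to-domain function has been reverse engineered, bot hunters compute the same domain list ahead of time and watch for it in DNS logs. The seed scheme (`domains_for_seed`), the `example-family` tag, the reserved `.example` TLD, the DNS log format and the log lines are all constructed for illustration; none of it is any real botnet's algorithm.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical, illustrative seed-to-domain scheme standing in for the
# "hash the current time" design discussed in the post. Constructed for
# this example only; not any real malware family's algorithm.
FAMILY_TAG = "example-family"   # constructed label, not a real family
DOMAINS_PER_SEED = 3
TLD = ".example"                # reserved TLD, never resolvable on the Internet


def domains_for_seed(seed: str) -> list[str]:
    """Derive candidate rendezvous domains from a publicly observable seed.

    The seed is whatever the bot reads. Here it is a date string, but the
    same function accepts a stock index close or a headline hash once the
    defender has observed that value as well.
    """
    out = []
    for i in range(DOMAINS_PER_SEED):
        digest = hashlib.sha256(f"{FAMILY_TAG}|{seed}|{i}".encode()).hexdigest()
        out.append(digest[:12] + TLD)
    return out


def precompute_time_seeded(start: date, days_ahead: int) -> dict[str, str]:
    """Defender's view: a time-seeded scheme can be computed days in advance.

    Returns domain -> ISO date so an analyst knows which day each name
    belongs to (and can file the takedown before the bots ever ask for it).
    """
    table = {}
    for n in range(days_ahead):
        day = start + timedelta(days=n)
        for d in domains_for_seed(day.isoformat()):
            table[d] = day.isoformat()
    return table


def match_dns_log(lines: list[str], expected: dict[str, str]) -> list[tuple[str, str, str]]:
    """Scan DNS query log lines for any precomputed domain.

    Log line format (constructed for this example):
        <timestamp> <client-ip> query <qname>
    Returns (client-ip, qname, seed-date) for each hit.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in expected:
            hits.append((parts[1], qname, expected[qname]))
    return hits


# Constructed starting day (the date of the post) and a one-week lookahead.
SAMPLE_START = date(2009, 2, 21)
EXPECTED = precompute_time_seeded(SAMPLE_START, 7)

# Constructed DNS log: one benign query and one query for the first domain
# belonging to the following day's seed.
_next_day_domain = domains_for_seed((SAMPLE_START + timedelta(days=1)).isoformat())[0]
SAMPLE_LOG = [
    "2009-02-22T00:05:11Z 10.0.0.7 query www.example.com.",
    f"2009-02-22T00:05:12Z 10.0.0.9 query {_next_day_domain}.",
]


def demo() -> list[tuple[str, str, str]]:
    """Run the precomputed table against the constructed log."""
    return match_dns_log(SAMPLE_LOG, EXPECTED)


if __name__ == "__main__":
    for ip, name, seed_day in demo():
        print(f"{ip} looked up {name} (seed day {seed_day})")
```

For the market-close variant the post describes, the only change is when the defender can call `domains_for_seed`: the seed is not known until the close, so the lookahead window shrinks to the minutes between the close and the bots' first lookup, but the matching and takedown logic is identical. That is exactly the post's point that the fancier seed buys only the reverse-engineering delay, nothing more.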