Full Disclosure mailing list archives

Re: Oh Yeah, botnet communications


From: T Biehn <tbiehn () gmail com>
Date: Sun, 22 Feb 2009 23:01:38 -0500

I was going to toss it out there in my first post that they could just
expose an interface or load in a script to autonuke once deriving the
algorithm.
The point really wasn't this trick (which was about eliminating LEAD-TIME); it
was more so to prompt a discussion around various trivial tricks to write a
more 'reliable botnet'.
Such as the idea brought up to use alternative feeds rather than news, and
then the input of using the result to pick a range of IPs (lead time enables
whitehats to secure boxes that would be hit FIRST) as control points; the
C&C ports would also be randomly chosen from this as well.
Combined with encryption you can't really write a signature, unless (and
Valdis will point this out in between bouts of twirling his moustache) of
course you have a script that alerts on any traffic on the given port.

-Travis

On Sat, Feb 21, 2009 at 9:26 PM, <Valdis.Kletnieks () vt edu> wrote:

On Fri, 20 Feb 2009 10:48:17 PST, "Gary E. Miller" said:

Or how about yesterday's close of the S&P 500 or Cisco stock?  Or
maybe yesterday's Lotto numbers.  Maybe a hash of all the above.

This would drive bot hunters nuts.  Until they reverse engineer the
new scheme.  Since the scheme is in every bot it would just take
some reverse engineering.

Thank you for noticing that detail. ;)

And since *some* people need it spelled out for them in excruciating
detail:

Currently, hashing the current time is "good enough", because it works just
fine until the bot hunters capture a copy and reverse engineer it to find
out *what* hash function you're using.

If you make a botnet that instead looks at the news articles at 12:01AM,
or the S&P500, or anything like that, it's more complicated code, so it will
take longer to reverse engineer.  But once that happens, the bot hunters
can *also* look at the 12:01AM news, and submit the "nuke a domain" request
at 12:03AM, or look at the S&P500 at the close and submit the nuke a domain
request, or whatever is needed.

In other words, the *only* thing all this code does is buy you an extra few
days (tops) while the bot hunters reverse engineer your more complicated
code.
Once they do that, it's *no better at all* than something simple like hashing
the time.  And unless you're *really* a superstar coder (rather than just
somebody who *thinks* they are), there's a really good chance that the bot
hunters (who have access to some *real* superstar RE guys) will actually
be able to RE your code faster than you wrote it.  Taking 3 days to write
and test code that gets broken in 2 days is a losing proposition.

You want to make it more difficult for the bot hunters, spend more time
devising ways to make the code harder to reverse engineer - that will buy
you benefits *across the board*, as not only the hash function gets harder
to reverse engineer, but all the *rest* of the code (little details like
how your C&C works, or what payloads/attacks you have onboard, etc) also
gets harder to do.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
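Added example, not part of the thread and not anyone's real bot code: it illustrates Valdis's point that a rendezvous scheme seeded from public data (news, an index close) is fully reproducible by defenders once the algorithm is reverse engineered, and Travis's remark that a script can simply alert on traffic to the derived port. The "algorithm" below (SHA-256 over a seed, the date and a counter), the seed bytes, the log format and the log lines are all constructed stand-ins; a real case would substitute the scheme recovered from the sample.

```python
import datetime as dt
import hashlib
import re

# Constructed placeholders: SEED stands in for whatever public input the
# reversed scheme consumes (a headline, an index close, lotto numbers).
SEED = b"S&P500 close 2009-02-20: 770.05"
DAY = dt.date(2009, 2, 21)


def rendezvous_points(seed: bytes, day: dt.date, count: int = 8):
    """Hypothetical reversed scheme: hash(seed || date || i) -> domains, C&C port.

    Whoever holds the same public seed and the algorithm gets the same answer,
    so a defender can compute today's list minutes after the bots do and
    register, sinkhole or block it before the bots connect.
    """
    tlds = ("com", "net", "org")
    day_bytes = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_bytes + bytes([i])).digest()
        # 10 lowercase letters derived from the first 10 digest bytes
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append(f"{label}.{tlds[digest[10] % len(tlds)]}")
    port_digest = hashlib.sha256(b"port|" + seed + day_bytes).digest()
    port = 1024 + int.from_bytes(port_digest[:2], "big") % (65536 - 1024)
    return domains, port


# Constructed flow-record format: "<ts> <src> -> <dst>:<port> sni=<name or empty>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) sni=(?P<sni>\S*)$"
)


def flag_connections(log_lines, domains, port):
    """Return records that hit today's derived port or any derived domain.

    Encryption hides the payload, but the rendezvous port and names are
    known in advance, which is all an alert needs.
    """
    wanted = set(domains)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if int(m["port"]) == port or m["sni"] in wanted:
            hits.append(line)
    return hits


def build_sample_log(domains, port):
    """Constructed records: two benign, one on the derived port, one to a derived name."""
    return [
        "2009-02-21T00:05:10Z 10.0.0.5 -> 198.51.100.20:443 sni=www.example.com",
        f"2009-02-21T00:05:12Z 10.0.0.5 -> 203.0.113.7:{port} sni=",
        f"2009-02-21T00:05:14Z 10.0.0.9 -> 203.0.113.8:443 sni={domains[3]}",
        "2009-02-21T00:05:15Z 10.0.0.9 -> 198.51.100.21:80 sni=",
    ]


if __name__ == "__main__":
    domains, port = rendezvous_points(SEED, DAY)
    print("derived port:", port)
    for d in domains:
        print("derived domain:", d)
    for hit in flag_connections(build_sample_log(domains, port), domains, port):
        print("ALERT:", hit)
```

Running it once per day with the real seed is the whole defensive workflow: the derived list goes to the registrar or sinkhole operator, and the derived port and names become a one-day alert rule. Changing the input feed changes nothing about this; only the time to reverse engineer the scheme does, which is the thread's conclusion.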
