funsec mailing list archives
Re: The Criminal Underground: A Walk on the Dark Side
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Wed, 5 Sep 2007 20:32:56 -0400
I know a lot of people smarter than me have thought of these things, but I have been out of the game for a few years...

On 9/5/07, coderman <coderman () gmail com> wrote:
> On 9/5/07, Dude VanWinkle <dudevanwinkle () gmail com> wrote:
> > ... What ever happened to looking at the C&C for incoming connections and ngrepping out the IP's?
>
> the C&C for storm and other advanced botnets has moved into distributed hash tables

so most Comcast machines send hash fragments over the web? or is it just port 443 traffic to legitimate sites? I tried googling but found only theory. If anyone has a good link I would appreciate it. It seems impossible to me that they have no centralized communications, else how would commands be given? Does anyone have some pcap files to share?

> and dns fast flux reached via multiple hops (where each hop is monitored upstream as well, to know when to cut and run...)

You can use their size against them, you can't personally watch that many machines at once, or is the cut-and-run programmatic, because if so, I see a great solution ;-)

> this is actually the most interesting aspect of these modern botnets, the decentralized and anonymized control structures pulling the strings

I keep thinking that if the bot herder has a way to tell all machines to do something (DDoS, send spam, etc), we could take advantage of that and tell them to uninstall the malware.. after RCE'ing their code

> more details would be excellent, but seem sparse for some reason. (researchers don't want to encourage more adoption of effective countermeasures?)
>
> > Is there no programmatic way to use the detection methods in place to generate a list of currently controlled bots?
>
> it would require constantly scanning a large DHT ring (overnet) with a fair amount of node churn. perhaps someone is doing this (CAIDA?) but it would take a good amount of bandwidth, honeypots, and effort. and even if they are, they're not publishing the data, and even if they did, i bet you money they'd disappear under a DDoS flood within hours... :)
>
> best regards,

thanks for the info! I have a lot of terms to google!

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
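The "dns fast flux" point coderman raises above is the one part of this exchange a defender can act on from their own resolver logs: a name whose answer set keeps rotating through many addresses on many networks, advertised with short TTLs, looks very different from a normal CDN name. The script below is an added example written for this archive page, not code posted by anyone in the thread. It applies the usual heuristic (distinct addresses, distinct networks, shortest TTL, churn between lookups) to a constructed set of lookup records; the record format, the sample domain names and addresses (RFC 5737 ranges), the /16-prefix stand-in for "distinct networks", and every threshold are assumptions made for illustration.

```python
"""Heuristic fast-flux DNS triage over constructed resolver records.

Added example for the "dns fast flux" point in the thread; not code from the
list or its posters. Record format, domain names, addresses and thresholds are
all constructed assumptions for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: (queried name, TTL in seconds, A records returned),
# listed in the order the lookups were observed. All addresses are from the
# RFC 5737 documentation ranges; the domain names are made up.
SAMPLE_RECORDS = [
    ("cdn.example-static.test", 3600, ("203.0.113.10", "203.0.113.11")),
    ("cdn.example-static.test", 3600, ("203.0.113.10", "203.0.113.11")),
    ("flux.example-bad.test", 180, ("192.0.2.15", "198.51.100.77", "203.0.113.201")),
    ("flux.example-bad.test", 120, ("192.0.2.99", "198.51.100.12", "203.0.113.44")),
    ("flux.example-bad.test", 300, ("192.0.2.7", "198.51.100.130", "203.0.113.88")),
    ("flux.example-bad.test", 180, ("192.0.2.150", "198.51.100.2", "203.0.113.3")),
]


def _new_entry():
    return {"ips": set(), "prefixes": set(), "min_ttl": None,
            "lookups": 0, "new_ips_per_lookup": []}


def summarize_lookups(records):
    """Aggregate per-name features across successive lookups.

    Tracks the set of distinct addresses, the distinct /16 prefixes they fall
    in (a cheap stand-in for "how many different networks"; a real deployment
    would map addresses to ASNs instead), the shortest TTL seen, and how many
    previously unseen addresses each lookup introduced.
    """
    per_name = defaultdict(_new_entry)
    for name, ttl, ips in records:
        entry = per_name[name]
        unseen = [ip for ip in ips if ip not in entry["ips"]]
        entry["new_ips_per_lookup"].append(len(unseen))
        entry["ips"].update(ips)
        entry["prefixes"].update(
            str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips)
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
        entry["lookups"] += 1
    return dict(per_name)


def churn_ratio(entry):
    """Fraction of lookups after the first that returned at least one new address."""
    later = entry["new_ips_per_lookup"][1:]
    if not later:
        return 0.0
    return sum(1 for n in later if n > 0) / len(later)


def flag_fast_flux(records, min_ips=5, min_prefixes=3, max_ttl=600, min_churn=0.5):
    """Return the names whose lookup history matches a fast-flux profile.

    A name is flagged only when all signals line up: many distinct addresses,
    spread across several networks, advertised with short TTLs, and with the
    answer set still changing between lookups. The thresholds are assumptions;
    tune them against your own resolver traffic before alerting on them.
    """
    flagged = []
    for name, entry in summarize_lookups(records).items():
        if (len(entry["ips"]) >= min_ips
                and len(entry["prefixes"]) >= min_prefixes
                and entry["min_ttl"] <= max_ttl
                and churn_ratio(entry) >= min_churn):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, entry in summarize_lookups(SAMPLE_RECORDS).items():
        print(f"{name}: {len(entry['ips'])} IPs, {len(entry['prefixes'])} /16s, "
              f"min TTL {entry['min_ttl']}s, churn {churn_ratio(entry):.2f}")
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_RECORDS))
```

Requiring all four signals together is what keeps ordinary CDN names out of the flagged list: a CDN also answers with several addresses, but they sit in a handful of networks and the answer set is stable across repeated lookups. Feeding this the per-query records from a passive DNS collector or resolver query log, with prefixes replaced by ASN lookups, gives a first-pass candidate list for analyst review rather than an automatic block list.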
Current thread:
- The Criminal Underground: A Walk on the Dark Side Paul Ferguson (Sep 01)
- <Possible follow-ups>
- Re: The Criminal Underground: A Walk on the Dark Side Paul Ferguson (Sep 01)
- Re: The Criminal Underground: A Walk on the Dark Side Dude VanWinkle (Sep 04)
- Re: The Criminal Underground: A Walk on the Dark Side Valdis . Kletnieks (Sep 04)
- Re: The Criminal Underground: A Walk on the Dark Side Dude VanWinkle (Sep 05)
- Re: The Criminal Underground: A Walk on the Dark Side Valdis . Kletnieks (Sep 05)
- High Concept Comedy: Security is Economic! Bruce Ediger (Sep 05)
- Re: The Criminal Underground: A Walk on the Dark Side Dude VanWinkle (Sep 05)
- Re: The Criminal Underground: A Walk on the Dark Side Valdis . Kletnieks (Sep 05)
- Re: The Criminal Underground: A Walk on the Dark Side coderman (Sep 05)
- Re: The Criminal Underground: A Walk on the Dark Side Dude VanWinkle (Sep 05)
- Re: The Criminal Underground: A Walk on the Dark Side coderman (Sep 05)
- Re: The Criminal Underground: A Walk on the Dark Side Dude VanWinkle (Sep 06)
- Re: The Criminal Underground: A Walk on the Dark Side Valdis . Kletnieks (Sep 06)
- Re: The Criminal Underground: A Walk on the Dark Side Jim Murray (Sep 06)
- Re: The Criminal Underground: A Walk on the Dark Side Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 06)
- Re: The Criminal Underground: A Walk on the Dark Side Dude VanWinkle (Sep 04)