To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

True, but then you really get near to the point where you only talk about ports and not about underlying protocols / principles anymore. Actually it makes no difference to me, whether the payload on the wire is `NICK foobot' or `GET /cmd.php HTTP/1.0'. In my opinion, what counts is the idea behind. And then you're near to IRC like with what you described.

Georg 'oxff' Wicherski

Ken Dunham wrote:
>>I am coming late into this one, but what about HTTP/S for C&C ?
>>
>>>You cannot push commands, but they are polled.
>
> True, in part Georg. But what if you manage multiple domains with multiple
> variants? It's easier to maintain survivability for a week+ on each one.
> Then, you can have them auto-update every time via a BHO and FTP. Thus,
> it's rather rapid and effective for push data via the BHO angle with this
> server side solution. In fact, it's not that far off from what you'd see if
> you had an IRC standard setup for bots, but over port 80 and no central
> point of interference from anti-guys. That's what we see now with
> Metafisher type bots that are moving to the http/s direction.
>
> Cheers,
> Ken Dunham
> Director of the Rapid Response Team
>
> _______________________________________________

All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
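
The polling behaviour discussed in this thread, seen from the detection side, as an added example that is not part of the original messages: it flags client/URL pairs in proxy logs that are requested at near-constant intervals, whatever the port or payload. The log format, hostnames, addresses and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: "<epoch seconds> <client ip> <method> <url>"
SAMPLE_LOG = """\
1000 10.0.0.5 GET http://updates.example.test/cmd.php
1013 10.0.0.7 GET http://news.example.test/index.html
1300 10.0.0.5 GET http://updates.example.test/cmd.php
1342 10.0.0.7 GET http://news.example.test/sports.html
1601 10.0.0.5 GET http://updates.example.test/cmd.php
1655 10.0.0.7 GET http://news.example.test/index.html
1899 10.0.0.5 GET http://updates.example.test/cmd.php
2200 10.0.0.5 GET http://updates.example.test/cmd.php
2950 10.0.0.7 GET http://news.example.test/index.html
"""

def parse(log_text):
    """Yield (timestamp, client, url) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]

def find_pollers(log_text, min_requests=4, max_jitter=0.1):
    """Return {(client, url): mean_interval_seconds} for pairs whose
    inter-request gaps are nearly constant. Jitter is measured as the
    coefficient of variation (stddev / mean) of the gaps."""
    seen = defaultdict(list)
    for ts, client, url in parse(log_text):
        seen[(client, url)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits

if __name__ == "__main__":
    for (client, url), interval in find_pollers(SAMPLE_LOG).items():
        print(f"{client} polls {url} every ~{interval}s")
```

Clients that add random delay between polls will need a looser `max_jitter`, at the cost of more false positives from ordinary auto-refreshing pages.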
