On Tue, May 4, 2010 at 3:18 PM, Adrian Crenshaw <[email protected]> wrote: > Hi all, > I'm working on a class final paper, and would like your feed back on the > ideas I have. Attached is a paper in PDF format (no embedded exploits, trust > me) on Steganographic Command and Control for Botnets and Darknets. Please > let me have your comments.
Cool idea. Have you considered the possibility of setting a bot up as a transparent proxy for web traffic on the user's system, and on-the-fly rewriting the user's actual content in order to hide the data (and processing the data the user views for incoming hidden data). This way, you would be using the user's actual facebook posts, twitpics, etc. as your carrier. Bots/nodes would "discover" each other through processing the traffic the user normally browses on social networking sites, and relay instructions back out by modifying the user's posts. Latency would be higher and less predictable than if you were to generate content yourself, but it would be much more stealthy. Your bot could hang out for a while and generate metrics such as: how many friends the user of the infected system has, how active are they, and how often they post things that can hide lots of data (images, for example). Infected systems with favorable metrics could form backbones for communications between other less-active systems. It wouldn't have the instant gratification of connecting to an IRC C&C and having your horde respond immediately, but I think that there are a lot of applications of botnets where this would be acceptable. -- Wesley McGrew http://mcgrewsecurity.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
