Re: [botnets] Alternative Botnet C&Cs - free chapter from Botnets:The Killer Web App

2007-07-26 Thread Thomas Raef
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
An official review of the third chapter follows. My first comment was a little 
too generic - "Nice work!"
 
Upon further review, here are my comments about the third chapter of this book.
 
The third chapter starts by giving some good overview and details about the main 
form of C&C - IRC. The author describes why IRC was originally selected, what 
purpose it served and its pros and cons. The information then moves to the 
history of C&C, what the botherders need, what they have available and the 
constant "one-upmanship" of botherders and bothunters.
 
As I read this chapter certain thoughts started in the back of my mind. After 
the first two sections, I started thinking about why aren't the botherders 
using DNS? Well, the next section in this chapter moves directly to that very 
topic.
 
After prepping the reader with this necessary background data, you are then 
presented with the meat of the chapter - Alternative Control Channels. 
 
Two different web-based C&C servers are discussed and as before, the reader is 
given both the pros and cons of each and at times, which bots used which 
technology.
 
Each technology is discussed without getting too detailed and while staying on 
the topic - which was very comforting.
 
Overall, I learned a lot about alternative C&C technology - what's possible and 
what we have to look forward to.
 
Certain web references were used and I found them to provide the detailed 
information that I thought was missing from the book. The web references worked 
(not outdated dead web links) and were to sites I feel confident with.
 
I found the entire book worth putting on my shelf. I don't crunch the numbers 
to determine if they all add up. I read to add to my knowledge base and this 
book fulfilled my need.



From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Thu 7/26/2007 12:09 AM
To: Craig Holmes
Cc: botnets@whitestar.linuxbox.org
Subject: Re: [botnets] Alternative Botnet C&Cs - free chapter from Botnets:The 
Killer Web App



On Thu, 26 Jul 2007, Craig Holmes wrote:
> As promised, I bought the book and finally received it (thanks for the slow
> turnaround Amazon).
>
> I have begun reading it, and although I am only starting the third chapter I
> am wholly unimpressed.
>
> Before I discuss the text of the book, I am curious to know. Is it a print
> problem or do many of the graphics in the book look overly blurry or
> excessively jagged? Some of the pictures look like they were compressed to a
> monochrome bitmap of about 2k in size (see page 47).
>
> My experience with botnets seems to differ in many ways from the text in the
> book:
>
> The book begins by describing what SDBot, Agobot, GTBot, etc do. They include
> lists of ports and vulnerabilities that the given bot exploits, actions it
> may perform etc. The book doesn't make the point strong enough that a lot of
> code (especially SDBot code) started off as simply a public offering and
> evolved through many different trees by people with no organization. These
> trees criss-crossed without any knowledge of many of the contributors. In
> fact, as I recall SDBot (at least a couple of versions from sd) was released
> to the public without a single attack vector. It is my belief that this
> version is responsible for the most variants due to its availability.
>
> The book seems to be making a point that bots are being used by organized
> crime. I think this point has been pushed on many fronts of this issue by many
> people, however I remain doubtful. My experience with farmers (or bot
> herders as the book calls them) is that they're packet kiddies out to DoS
> their moronic buddies or enemies. The botnet was just a natural evolution
> from Trinoo/TFN/Trinity/Kaiten or if they're even lamer than Backorifice,
> etc. Though I do certainly accept that some lone individuals use botnets for
> monetary gain (avert scams), I wouldn't classify it as organized. Look at the
> numbers given in the book:
> -4.5 Million active botnet computers
> -A small botnet is 10,000 computers
> That means that there are about 500 botnets active. The book states only a
> handful of cases that involved organized crime, possibly 5 cases. That means
> that they've identified at least 0.01% of the 500 botnets are being run by
> the big evil organized crime people. Not to say that proves them wrong, but
> it isn't enough evidence for me. I believe they are sensationalizing this
> fact quite a bit.
>
> The book paints a pretty diagram showing how people with their cam corders run
> from the movie theatre directly to their dorm and upload their bootlegs to
> topsites which are actually botnets. This is a silly notion. A great deal of
> movies that are available on the internet today (and much software) are
>

Re: [botnets] Tor C&C? (Was: Re: Alternative Botnet C&Cs - free chapter from Botnets:The Killer Web App)

2007-07-26 Thread J. Oquendo
Marco Gruss wrote:

> While we're on the subject of alternative C&Cs, a thought just
> crossed my mind: Suppose a bot herder started packaging Tor with
> his malware in order to host the C&C on a .onion web site/irc
> server. Any idea what could be done to mitigate those?!
>
> As long as the secret key to the onion ID isn't lost, any tor
> node could be turned into the C&C without the "danger" of losing
> its name like a DNS name.
>
> Marco
> ___
> All list and server information are public and available to law enforcement 
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


Regardless if something is running on Tor you could filter
that part on a port level with your routers, firewalls, etc.
A scarier/deadlier combo would be covert channeling (TCP via
ICMP) with some type of false DNS server information running.
(http://www.phrack.org/issues.html?issue=51&id=6#article)

E.g.:

InfectedHost --> (TCP||UDP(tunneled in ICMP)) --> ControllingServer

Where the InfectedHost and ControllingServer had mechanisms
to keep ICMP packets under the radar. E.g. 2: ControllingServer
receives, say, 1000 ICMP messages, recompiles the TCP||UDP info,
buffers it and dishes it out on a "go as needed" basis. Would
be difficult to contain and discern from legitimate traffic
if done correctly.

While I don't really tinker with understanding botnets, I'd
like to think/pretend ;) I know enough about networking. I
can think of a lot worse mechanisms to go undetected, but
I'd rather not. Gadi, others who I've had the pleasure to
correspond to via lists and emails can freely email me on
a multicast threat theory lurking in the shadows... Certain
things I choose not to bring to public light anymore lest
I become a bigger pariah.

DNS server spoofing though, is a lot easier to mitigate
against and contain from a netops perspective... "Wait a
minute... I have a /22 and I know damn well I only have
4 DNS servers... Therefore everyone else gets blocked."



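The two netops checks in the message above lend themselves to a concrete detection pass. The following is an added example, not code from the thread or from any list member: it reads constructed flow-summary lines (source, destination, protocol, destination port, packets, bytes) and applies (a) the "/22 with exactly four DNS servers, everyone else gets blocked" rule and (b) a volume-and-size heuristic for ICMP covert channels, flagging peer pairs that move far more ICMP, or far larger ICMP packets, than a ping ever would. The network 198.51.100.0/22, the four resolver addresses and every flow line are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed site facts (assumptions for this example): the managed /22 and the
# four resolvers netops actually operates. Anything else speaking port 53 in
# that /22 is either misconfigured or hostile.
MANAGED_NET = ipaddress.ip_network("198.51.100.0/22")
AUTHORIZED_DNS = {
    ipaddress.ip_address(a)
    for a in ("198.51.100.10", "198.51.100.11", "198.51.101.10", "198.51.101.11")
}

# Constructed flow summary lines (not real traffic), one flow per line:
# src_ip dst_ip proto dst_port packets bytes
SAMPLE_FLOWS = """\
198.51.100.50 198.51.100.10 udp 53 12 1104
198.51.100.51 203.0.113.7 udp 53 40 3600
203.0.113.9 198.51.102.200 udp 53 300 24000
198.51.100.52 203.0.113.20 tcp 443 120 98000
198.51.100.53 203.0.113.30 icmp 0 8 672
198.51.100.54 203.0.113.40 icmp 0 1000 1380000
198.51.100.55 203.0.113.41 icmp 0 30 36000
"""


def parse_flows(text):
    """Turn the whitespace-separated summary lines into typed records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, packets, nbytes = line.split()
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "packets": int(packets),
            "bytes": int(nbytes),
        })
    return flows


def dns_policy_violations(flows):
    """Return (src, dst, reason) for port-53 flows that touch the managed /22
    but do not involve one of the resolvers it is known to operate."""
    hits = []
    for f in flows:
        if f["proto"] not in ("udp", "tcp") or f["dport"] != 53:
            continue
        if f["src"] in MANAGED_NET and f["dst"] not in AUTHORIZED_DNS:
            hits.append((str(f["src"]), str(f["dst"]),
                         "internal host resolving via an unauthorised server"))
        elif f["dst"] in MANAGED_NET and f["dst"] not in AUTHORIZED_DNS:
            hits.append((str(f["src"]), str(f["dst"]),
                         "DNS answered from an address that is not one of our resolvers"))
    return hits


def icmp_tunnel_suspects(flows, max_packets=500, max_avg_bytes=128):
    """Aggregate ICMP per (src, dst) pair and flag pairs whose volume or
    average packet size looks nothing like diagnostic pings: a stock echo
    request is well under 128 bytes on the wire, and a thousand ICMP packets
    to one peer inside a single flow window is a data channel, not a ping."""
    agg = defaultdict(lambda: [0, 0])  # (src, dst) -> [packets, bytes]
    for f in flows:
        if f["proto"] == "icmp":
            key = (str(f["src"]), str(f["dst"]))
            agg[key][0] += f["packets"]
            agg[key][1] += f["bytes"]
    suspects = []
    for (src, dst), (packets, nbytes) in agg.items():
        avg = nbytes / packets
        reasons = []
        if packets > max_packets:
            reasons.append(f"{packets} ICMP packets")
        if avg > max_avg_bytes:
            reasons.append(f"avg {avg:.0f} bytes/packet")
        if reasons:
            suspects.append((src, dst, ", ".join(reasons)))
    return suspects


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in dns_policy_violations(flows):
        print("DNS :", *hit)
    for hit in icmp_tunnel_suspects(flows):
        print("ICMP:", *hit)
```

Both checks work on flow summaries rather than packet captures, so they run against whatever NetFlow or sFlow export the routers already produce. The DNS rule is deliberately binary, as in the quoted "everyone else gets blocked": the list of four resolvers is the whole policy. The ICMP thresholds are starting points; a real deployment would baseline normal ping volume per subnet first, since monitoring probes can legitimately send many small echo requests, which is why the check looks at average size as well as count.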


[botnets] Tor C&C? (Was: Re: Alternative Botnet C&Cs - free chapter from Botnets:The Killer Web App)

2007-07-26 Thread Marco Gruss
While we're on the subject of alternative C&Cs, a thought just
crossed my mind: Suppose a bot herder started packaging Tor with
his malware in order to host the C&C on a .onion web site/irc
server. Any idea what could be done to mitigate those?!

As long as the secret key to the onion ID isn't lost, any tor
node could be turned into the C&C without the "danger" of losing
its name like a DNS name.

Marco


Re: [botnets] Alternative Botnet C&Cs - free chapter from Botnets:The Killer Web App

2007-07-26 Thread Craig Holmes
On Thursday 26 July 2007 01:09, Gadi Evron wrote:
> Got any comments on the third chapter?
I just finished reading it last night after I sent my last email:

I felt this chapter was the meatiest up to this point. I feel that your points 
are well made and that you cover a broad range of technologies. I don't have 
any factual problems with your writing (unlike the previous chapters, not 
written by you).

My only complaint is that I would have wished to have more technical details. 
For example: I am curious to know exactly how P2P decentralized networks 
work, specifically with the idea of public-key crypto for the farmer. 

On a personal note, I would have liked to see some more opinionated ideas from 
you on this chapter. What are the most dangerous C&C types? Where are the 
trends going to go? Unlike the other authors, I trust your thoughts on these 
matters as I know of your experience.

But take my complaint(s) with a grain of salt. On this matter I am already 
knowledgeable, so I am looking to expand my knowledge and I have a critical 
eye when doing it.

Craig