Despite that at the beginning of 2006, I pointed out on how malware related documentation and howtos turned into open source code resulting in a flood of malware variants, thus lowering the entry barries for a novice malware copycats, a week ago I located a very throughout document on various botnet communication platforms and I'm sure its author wouldn't mind me reposting the fancy graphs and commenting on them.
IRC based Botnet CommunicationsNothing ground breaking in this one besides the various advices on stripping the IRCd, creating own network of IRC servers compared to using public ones, and on the importance of distributed secrecy of the botnet participants' IPs, namely each bot would never know the exact number or location of all servers and bots.
HTTP Botnet Communications
The possiblities with PHP and MySQL in respect to flexibility of the statistics, layered encryption and tunneling, and most importantly, decentralizing the command even improving authentication with port knocking are countless. Besides, with all the buzz of botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating in between HTTP's noise improves their chance of remaining undetected. Rather ironic, the author warns of possible SQL injection vulnerabilities in the botnet's command panel.
ICQ Botnet CommunicationsPerhaps among the main reasons to repost these graphs was the ICQ communication platform which I'll leave up to you to figure out. As a major weakness is listed the reliance on icq.com, but as we've already seen cases of botnets obtaining their commands by visiting an IRC channel and processing its topic, in this case it's ICQ WhiteLists getting the attention.
Related comments on the programming "know-how" discussed will follow. Know your Enemy!
No comments:
Post a Comment