ha.ckers sla.cking
Whether this is about, or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Posted by: DaMacc
Date: August 03, 2009 09:11AM

I have been thinking about this for a long time. Decentralization!

(I'm talking about http here, and by server I mean a registered domain and host. Malware refers to keyloggers/botnets)

Malware always has a single point of failure, the server. For example keyloggers have to report to a server, which is hardcoded. Hosting company shuts down the server, keylogger is useless.
Solutions to this have been to include multiple servers, but that isn't very pretty. Problems with multiple servers are that if you don't have them registered yet, someone else can register them and 'steal' your work, or if you have registered them, they will be shut down too.

I have tried to come up with solutions to this, but nothing that really solves this well!

My solutions:

- use social networking sites
Make profiles on social networking sites (facebook, twitter, myspace,...) and post links to servers on there (eventually obfuscated in a post). I have tried this and it actually works pretty well.

problem: Social profiles have to be hardcoded in the malware, and they will get deleted. This doesn't fix anything really, except it is easier to register these.

- use a search engine to find servers
I have not actually tried this, but you could make your malware search on google for a specified string and make sure your servers show up. The server won't have to rank high, since the malware can test for example if there is a specific file on that server. You could even use some authentication with RSA encryption, so no one else can steal your work.

problem: Google can ban your search strings that will have to be hardcoded in the malware.

I was wondering, has anyone else thought about this?

Re: Decentralization
Posted by: Ivan
Date: August 04, 2009 02:52AM

Find a few (or more) free email providers and create logic in the app for creating accounts on them.

1. Send all data from random accounts to your email (again, it can be some free webmail).

2. Or you can create some smart logic that will create email accounts with a username/password that is generated from the time (and then encrypted, XORed or something), so you can log in to those accounts and read the data.

... It's the morning here, these are just a few morning ideas :)

Re: Decentralization
Posted by: kuza55
Date: August 04, 2009 05:46AM

An alternative to using a specific email (which can be banned) is to send to a mailing list or other un-moderated public forum, mailing lists are better since they are push, rather than pull. As long as you public-key encrypt, you can spam it via as many outlets as you want.

An alternative to hard-coded addresses would be to use a formula, like Conficker did, where Conficker went wrong IMO was to not register the domains ahead of time and to not often collide with real domains, so that all domains fitting the pattern could be reasonably banned at the registrar and dns level.

One approach could be to scatter update info around the web and have a collaborative spider, where every infection gets added to a p2p network and where parts to spider are handed off, and sites with update info will have cryptographically signed messages, so that their authenticity can be verified and misbehaving/malicious (or would that be well-meaning?) nodes would be ignored. Of course, proxies could scan for messages, etc, or become part of the network and wait until they get a URL, then ban that, but it's a bit more flexible...

Don't forget our IRC: irc://
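
For defenders, the formula-generated domains described in the post above leave a trace in resolver logs: a host working through a list of mostly unregistered names produces many NXDOMAIN answers for random-looking labels. The sketch below is an added example, not part of the thread; the log format, thresholds and sample lines are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<client_ip> <queried_name> <rcode>" (assumed format).
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.5 printer-old.example.com NXDOMAIN
10.0.0.7 www.example.com NOERROR
10.0.0.7 qzxvkjpwtr.example NXDOMAIN
10.0.0.7 mbhgydfluc.example NXDOMAIN
10.0.0.7 wnsjqoxzke.example NXDOMAIN
10.0.0.7 tpvarhidmy.example NXDOMAIN
10.0.0.7 ulcfgebzkx.example NXDOMAIN
"""

def label_entropy(name):
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = name.split(".")[0].lower()
    if not label:
        return 0.0
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label))
                for c in counts.values())

def suspect_hosts(log_text, min_nx=4, min_entropy=3.0, min_len=8):
    """Map each client to its failed lookups of random-looking names,
    keeping only clients with at least min_nx distinct such names."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, name, rcode = parts
        label = name.split(".")[0]
        # Only failed lookups count: the names the formula yields are
        # mostly unregistered, so the resolver answers NXDOMAIN.
        if (rcode == "NXDOMAIN" and len(label) >= min_len
                and label_entropy(name) >= min_entropy):
            hits[client].add(name.lower())
    # A single typo'd hostname also scores high on entropy; the per-client
    # count is what separates it from a host cycling through a list.
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_nx}

if __name__ == "__main__":
    for client, names in suspect_hosts(SAMPLE_LOG).items():
        print(client, len(names), "suspicious failed lookups")
```

Thresholds need tuning against a baseline of the network's own traffic; CDN and tracking hostnames also score high on entropy, which is why the rule keys on failed lookups per client rather than on entropy alone.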

Re: Decentralization
Date: October 30, 2009 07:25AM

How about a cloud approach?

Quad core CPU + VirtualBox + Ubuntu JEOS + IP Harvesters + solid list of private honey pot proxies + cUrl

Just make all your purchases via adwords with the honeypots and suddenly the honeypots are pots of gold! Cloud the blacklists and drop maybe a few hundred on office supplies, and use the blacklists to surf normally, or heck, buy off them too! Who cares about credit rating anyways. Just don't welsh on deals and you will be fine.

Then when the fools come to get your gold, you run with it and throw it off the cliff and watch them all tumble like the stupid buffalo they are. Blame them and you get out of prison for free!

Don't get me wrong. I am a big fan of decentralization. I feel the more spread out the society, the stronger it is. People won't be able to drop bombs on another if there are no targets. That's too bad, because I personally like the bombs.

The trick is how do we decentralize hard goods needed to be shipped, like a two ton piece of steel which needs to be forged in Michigan today while painted and boxed in California within a month to ship back to China.

The only feasible idea I can think of is an "always on" shipping network, like a pipeline. Encapsulate heavy goods, submerge them in some magical incompressible fluid, provide constant power and god damn it be on time!

Re: Decentralization
Posted by: diehard
Date: January 14, 2010 02:01PM

Get antiabuse hosting in Pakistan/Malaysia/China/so on :)

Re: Decentralization
Posted by: hyrax
Date: August 14, 2010 03:39PM

You can use a site like Twitter or any other social network, and post your bot commands with a custom encryption tag that bots would be able to find and recognize. For example, you add day/month/year (encrypted) to your command and you post it on Twitter, then the bots can encrypt day/month/year and see if there's something that contains that on Twitter, and if they find something they decrypt the command and execute it.

I think there's a POC of this made in python but I can't remember the name or url.

Re: Decentralization
Posted by: Skyphire
Date: August 14, 2010 06:11PM


Posted by: lukethedrifter (IP Logged)
Date: October 30, 2009 07:25AM

Quad core CPU + VirtualBox + Ubuntu JEOS + IP Harvesters + solid list of private honey pot proxies + cUrl

I like pot proxies. Hmmm. Nice...
