
Clock ticking on worm attack code - habs
http://news.bbc.co.uk/1/hi/technology/7832652.stm
======
lincolnq
I am especially interested in the domain-generation part. I've wondered how it
would be convenient for an infection to phone home to its owner (call her
Mallory). There are several interesting requirements for such a communications
channel -- it must not have a single point of failure; it must be extremely
difficult to trace to Mallory after the fact, even for a powerful (e.g.,
governmental) entity; and it must not allow convenient hijacking of the channel
by an external party.

According to the article and related articles, this worm generates domain
names based on the current date. Probably many of these domains are owned by
innocent parties, and many are unowned. At some point, one of the domains will
serve Mallory's payload. The question is whether it will be a new domain that
she registered, or an existing, innocent-looking domain she has hacked (or
otherwise convinced to serve the content she wants -- perhaps
steganographically via a blog comment or something?) If she registers a single
domain, it seems likely she will be able to be tracked down by following a
money trail. So my guess is that she's found some sites that have been
"convinced" to serve her magic content, and tweaked the constants for the
domain-generating algorithm so that the worm will land on these sites on a day
of her choice in the future.

Of course, the magic content isn't up yet. The sites she's found to host it
won't serve it until the correct day, otherwise white-hats would be able to
play their computer clock forward and figure out what domains served the
content on which day.

And she can bundle her public key with the worm so that she can verify her own
payload as opposed to some hijacker's. (That part's easy.)

This is cool. The tough part is finding people willing to serve your magic
content on the right day. But I bet that's not too hard in practice. I always
wondered how people would control a botnet -- some old bots used to use IRC,
but that has a single point of failure (the IRC network).
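An added example (not from the thread or the article) of the "play the clock forward" idea above: a constructed, hypothetical date-seeded domain generator, not the worm's real algorithm, plus the forward-computation a defender uses to turn it into a blocklist or sinkhole list. The seed, TLD set and five-per-day count are assumptions for illustration only.

```python
import hashlib
from datetime import date, timedelta

# Constructed, hypothetical generator: NOT the worm's actual algorithm.
# It only mirrors the mechanism described in the comment (domains derived
# from the current date) so a defender can pre-compute the candidate set.
TLDS = ("com", "net", "org")        # assumed, illustrative
DOMAINS_PER_DAY = 5                 # assumed, illustrative
SEED = b"constructed-example-seed"  # assumed, illustrative
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def domains_for_day(day: date) -> list[str]:
    """Return the candidate rendezvous domains for one calendar day."""
    out = []
    for i in range(DOMAINS_PER_DAY):
        material = SEED + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        # Map the first 8 digest bytes to an 8-letter label, byte 9 picks a TLD.
        label = "".join(ALPHABET[b % 26] for b in digest[:8])
        out.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return out


def forward_blocklist(start: date, days: int) -> dict[str, date]:
    """Map every domain the generator will emit in [start, start+days) to the
    day it becomes active. This is the white-hat step from the comment: run
    the clock forward, then pre-register or sinkhole the domains before the
    operator can use them."""
    table: dict[str, date] = {}
    for offset in range(days):
        d = start + timedelta(days=offset)
        for dom in domains_for_day(d):
            table.setdefault(dom, d)
    return table


def is_generated(domain: str, start: date, days: int) -> bool:
    """Detection check: does a queried name fall in the forward-computed set?
    Suitable for matching against DNS query logs at a resolver."""
    return domain.lower().rstrip(".") in forward_blocklist(start, days)
```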

~~~
lpgauth
Buying a domain anonymously is not really that hard if you're in that
business. Use a stolen credit card + proxy chain + free wifi access point and
you should be pretty much untraceable. Then you just add multiple DNS to a
bunch of compromised servers and serve the payload.

------
pavel_lishin
Eh, I already saw this in the season finale of Reboot. I'm pretty sure we need
to find Hexadecimal.

