[143277] in cryptography@c2.net mail archive


Re: Proof of Work -> atmospheric carbon

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Jan 31 14:32:35 2009

Date: Sat, 31 Jan 2009 14:11:42 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Thomas Coppi <thisnukes4u@gmail.com>
Cc: John Levine <johnl@iecc.com>, cryptography@metzdowd.com, hal@finney.org
In-Reply-To: <5e04a4c60901301040m689b9f62y9dad80f162ad296c@mail.gmail.com>

On Fri, 30 Jan 2009 11:40:12 -0700
Thomas Coppi <thisnukes4u@gmail.com> wrote:

> On Wed, Jan 28, 2009 at 2:19 PM, John Levine <johnl@iecc.com> wrote:
> > Indeed.  And don't forget that through the magic of botnets, the bad
> > guys have vastly more compute power available than the good guys.
> 
>  Just out of curiosity, does anyone happen to know of any documented
> examples of a botnet being used for something more interesting than
> just sending spam or DDoS?

I asked Rob Thomas of Team Cymru this question (he and they study the
underground).  Here is his answer, posted with permission:

====
Botnets are routinely used as:

1. Proxies (IRC, HTTP & HTTPS)

2. To recover financial credentials, e.g. paypal, citibank, et al.
   This was the original purpose of the PSNIFF code in some of the early
   bots.

Here's a code snippet from the now venerable
rBot_rxbot_041504-dcom-priv-OPTIX_MASTERPASSWORD dating back several
years:

[ ... ]

// Scaled down distributed network raw packet sniffer (ala Carnivore)
//
// When activated, watches for botnet login strings, and
// reports them when found.
//
// The bots NIC must be configured for promiscuous mode (recieve
// all). Chances are this already done, if not, you can enable it
// by passing the SIO_RCVALL* DWORD option with a value of 1, to
// disable promiscuous mode pass with value 0.
//
// This won't work on Win9x bots since SIO_RCVALL needs raw
// socket support which only WinNT+ has.

[ ... ]

PSWORDS pswords[]={
        {":.login",BOTP},
        {":,login",BOTP},
        {":!login",BOTP},
[ ... ]
        {"paypal",HTTPP},
        {"PAYPAL",HTTPP},
        {"paypal.com",HTTPP},
        {"PAYPAL.COM",HTTPP},
        {"Set-Cookie:",HTTPP},
        {NULL,0}
};

[ ... ]


3. Remember they're called "boats" now, so anything is possible.  Screen
captures are becoming increasingly popular.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
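The PSNIFF table quoted above, reused as detection logic (an added example, not code from the thread or from the bot): it scans packet payloads for the same fixed strings and groups flows by the category they trigger, which shows both which hosts are receiving IRC-bot login commands and which cleartext traffic a sniffer of this kind could harvest. The packets, hosts and addresses are constructed for illustration.

```python
# Added example, not code from the thread: the bot's PSNIFF table is a list
# of fixed strings matched against sniffed payloads. The same strings work
# in the other direction as IDS-style signatures. All traffic below is
# constructed (RFC 5737 documentation addresses, invented payloads).

BOTP = "bot-login"          # IRC bot command prefixes the sniffer hunted for
HTTPP = "http-credential"   # cleartext web traffic it treated as credential-bearing

# Signature strings copied from the snippet quoted in the thread.
SIGNATURES = [
    (b":.login", BOTP), (b":,login", BOTP), (b":!login", BOTP),
    (b"paypal", HTTPP), (b"PAYPAL", HTTPP),
    (b"paypal.com", HTTPP), (b"PAYPAL.COM", HTTPP),
    (b"Set-Cookie:", HTTPP),
]

def scan_payload(payload: bytes) -> set:
    """Return the set of signature categories found in one packet payload."""
    return {cat for sig, cat in SIGNATURES if sig in payload}

def flag_flows(packets):
    """Group (src, dst) flows by the categories their payloads trigger.

    A BOTP hit means an IRC-style bot login command crossed the wire; the
    destination is the host being commanded.  An HTTPP hit is exactly the
    kind of payload a PSNIFF-style sniffer on a promiscuous host would have
    harvested, i.e. credential-bearing data sent in cleartext."""
    flagged = {BOTP: set(), HTTPP: set()}
    for src, dst, payload in packets:
        for cat in scan_payload(payload):
            flagged[cat].add((src, dst))
    return flagged

# Constructed sample traffic: one bot command, one harmless request, one
# cleartext PayPal login, one Set-Cookie reply, and one TLS ClientHello
# whose encrypted payload carries nothing for a string matcher to find.
SAMPLE_PACKETS = [
    ("198.51.100.7", "10.0.0.5", b":herder!u@c2 PRIVMSG #chan :.login pass1\r\n"),
    ("10.0.0.9", "203.0.113.20", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.12", "203.0.113.44",
     b"POST /cgi-bin/webscr HTTP/1.0\r\nHost: www.paypal.com\r\n\r\nlogin_email=a"),
    ("203.0.113.20", "10.0.0.9", b"HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123\r\n\r\n"),
    ("10.0.0.9", "203.0.113.20", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for cat, flows in flag_flows(SAMPLE_PACKETS).items():
        print(cat, sorted(flows))
```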
