
Back in January/February 2008, researchers managed to take over the Torpig botnet; they now have some updates.
Torpig uses the domain flux technique not only to increase the reliability of its C&C communication, but also to generate the names of the drive-by-download servers it uses to spread.
Here is an example of what it does:
- Downloads http://search.twitter.com/trends/weekly.json?callback=c&exclude=hashtags. The file contains the Twitter search trends for the past week:
c({"as_of":1254480620,"trends":{"2009-09-25":[{"name":"Glee","query":"Glee"},{"name":"ODST","query":"ODST"},{"name":"Modern Family","query":"\"Modern Family\""}........
- Extracts the second character of the first data item, which is "l" in our example.
- Uses the letter "l" to calculate a magic number, which in turn is used to generate the domain name.
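To make the seed-derivation step concrete, here is an added example (not code from the original post, and not Torpig's code) that unwraps the JSONP response and returns the second character of the first trend name. The payload is a constructed stand-in built from the truncated excerpt above; "first data item" is assumed to mean the first entry of the first date bucket in document order; the magic-number calculation is not described on the page and is not reproduced here.

```python
import json
import re

# Constructed sample of the JSONP document the post describes (a shortened
# stand-in for the weekly Twitter trends feed, not a captured response).
SAMPLE_JSONP = (
    'c({"as_of":1254480620,"trends":{"2009-09-25":['
    '{"name":"Glee","query":"Glee"},'
    '{"name":"ODST","query":"ODST"},'
    '{"name":"Modern Family","query":"\\"Modern Family\\""}]}})'
)


def unwrap_jsonp(payload: str) -> dict:
    """Strip the JSONP wrapper (callback=c in the request URL) and parse the JSON body."""
    m = re.fullmatch(r"\s*[A-Za-z_$][\w$]*\((.*)\)\s*;?\s*", payload, re.DOTALL)
    if not m:
        raise ValueError("payload is not a JSONP callback invocation")
    return json.loads(m.group(1))


def first_trend_name(doc: dict) -> str:
    """Name of the first trend in the first date bucket.

    'First' is taken as document order (json.loads keeps key order), which is
    an assumption: the post does not say how the bot orders the date buckets.
    """
    buckets = doc.get("trends") or {}
    if not buckets:
        raise ValueError("no trend buckets in document")
    first_day = next(iter(buckets))
    items = buckets[first_day]
    if not items:
        raise ValueError(f"no trend items for {first_day}")
    return items[0]["name"]


def seed_char(payload: str) -> str:
    """The one-character seed the post describes: second character of the first trend name."""
    name = first_trend_name(unwrap_jsonp(payload))
    if len(name) < 2:
        raise ValueError(f"trend name {name!r} has no second character")
    return name[1]


if __name__ == "__main__":
    print(seed_char(SAMPLE_JSONP))
```

Because the seed is read from a public feed that changes daily, the date bucket the bot treats as "first" determines the seed; the example surfaces that dependency explicitly rather than hiding it in a loop over the whole week.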