monerozcash | 1 month ago
> you would have to extract the keys from the malware
Yeah? That happens all the time. If you're designing mechanisms like this, it's presumably specifically against adversaries which are doing exactly that.
> you would then have to implement the logic and announce it - then rely on blockchain explorers actually using that data to block addresses in real time.
Someone would only have to do this once and all your bots would be gone.
Usually the whole point of these mechanisms is C&C resilience, and usually that only matters for really big botnets which face co-ordinated attacks.
Any good C&C system for a bigger botnet would seek to eliminate all meaningful external points of failure for C&C. Using a block explorer, or HN comments, does not achieve that.
kachapopopow|1 month ago
But explorers are the easiest since there are so many of them, and so many of them do not give two shits about blacklisting addresses.
JasonADrury|1 month ago
You could've just used DHT, or even bundled Tor.