Proof of Work -> atmospheric carbon

Steven M. Bellovin smb at cs.columbia.edu
Sat Jan 31 14:11:42 EST 2009


On Fri, 30 Jan 2009 11:40:12 -0700
Thomas Coppi <thisnukes4u at gmail.com> wrote:

> On Wed, Jan 28, 2009 at 2:19 PM, John Levine <johnl at iecc.com> wrote:
> > Indeed.  And don't forget that through the magic of botnets, the bad
> > guys have vastly more compute power available than the good guys.
> 
> Just out of curiosity, does anyone happen to know of any documented
> examples of a botnet being used for something more interesting than
> just sending spam or DDoS?

I asked Rob Thomas of Team Cymru this question (he and they study the
underground).  Here is his answer, posted with permission:

====
Botnets are routinely used as:

1. Proxies (IRC, HTTP & HTTPS)

2. To recover financial credentials, e.g. paypal, citibank, et al.
   This was the original purpose of the PSNIFF code in some of the early
   bots.

Here's a code snippet from the now venerable
rBot_rxbot_041504-dcom-priv-OPTIX_MASTERPASSWORD dating back several
years:

[ ... ]

// Scaled down distributed network raw packet sniffer (ala Carnivore)
//
// When activated, watches for botnet login strings, and
// reports them when found.
//
// The bot's NIC must be configured for promiscuous mode (receive
// all). Chances are this is already done; if not, you can enable it
// by passing the SIO_RCVALL* DWORD option with a value of 1. To
// disable promiscuous mode, pass it with value 0.
//
// This won't work on Win9x bots since SIO_RCVALL needs raw
// socket support which only WinNT+ has.

[ ... ]

PSWORDS pswords[]={
        {":.login",BOTP},
        {":,login",BOTP},
        {":!login",BOTP},
[ ... ]
        {"paypal",HTTPP},
        {"PAYPAL",HTTPP},
        {"paypal.com",HTTPP},
        {"PAYPAL.COM",HTTPP},
        {"Set-Cookie:",HTTPP},
        {NULL,0}
};

[ ... ]


3. Remember they're called "boats" now, so anything is possible.  Screen
captures are becoming increasingly popular.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
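The trigger table quoted above is also the most recognisable static trace a PSNIFF-style sniffer leaves in a sample. The following is an added example, not code from the message or from the bot: it scans a byte blob (a suspect file or a memory dump) for the trigger strings shown in the quoted table and only treats the generic HTTP strings ("paypal", "Set-Cookie:") as an indicator when the IRC bot-login triggers are present and clustered the way a compiled string table would be. The `TABLE_WINDOW` threshold and the two sample blobs are constructed for this example.

```python
"""Static check for the PSNIFF credential-trigger table (added example)."""
from __future__ import annotations

import sys
from pathlib import Path

# Trigger strings copied from the PSNIFF table quoted in the message. The bot
# matched them against sniffed packets; here they serve as static indicators
# that a sample carries that table.
BOT_LOGIN_TRIGGERS = (b":.login", b":,login", b":!login")
HTTP_CRED_TRIGGERS = (b"paypal", b"PAYPAL", b"paypal.com", b"PAYPAL.COM", b"Set-Cookie:")

# A compiled string table lands in one data section, so a genuine table puts
# the three bot-login triggers within a few hundred bytes of each other.
# Hypothetical threshold chosen for this example.
TABLE_WINDOW = 512


def find_offsets(blob: bytes, needles) -> dict[str, int]:
    """Map each needle found in blob to the offset of its first occurrence."""
    hits = {}
    for needle in needles:
        pos = blob.find(needle)
        if pos != -1:
            hits[needle.decode("ascii")] = pos
    return hits


def classify(blob: bytes) -> dict:
    """Classify a byte blob by the PSNIFF trigger strings it contains.

    Returns the hits per category, whether the bot-login triggers sit close
    enough together to look like one string table, and a verdict string.
    """
    bot_hits = find_offsets(blob, BOT_LOGIN_TRIGGERS)
    http_hits = find_offsets(blob, HTTP_CRED_TRIGGERS)

    clustered = False
    if len(bot_hits) == len(BOT_LOGIN_TRIGGERS):
        offs = bot_hits.values()
        clustered = max(offs) - min(offs) <= TABLE_WINDOW

    # The ":x login" prefixes are peculiar to IRC-controlled bots. "paypal" or
    # "Set-Cookie:" alone occur in plenty of legitimate software, so they only
    # raise the verdict when the bot-login triggers are present as a cluster.
    if clustered and http_hits:
        verdict = "psniff-table"
    elif bot_hits:
        verdict = "suspicious"
    else:
        verdict = "no-indicators"

    return {
        "bot_login": bot_hits,
        "http_cred": http_hits,
        "clustered": clustered,
        "verdict": verdict,
    }


def classify_file(path: str) -> dict:
    """Classify the contents of a file on disk."""
    return classify(Path(path).read_bytes())


# Constructed samples (not real malware): a blob laid out like a compiled
# string table, and a benign HTTP client that merely handles cookies.
SAMPLE_TABLE_LIKE = b"\x00".join([
    b"MZ\x90\x00padding",
    b":.login", b":,login", b":!login",
    b"paypal", b"paypal.com", b"Set-Cookie:",
]) + b"\x00"
SAMPLE_BENIGN = b"GET / HTTP/1.1\r\nHost: www.paypal.com\r\nSet-Cookie: sid=1\r\n"

if __name__ == "__main__":
    for p in sys.argv[1:]:
        r = classify_file(p)
        print(f"{p}: {r['verdict']} bot_login={sorted(r['bot_login'])} "
              f"http_cred={sorted(r['http_cred'])}")
    if not sys.argv[1:]:
        print("table-like sample:", classify(SAMPLE_TABLE_LIKE)["verdict"])
        print("benign sample:    ", classify(SAMPLE_BENIGN)["verdict"])
```

Run it with one or more file paths to classify them, or with no arguments to see the two constructed samples classified. The benign HTTP request contains three of the HTTP trigger strings yet comes out as "no-indicators", which is the point of gating on the IRC login prefixes: a string match on "paypal" alone is not evidence of anything.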
