#1

I came up with a nefarious, but interesting idea. It would be useful to those who run botnets.

Botnet software could be enhanced in the following ways:

- besides everything else, check if you have a wifi adaptor. If so, scan neighboring networks to look for unprotected networks or those encrypted with WEP. Take your time and crack the WEP encryption using computers in the botnet.

Then proceed with

1) Using those other connections to send spam and other bad things (thus protecting a little bit the computer on the botnet)

2) Infect all private computers on those external private networks, put virus code into .EXE files on private shared drives, etc.

The effect of this is going to be that all apartment buildings will become giant zombie anthills, so to speak.

The viruses and scumware would "hop" the firewalls in ways not done before (through air rather than incoming ISP data pipes).

I do not write viruses or run botnets, but I think that it is a neat idea.

i

Ignoramus25760

#2

In news:C5SdnXK63-(E-Mail Removed), Ignoramus25760 <(E-Mail Removed)> wrote:
> I came up with a nefarious, but interesting idea. It would be useful
> to those who run botnets.

<*plonk*>

#3

In comp.os.linux.advocacy, Ignoramus25760 <(E-Mail Removed)> wrote on Wed, 26 Sep 2007 11:37:08 -0500 <C5SdnXK63-(E-Mail Removed)>:
> I came up with a nefarious, but interesting idea. It would be useful
> to those who run botnets.
>
> Botnet software could be enhanced in the following ways:
>
> - besides everything else, check if you have a wifi adaptor. If so,
> scan neighboring networks to look for unprotected networks or those
> encrypted with WEP. Take your time and crack the WEP encryption using
> computers in botnet.
>
> Then proceed with
>
> 1) Using those other connections to send spams and other bad things
> (thus protecting a little bit the computer on the botnet)
>
> 2) Infect all private computers on those external private networks,
> put virus code into .EXE files on private shared drives, etc
>
> The effect of this is going to be that all apartment buildings will
> become giant zombie anthills, so to speak.
>
> The viruses and scumware would "hop" the firewalls in ways not done
> before (through air rather than incoming ISP data pipes).
>
> I do not write viruses or run botnets, but I think that it is a neat
> idea.
>

A few questions.

[1] In Linux, at least, infection of .EXE files might be hampered by the issue that the user account can't write into /bin, /usr/bin, /etc, etc., or most files sitting therein. (The exceptions are /tmp and /var/tmp; some programs get a little sloppy therein. These are holes, and they do happen.) How does one get around this?

[2] A compromised root machine might have some difficulties spreading on NFS-mounted drives if said drives have the no_root_squash option. How does one get around *this*?

[3] Assuming NAT software (which on Linux isn't too hard to set up), how does the virus on an infected machine do the bunny hop? Especially if the virus hasn't crossed the local user-root barrier? Best I can do is Slightly Suspect Emails(tm), and those aren't all that hard to block.

[4] Which is simpler, activating Javascript which sets up a polling attack on a central server when a malicious webpage is clicked, or a packet attack through a NAT firewall? (Hint: emails allow users to click things on Windows.)

[5] Whatever gave you the notion that this is a neat idea? Of course, it does have an appeal to those who like to set up botnets -- but those are few and far between. Most people will probably think it's a terrible idea, and will want to cast about for defenses against it.

--
#191, (E-Mail Removed)
Useless C/C++ Programming Idea #10239993:
char * f(char *p) {char *q = malloc(strlen(p)); strcpy(q,p); return q; }
--
Posted via a free Usenet account from http://www.teranews.com

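Question [2] above turns on NFS root squashing, so a server-side check is worth showing. On a Linux NFS server the default is root_squash: requests arriving from a client's uid 0 are mapped to the anonymous user, so a client whose root account a worm owns still cannot write as root into the export. no_root_squash is the option that removes that mapping, and it is the one to hunt for in /etc/exports. The script below is an added example, not code from the thread; it parses /etc/exports syntax and flags each client entry that is writable, exported to a wildcard, root-unsquashed or marked insecure. The exports file it reads is constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed /etc/exports for the example; the paths and networks are made up.
SAMPLE_EXPORTS = """\
# NFS exports (constructed sample)
/srv/share   10.0.0.0/24(rw,sync,root_squash)
/srv/build   *(rw,no_root_squash,no_subtree_check)
/srv/pub     *.example.net(ro,sync) 10.0.0.5(rw,no_root_squash)
/home        10.0.0.0/24(rw)
/srv/iso     (ro,insecure)
"""

# One client token: optional host, optional "(opt,opt,...)" suffix.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (path, client, options) for every client of every export line."""
    entries: List[Tuple[str, str, Set[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if not clients:                            # no client list: every host
            clients = ["*"]
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            host = m.group(1) or "*"               # "(opts)" alone means any host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, host, opts))
    return entries


def audit_exports(text: str) -> List[Dict[str, object]]:
    """Flag the export options that matter once a client is compromised."""
    findings: List[Dict[str, object]] = []
    for path, host, opts in parse_exports(text):
        issues: List[str] = []
        if host == "*" or host.startswith("*."):
            issues.append("wildcard host")
        if "rw" in opts:                           # default is ro
            issues.append("writable")
        if "no_root_squash" in opts:               # remote uid 0 stays uid 0
            issues.append("no_root_squash")
        if "insecure" in opts:                     # requests from ports >= 1024 accepted
            issues.append("insecure")
        if "rw" in opts and "no_root_squash" in opts:
            severity = "HIGH"
        elif issues:
            severity = "MEDIUM"
        else:
            severity = "OK"
        findings.append({"path": path, "host": host,
                         "severity": severity, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['severity']:<6} {f['path']:<12} {f['host']:<16} "
              f"{', '.join(f['issues'])}")
```

Run it against the real file with `python3 audit_exports.py < /etc/exports` after replacing SAMPLE_EXPORTS with `sys.stdin.read()`. Two caveats: root_squash only remaps uid 0, so an rw export whose files are group- or world-writable is still exactly what a worm running as an ordinary user needs; and the script reads the file, not the live export table, so compare with `exportfs -v` on the server.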
#4

On Wed, 26 Sep 2007 11:51:54 -0700, The Ghost In The Machine <(E-Mail Removed)> wrote:
> In comp.os.linux.advocacy, Ignoramus25760
> <(E-Mail Removed)>
> wrote
> on Wed, 26 Sep 2007 11:37:08 -0500
> <C5SdnXK63-(E-Mail Removed)>:
>> I came up with a nefarious, but interesting idea. It would be useful
>> to those who run botnets.
>>
>> Botnet software could be enhanced in the following ways:
>>
>> - besides everything else, check if you have a wifi adaptor. If so,
>> scan neighboring networks to look for unprotected networks or those
>> encrypted with WEP. Take your time and crack the WEP encryption using
>> computers in botnet.
>>
>> Then proceed with
>>
>> 1) Using those other connections to send spams and other bad things
>> (thus protecting a little bit the computer on the botnet)
>>
>> 2) Infect all private computers on those external private networks,
>> put virus code into .EXE files on private shared drives, etc
>>
>> The effect of this is going to be that all apartment buildings will
>> become giant zombie anthills, so to speak.
>>
>> The viruses and scumware would "hop" the firewalls in ways not done
>> before (through air rather than incoming ISP data pipes).
>>
>> I do not write viruses or run botnets, but I think that it is a neat
>> idea.
>>
>
> A few questions.
>
> [1] In Linux, at least, infection of .EXE files might be
> hampered by the issue that the user account can't write
> into /bin, /usr/bin, /etc, etc., or most files sitting
> therein. (The exceptions are /tmp and /var/tmp; some
> programs get a little sloppy therein. These are holes,
> and they do happen.) How does one get around this?

Usually those directories are not network shared either.

> [2] A compromised root machine might have some difficulties
> spreading on NFS-mounted drives if said drives have the
> no_root_squash option. How does one get around *this*?

The typical worm action on a network (as happened in the last worm attack at one place I know) is that the worm looks for EXE files on shared drives and infects them, hoping that one day they will be executed.

> [3] Assuming NAT software (which on Linux isn't too hard
> to set up), how does the virus on an infected machine do
> the bunny hop? Especially if the virus hasn't crossed
> the local user-root barrier? Best I can do is Slightly
> Suspect Emails(tm), and those aren't all that hard to block.

The only thing that I can think of where Linux boxes can be compromised this way is to look for less secure things inside presumed safe home networks, or pretending to be trusted hosts (I am 10.0.0.3, and want to log on as joeblow) and using rlogin and such.

> [5] Whatever gave you the notion that this is a neat idea?
> Of course, it does have an appeal to those who like to set
> up botnets -- but those are few and far between. Most people
> will probably think it's a terrible idea, and will want to
> cast about for defenses against it.

I think that it is a clever, but "unhelpful" idea.

i

#5

In comp.os.linux.advocacy, Ignoramus25760 <(E-Mail Removed)> wrote on Wed, 26 Sep 2007 14:13:47 -0500 <(E-Mail Removed)>:
> On Wed, 26 Sep 2007 11:51:54 -0700, The Ghost In The Machine <(E-Mail Removed)> wrote:
>> In comp.os.linux.advocacy, Ignoramus25760
>> <(E-Mail Removed)>
>> wrote
>> on Wed, 26 Sep 2007 11:37:08 -0500
>> <C5SdnXK63-(E-Mail Removed)>:
>>> I came up with a nefarious, but interesting idea. It would be useful
>>> to those who run botnets.
>>>
>>> Botnet software could be enhanced in the following ways:
>>>
>>> - besides everything else, check if you have a wifi adaptor. If so,
>>> scan neighboring networks to look for unprotected networks or those
>>> encrypted with WEP. Take your time and crack the WEP encryption using
>>> computers in botnet.
>>>
>>> Then proceed with
>>>
>>> 1) Using those other connections to send spams and other bad things
>>> (thus protecting a little bit the computer on the botnet)
>>>
>>> 2) Infect all private computers on those external private networks,
>>> put virus code into .EXE files on private shared drives, etc
>>>
>>> The effect of this is going to be that all apartment buildings will
>>> become giant zombie anthills, so to speak.
>>>
>>> The viruses and scumware would "hop" the firewalls in ways not done
>>> before (through air rather than incoming ISP data pipes).
>>>
>>> I do not write viruses or run botnets, but I think that it is a neat
>>> idea.
>>>
>>
>> A few questions.
>>
>> [1] In Linux, at least, infection of .EXE files might be
>> hampered by the issue that the user account can't write
>> into /bin, /usr/bin, /etc, etc., or most files sitting
>> therein. (The exceptions are /tmp and /var/tmp; some
>> programs get a little sloppy therein. These are holes,
>> and they do happen.) How does one get around this?
>
> Usually those directories are not network shared either.

I could see mounting /usr and /opt on an NFS share. I'll admit there are some issues with doing so, especially if one has to support multiple system types (x86 and PPC, perhaps -- or even Athlon and Pentium D). One can also mount /bin as well, if one is running diskless.

Of course, Linux doesn't have Intel PE formatted files anyway (unless one installs WinE), or, generally, files named '.exe'. The best one can do is something along the lines of

    find / -type f | xargs file | grep 'ELF 32-bit' | cut -d: -f1 | \
        xargs ./infect_me_please.sh

or some such. "infect_me_please.sh" would not be the actual name of the virus, but it would be something that looks innocuous.

>
>> [2] A compromised root machine might have some difficulties
>> spreading on NFS-mounted drives if said drives have the
>> no_root_squash option. How does one get around *this*?
>
> The typical worm action on a network (as happened in the last worm
> attack at one place I know) is that the worm looks for EXE files on
> shared drives and infects them, hoping that one day they will be
> executed.

So how does the worm write to read-only files?

>
>> [3] Assuming NAT software (which on Linux isn't too hard
>> to set up), how does the virus on an infected machine do
>> the bunny hop? Especially if the virus hasn't crossed
>> the local user-root barrier? Best I can do is Slightly
>> Suspect Emails(tm), and those aren't all that hard to block.
>
> The only thing that I can think of where Linux boxes can be
> compromised this way is to look for less secure things inside
> presumed safe home networks, or pretending to be trusted hosts (I am
> 10.0.0.3, and want to log on as joeblow) and using rlogin and such.

I never use rlogin; I use ssh exclusively. I'll have to look to see if TCP can be impersonated (UDP, yes, but that's not used for ssh, rlogin, telnet, etc.)

>
>> [5] Whatever gave you the notion that this is a neat idea?
>> Of course, it does have an appeal to those who like to set
>> up botnets -- but those are few and far between. Most people
>> will probably think it's a terrible idea, and will want to
>> cast about for defenses against it.
>
> I think that it is a clever, but "unhelpful" idea.

Depends on who's being helped. :-)

>
> i

--
#191, (E-Mail Removed)
Murphy was an optimist.

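Posts #4 and #5 describe the propagation step the thread actually hinges on: a worm finds executables on a share (by extension on Windows, or by piping `file` into `grep 'ELF'` as above) and writes itself into them. The check a practitioner wants on a shared drive is an integrity baseline of every executable image on it, identified by file header rather than by name, re-checked on a schedule. The script below is an added example and not anyone's code from the thread; it builds such a manifest and diffs two of them. Its demo constructs a tiny share in a temporary directory from a minimal ELF header and a minimal MZ/PE header (constructed bytes, not real programs) and shows a modified and an added binary being reported.

```python
import hashlib
import os
import struct
import tempfile
from typing import Dict, List, Tuple

Manifest = Dict[str, Tuple[str, str]]          # relpath -> (kind, sha256)


def image_kind(path: str) -> str:
    """Return 'ELF', 'PE' or '' from the header; a name like .exe is not trusted."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if head[:4] == b"\x7fELF":
                return "ELF"
            if head[:2] == b"MZ" and len(head) >= 64:
                e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
                f.seek(e_lfanew)                   # offset of the PE signature
                if f.read(4) == b"PE\0\0":
                    return "PE"
    except OSError:
        pass
    return ""


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Hash every ELF/PE image under root, keyed by path relative to root."""
    manifest: Manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            kind = image_kind(full)
            if kind:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = (kind, sha256_file(full))
    return manifest


def diff_manifest(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Images whose hash changed, images that appeared, images that vanished."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p][1] != current[p][1]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _fake_elf(payload: bytes) -> bytes:
    # ELF magic + class/data/version, zero-padded to a 64-byte header (constructed, not loadable).
    return b"\x7fELF\x02\x01\x01" + b"\0" * 57 + payload


def _fake_pe(payload: bytes) -> bytes:
    # DOS header with e_lfanew = 0x80, where the "PE\0\0" signature sits (constructed, not loadable).
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + payload


def demo() -> Tuple[Manifest, Dict[str, List[str]]]:
    """Constructed scenario: baseline a share, then one image is modified and one appears."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "bin"))
        os.makedirs(os.path.join(share, "apps"))
        with open(os.path.join(share, "bin", "tool"), "wb") as f:
            f.write(_fake_elf(b"\xcc" * 64))
        with open(os.path.join(share, "apps", "setup.exe"), "wb") as f:
            f.write(_fake_pe(b"\x90" * 64))
        with open(os.path.join(share, "apps", "README.exe"), "w") as f:
            f.write("not really a program\n")       # .exe name, no PE header: ignored
        baseline = build_manifest(share)

        # The "infection": bytes appended to an existing image, plus a new image dropped.
        with open(os.path.join(share, "apps", "setup.exe"), "ab") as f:
            f.write(b"\xeb\xfe" * 32)
        with open(os.path.join(share, "bin", "helper"), "wb") as f:
            f.write(_fake_elf(b"\x90" * 16))
        current = build_manifest(share)
        return baseline, diff_manifest(baseline, current)


if __name__ == "__main__":
    base, delta = demo()
    print(f"baseline: {len(base)} images")
    for key, paths in delta.items():
        print(f"{key}: {paths}")
```

In practice the baseline manifest lives somewhere the share's clients cannot write (otherwise whatever modifies the binaries can update the manifest too), and the comparison runs on the file server, where the export can also be mounted read-only for the check. Identifying images by header is what catches the case the thread raises: on a Linux share there may be no '.exe' at all, only ELF files, and on a Windows share a dropped binary need not carry the extension.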
#6

["Followup-To:" header set to comp.os.linux.misc.]

Ignoramus25760 <(E-Mail Removed)>:
> I came up with a nefarious, but interesting idea. It would be useful
> to those who run botnets.
>
> Botnet software could be enhanced in the following ways:
>
> - besides everything else, check if you have a wifi adaptor. If so,
> scan neighboring networks to look for unprotected networks or those

Cool. So maybe spam and malware (and indeed, Microsoft) are parts of an unconscious defence mechanism to kill Skynet before it becomes operational. Destroy its environment (the net), save humanity.

IMO, dissolving Microsoft and getting that execrable so-called OS assigned to the crap bin of history would be quicker and easier, but what do I know.

At home, I fired up Network Neighbourhood (I ordinarily don't use WiFi) on my client's laptop the other day, and yes, there was one unsecured connection broadcasting. I imagine some Russian/Chinese psychopath is working on the implementation as I write.

So long Skynet. Ya never had a chance. We humans are hardwired to resist, and we design antigens you wouldn't believe.

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html
Linux Counter #80292 - - http://www.faqs.org/rfcs/rfc1855.html
Please, don't Cc: me.

#7

["Followup-To:" header set to comp.os.linux.misc.]

The Ghost In The Machine <(E-Mail Removed)>:
> In comp.os.linux.advocacy, Ignoramus25760
> <(E-Mail Removed)>
> wrote
> on Wed, 26 Sep 2007 11:37:08 -0500
> <C5SdnXK63-(E-Mail Removed)>:
> > I came up with a nefarious, but interesting idea. It would be useful
> > to those who run botnets.
> >
> > Botnet software could be enhanced in the following ways:
> >
> > - besides everything else, check if you have a wifi adaptor. If so,
> > scan neighboring networks to look for unprotected networks or those
>
> A few questions.
>
> [1] In Linux, at least, infection of .EXE files might be

To you and the others who've replied (in essence) that this won't work for Linux: what's that got to do with anything? The vast majority of bots or potential bots are Windows machines, whose numbers dwarf the installed base of Linux/*BSD/Mac. So, who cares whether it's possible to own a Linux/*BSD/Mac, when there are plenty of easy boxes out there where you could apply this scheme with a vengeance?

I'm still hoping we can get that undernet or alternet thing going; the one where no Windows packet is allowed.

#8

["Followup-To:" header set to comp.os.linux.misc.]

Ignoramus25760 <(E-Mail Removed)>:
>
> I think that it is a clever, but "unhelpful" idea.

Forewarned is forearmed. Don't shoot the messenger. The blackhats would have gotten it on their own sooner or later, if they haven't already.

Tags: botnet, idea, virus