- Isn't this really non-viable in practice? The "few headers" that were shown include an Authorization header, that would presumable rotate every ~24 hours and would have to rotate for all the malware clients as well.
- Are centralized Command and Control Severs still a thing in the malware space? I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
I have built dead simple bots on both session/simplex trying both of them out and session was the more ergonomic one to build on but simplex is more decentralized considering session's more crypto related and wants to ask you for money for node whereas simplex doesn't
Although on the other hand, simplex wants to do client side verification on their official client and their bot creation was really painful to start with so but I do feel like its more decentralized but not sure, Both have consequences but honestly I just really end up shilling signal in the end for most people's usual use cases which is communication but its super great to know that there are alternatives.
Matrix is really cool as well. especially cinny's ui (https://cinny.in)
Yes, centralised C2 is definitely still a thing in the malware space, for commodity malware it works well enough that there's little real incentive to move to anything more complex.
Also thanks for bringing up the blockchain C2 use, that's cool and news to me.
Why would you want to use blockchains for this? DHT has been used for distributed c&c for ages and is generally a much lighter option.
But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.
I found it when I realized that nano had 0 fees and I realized that by using a nano vanity address generator, I can embed data into a series of transactions and then basically embed data into the chain (for free) since there is 0 gas fees
Now I created it as a way of getting timestamps of any data onto the chain but you can embed any information and create c2c's on top of that
There is also a way that I vibe coded once to embed data directly into the vanity address and so you can lose 10^-32 nano or basically negligble which is more efficient as well
If you have any questions, I'd love to answer (also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest)
Is this you? https://github.com/Koeng101/nanotimestamps
> also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest
At the risk of derailing the thread, I agree. However, I think "tokenization" is probably crypto's killer app if the messy problem of legal finality rectifying assets on the blockchain with their real-world counterparts can be solved. I touched upon this in a separate post on my blog.
You really don't need to spend any money at all and that's actually how I built it. I recommend you to contact me if you wish to run it locally for experiments purposes as it requires bao and nano-vanity-generator, you can take the look at the code
Also I would like to disclose that the code is AI generated. I have no expertise in this field but I found this idea fascinating and saw nobody doing it so did it. But still, I am just proud of my idea and I get good reception whenever I mention this idea (which is quite a lot, tbh I am proud of it a little) so yeah, I love talking about this project's idea fascinating as well and I have expanded upon this work privately to even build ways of creating ones own tokens on top of nano etc. but creating wallet etc. and more abstractions felt wrong and I just wanted to prove it was possible
To be honest, you creating a c2 server on hinge was similar to this feeling of "proving" as well.
To me, its just that if I can prove something, then I can figure out the practical uses of it later (like discussing it right now) etc.
I guess we both are similar in the "proving" way reading your article which is nice to hear, Let me know if you have any questions as I would love to answer!
No its not, I have the domain nanotimestamps.org but its not really doing much (its called laziness from my side)
https://github.com/SerJaimeLannister/nanotimestamp/blob/main...
Here you go! (the video starts as a gif but there is also a .mp4)
Ended up finding that the best way to upload videos is probably github wiki pages
https://github.com/SerJaimeLannister/nanotimestamp/wiki
So let me know how you like this project, Y'know making this project had to make me build some abstractions which you might be interested to look at as well and could be used for multiple purposes.
Create an issue in my github repo if you want to talk to me if you have any questions as well and I would love to answer there and here as well if you wish! Glad my project could be of interest to ya! If you have any use cases for my project, then let me know as well
have a nice day! Looking forward to talk to ya
If you are interested in L2's, polygon's cheap as well fwiw
Essentially the exact approach you propose has been attempted in far cleverer ways, it did not work very well.
For a very small botnet that doesn't attract attention, you could really use any social media site for C&C if your goal was to avoid network-level detection.
For a slightly bigger botnet that might get abuse reports, you could just get a bunch of domains on different ccTLDs from various bulletproof registrars. There are some huge botnets doing this without much trouble.
It's really only the really big botnets where you want to worry about things like P2P C&Cs for censorship resistance, they're the ones that will face co-ordinated efforts to shut them don.
I feel like the block explorers aren't a really good solution, for small botnets there are less conspicuous options. Here's a (real) botnet C&C that uses Steam, and has been doing so for a long time https://steamcommunity.com/profiles/76561199621451974 It's a rather silly implementation though, not sure why the developer decided to do it this way.
It's also worth noting that most botnets aren't targeting networks where they'd really have to worry about network-level detection, so in almost all cases using your own domain names is by far the easiest and most reliable option.
I'd also guess the most common malware these days is of the often short-lived "stealer" type, where the operator doesn't necessarily really care about keeping their bots alive as the malware just immediately grabs all the interesting data from your computer and uploads it.
I mean, even just shipping a Tor client embedded in your malware seems like a much better idea.
>just rely on explorers to query your own wallet
This kind of defeats the point, you get exactly 0 censorship resistance like this.
you would have to extract the keys from the malware, you would then have to implement the logic and announce it - then rely on blockchain exploreres actually using that data to block addresses in real time.
> you would have to extract the keys from the malware
Yeah? That happens all the time. If you're designing mechanisms like this, it's presumably specifically against adversaries which are doing exactly that.
> you would then have to implement the logic and announce it - then rely on blockchain exploreres actually using that data to block addresses in real time.
Someone would only have to do this once and all your bots would be gone.
Usually the whole point of these mechanisms is C&C resilience, and usually that only matters for really big botnets which face co-ordinated attacks.
Any good C&C system for a bigger botnet would seek to eliminate all meaningful external points of failure for C&C. Using a block explorer, or HN comments, does not achieve that.
but explorers are the easiest since there's so many of them and so many of them that do not give two shits about blacklisting addresses.
You could've just used DHT, or even bundled Tor.
There are lots of ways to disguise p2p traffic to make it indistinguishable from common, legitimate software.
So that you can then use that account, which is tied to your biometrics, for lawbreaking?
Wut?
Account creation requires biometric face-scan.
https://redlib.catsarch.com/r/SwipeHelper/search?q=hinge+sel...
Maybe you're getting lucky and not tickling their risk-based nonsense, but now that this article has been posted they'll certainly crank that knob up to 11.
You probably don't use Hinge. The verification is not necessary at all. It's merely used to "verify" your identity to other users. It has no bearing on what I cover in the post.
Edit: e.g. via residential proxy IPs and a bunch of cheap Android phones
There is an extremely profitable company (whose data hoard keeps geting hacked but why should they care?) built around this:
https://www.au10tix.com/
They don't feed it a video clip. They hold the camera in front of a screen playing the video. Use a low-end phone with a blurry camera to increase your chances.
Neural networks are very, very, very good at detecting this.
It's much easier than detecting "liveness" (for whatever definition of that term you subscribe to).
Fundamentally no amount of front facing camera on a physical device or other shenanigan a company might do can really do anything about it?
The author basically found a creative use of Hinge’s infrastructure and proved it could be used to control malware.
A secondary goal is to do so while evading detection. This is why many threat actors piggy-back off of legitimate services, it disguises the malware communications and avoids directly exposing the upstream C2 instance.