I mean, at that point, why wouldn't you just rely on a DGA? At least then you wouldn't be flooding block explorer sites with millions or potentially tens of millions of requests per day for your C&C traffic.
Essentially the exact approach you propose has been attempted in far cleverer ways; it did not work very well.
Well, you wouldn't really want to use it for botnets that large. Modern botnets run off similar systems the internet runs off - edge endpoints - and cryptocurrency is just a nice distributed database to rely upon to synchronize everything.
I don't think you'd want to go through the trouble for smaller botnets though. It's really only the very big ones that face co-ordinated takedown efforts.
For a very small botnet that doesn't attract attention, you could really use any social media site for C&C if your goal was to avoid network-level detection.
For a slightly bigger botnet that might get abuse reports, you could just get a bunch of domains on different ccTLDs from various bulletproof registrars. There are some huge botnets doing this without much trouble.
It's really only the really big botnets where you want to worry about things like P2P C&Cs for censorship resistance; they're the ones that will face co-ordinated efforts to shut them down.
I feel like the block explorers aren't a really good solution; for small botnets there are less conspicuous options. Here's a (real) botnet C&C that uses Steam, and has been doing so for a long time: https://steamcommunity.com/profiles/76561199621451974 It's a rather silly implementation though, not sure why the developer decided to do it this way.
It's also worth noting that most botnets aren't targeting networks where they'd really have to worry about network-level detection, so in almost all cases using your own domain names is by far the easiest and most reliable option.
I'd also guess the most common malware these days is of the often short-lived "stealer" type, where the operator doesn't necessarily really care about keeping their bots alive as the malware just immediately grabs all the interesting data from your computer and uploads it.
Enlighten me how a non-trivially generated address that is only known by the malware can be implemented in every single blockchain explorer?
You would have to extract the keys from the malware, you would then have to implement the logic and announce it, then rely on blockchain explorers actually using that data to block addresses in real time.
I'm not 100% sure I understand what you're saying, but I guess you're asking how this could be censored?
> you would have to extract the keys from the malware
Yeah? That happens all the time. If you're designing mechanisms like this, it's presumably specifically against adversaries which are doing exactly that.
> you would then have to implement the logic and announce it - then rely on blockchain explorers actually using that data to block addresses in real time.
Someone would only have to do this once and all your bots would be gone.
Usually the whole point of these mechanisms is C&C resilience, and usually that only matters for really big botnets which face co-ordinated attacks.
Any good C&C system for a bigger botnet would seek to eliminate all meaningful external points of failure for C&C. Using a block explorer, or HN comments, does not achieve that.
That's why you have large lists, fallbacks and rolling updates to said fallbacks. It isolates you as the C2 owner from the C2 malware. Once you have that you can just query from any kind of server and publish it anywhere else; you can have it act as an indirect proxy, not the primary contact point. It's a globally available database for a low, low cost of transaction fees.
But explorers are the easiest, since there are so many of them, and so many that do not give two shits about blacklisting addresses.
Because a C2 mechanism isn't that useful when you can't even send the packets out to the internet to use it, when T1s get off their ass and actually do something useful.
> Because a C2 mechanism isn't that useful when you can't even send the packets out to the internet to use it, when T1s get off their ass and actually do something useful.
There are lots of ways to disguise p2p traffic to make it indistinguishable from common, legitimate software.
Also often not unique to a person, although email addresses probably tend to have much longer lifespans as identifiers than phone numbers.
If the idea is to have a true opt-out system, it's really really difficult to implement given how these systems work.
If you look at the data provided by services like accurint, you'll frequently see the same SSNs used for decades by multiple different individuals, often with IDs from different states with the same name and DoB despite obviously being different people. With how the system works in the US, it can often be impossible for anyone to determine which physical person the SSN was actually originally assigned to.
Same obviously applies to other identifiers you suggested, but even the seemingly good ones are not very good at uniquely identifying people.
As long as there is centralization, there is always an avenue for abuse with money. The DNS root itself is heavily influenced by a group of allied nations, through ICANN if I'm right. That can be used to exert pressure on TLD registries, including ccTLD registries. Of course, that cannot be used for surgical control of single domains like Anna's Archive's. But DNS blocking is an old technique by now. The copyright cartel needs to get it banned only in a few populous countries to destroy the value of a domain. We can keep finding workarounds. But at some point, they won't have to worry about people who can actually do that.
> I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
Why would you want to use blockchains for this? DHT has been used for distributed C&C for ages and is generally a much lighter option.
But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.
You could of course key on things like SSNs, but data brokers wouldn't be very happy about that because there are lots of SSNs tied to multiple different people.
The government will, given that they're a fairly integral part of how the US economy works.
Every single financial institution relies on these data brokers. U-Haul needs data brokers to be able to verify your driver's license, the TSA needs data brokers to let you on a flight without an ID. There are simply countless reasons why you wouldn't want to break this system for people who haven't opted in for breakage.
Yea, I tried that, and it does fix it initially, but as you scroll through the content, the site decides to resize its canvas all by itself, to the point where you have a giant horizontal canvas again soon. Why do web developers have to do this stuff?
Removing network connectivity from basically any new car is trivial, often as simple as pulling an easily accessible fuse.
I'm guessing that you haven't actually done this on "basically any new car".
If you had tried, you would know that there is no fuse dedicated to "network connectivity". It is typically tied in with other, often essential functions like the engine control computer --- specifically in order to thwart a simple disconnect.
What I have seen done is to tear into the right roof pillar and cut the wires going to the antenna on the roof. But this is usually not without consequences as well, such as a perpetual error code display and/or the radio, navigation or entertainment functions stopping working.
I've done this on a W222, a W223, a Continental GT and an Urus. On each of those cars it was as easy as disconnecting the antenna; on none of them did I have to tear into the roof pillars.
I've never seen an antenna that was difficult to disconnect; on the super simple end you have something like the W222, where you can literally just pop out the antenna cover on the roof and remove the antenna module inside.
>But this is usually not without consequences as well such as a perpetual error code display or the radio, navigation or entertainment functions stop working.
Well sure, I do have cars without GPS because I was lazy. Carplay still works fine, so can't really bother to do anything about it.
> Carplay still works fine, so can't really bother to do anything about it.
That largely depends on the specific vehicle. I'm surprised that there were no negative effects in pulling the telematics fuse on a W223, less surprised on a W222.
I didn't find AirDrop to work very well while trying to airdrop only 1TB of photos/videos from my phone to my MacBook, YMMV. Not only was it really slow, but occasionally it seemed to freeze and there weren't really any meaningful progress indicators.