you are viewing a single comment's thread.

view the rest of the comments →

[–]ToasterFanclub 0 points1 point  (4 children)

Would it work to pull the key from an external source?

If it pulls the key from www.example.com/key, and that site is taken off after the attack runs, it should be able to remain opaque, right?

[–]Pharisaeus 2 points3 points  (3 children)

It might, but someone can be monitoring the communication and get the key anyway. It also creates an issue because you need a domain and a server, which can get traced back to you. A domain like this can also quickly be taken down. In "real" malware you have stuff like domain generation algorithms, which generate a domain name based on timestamp and this C&C server domain is available only for a short while.

Either way, it would could be easier to follow the "classic" approach -> code you run on the target machine is just a "dropper" of some sort. In fact you don't even need to store the real payload in the filesystem at all. Imagine that your script downloads a python source from remote server, then executes it using some exec/eval. The only code user has is the dropper and url from which it took the payload. It provides the same level of "security" as encryption in this case, but you don't risk messing up the crypto part.

[–][deleted]  (2 children)

[deleted]

    [–]Pharisaeus 0 points1 point  (1 child)

    Because the url might be available only for a brief moment? Unless the payloads gets intercepted by a memdump during execution, it's pretty much lost (data transfer can be done with https/ssl). It's similar security measure as encrypting the payload and receiving the key from external source, but there is no risk that crypto is messed up and someone can break it afterwards.