[hobofan]

I'm not really into malware, so I was just wondering:

- Isn't this really non-viable in practice? The "few headers" that were shown include an Authorization header, that would presumable rotate every ~24 hours and would have to rotate for all the malware clients as well.

- Are centralized Command and Control Severs still a thing in the malware space? I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.

[Imustaskforhelp]

One could probably use matrix (perhaps might need account creation?) or session or simplex (their accounts are sort of like addresses, easy to make compartively to matrix)

I have built dead simple bots on both session/simplex trying both of them out and session was the more ergonomic one to build on but simplex is more decentralized considering session's more crypto related and wants to ask you for money for node whereas simplex doesn't

Although on the other hand, simplex wants to do client side verification on their official client and their bot creation was really painful to start with so but I do feel like its more decentralized but not sure, Both have consequences but honestly I just really end up shilling signal in the end for most people's usual use cases which is communication but its super great to know that there are alternatives.

Matrix is really cool as well. especially cinny's ui (https://cinny.in)

[jdsnape]

probably not so useful in practise, but still fun and interesting.

Yes, centralised C2 is definitely still a thing in the malware space, for commodity malware it works well enough that there's little real incentive to move to anything more complex.

[monerozcash]

> I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.

Why would you want to use blockchains for this? DHT has been used for distributed c&c for ages and is generally a much lighter option.

But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.

[mattwiese]

Regarding your first point, extraction of the headers could be trivially automated. Also, using Hinge's CDN (which I think is CloudFlare and/or AWS) is more viable imo, as you don't need to provide headers to GET the files. If that also applies to user-uploaded videos then I do think there's some meat on this bone. But as the other user who replied to you pointed out, this was mostly for nerdy delight.

Also thanks for bringing up the blockchain C2 use, that's cool and news to me.

[easterncalculus]

In most red team contexts, the implants don't talk directly to the actual C2 - the implants talk to listening posts (often behind redirectors/transient reverse proxies) and then the listening posts request commands from the C2 server.