Rik's Ramblings

Wednesday, July 14, 2004

Bot'speriment

Scum Bots

So, I'm trying to refine my theory about what I will call 'scumbot-channel'.

I did a search on Google for "Sign Guest Book". I then picked some hits at random and went to their sites.

If the landing page had a form on it, I filled it with 'pseudo-garbage'. The garbage basically consists of one of three values, depending on the type of field:

Field name contains 'name' or 'email': form element name plus %20%3fdiveboy@hotmail.com
Field is a 'textarea': form element name plus %20%3f&09f3228caf090ef4b98c1d44e03c6c03 *-
Otherwise: form element name plus %20%3frandom digits

The textarea one is the important one. The text after the '&' is supposed to be a secret message from the 'scumbot master' to a scumbot running on a zombied machine somewhere out on the internet.

What next?
The idea is that I will, in a week or so, do a search of Google for diveboy@hotmail.com.

If I find it then I can extract, from the search result, the textarea field - identified by the magic prefix string %20%3f&.... The text after the '&' I consider my 'secret message'. [in fact it's just an md5sum of This is random selection 1].

Why?
I consider the messages posted (fairly anonymously) in the third party guest books to be control messages from the 'scumbot master' to scumbots. Scumbots can run scripts that use an XML interface to Google to obtain search results. The scumbots will get their instructions from the guestbook posts: a short message, possibly telling them to connect to a specific IP address at a specific time to receive their real payload. Let's call it the 'scumbot semaphore'.

The scumbot master will post the message to hundreds of guestbooks - I got 3 million hits for "sign guest book" when I just did the Google search. It should be easy to get the 'scumbot semaphore' to stick on at least a few of them. And because we know those guest books are also going to be indexed by Google (after all, the guest book was found through Google), we can be fairly confident that a later search will be successful in locating the available 'scumbot semaphores'.
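
An added example, not part of the original post: the magic prefix that makes the follow-up search work also lets a guest-book operator flag these posts in stored entries. The function names and sample entries are constructed for illustration; only the prefix and the 32-character digest in entry 2 come from the post.

```python
import hashlib
import re

# Marker format from the post: "<field name>%20%3f&<32 hex digits>".
# A guest book may store it percent-encoded, decoded (" ?&"), or with the
# ampersand HTML-escaped ("&amp;"), so all three spellings are accepted.
MARKER = re.compile(r"(?:%20%3f|\s\?)&(?:amp;)?([0-9a-f]{32})\b", re.IGNORECASE)


def find_markers(text):
    """Return the 32-hex tokens (lower-cased) that follow the magic prefix."""
    return [m.group(1).lower() for m in MARKER.finditer(text)]


def flag_entries(entries, known_plaintexts=()):
    """Scan (entry_id, body) pairs and report every marker found.

    known_plaintexts lets the experimenter map a digest back to the message
    it was made from; digests with no known source are reported with None.
    """
    known = {hashlib.md5(p.encode()).hexdigest(): p for p in known_plaintexts}
    flagged = []
    for entry_id, body in entries:
        for token in find_markers(body):
            flagged.append(
                {"id": entry_id, "token": token, "plaintext": known.get(token)}
            )
    return flagged


# Constructed sample entries; only the digest in entry 2 is taken from the post.
CONSTRUCTED_MESSAGE = "constructed test message"
SAMPLE_ENTRIES = [
    (1, "Lovely site, greetings from Ohio!"),
    (2, "comments%20%3f&09f3228caf090ef4b98c1d44e03c6c03 *-"),
    (3, "comments ?&amp;" + hashlib.md5(CONSTRUCTED_MESSAGE.encode()).hexdigest()),
    (4, "Does search.php ?&id=12 still work? Thanks"),
]

if __name__ == "__main__":
    for hit in flag_entries(SAMPLE_ENTRIES, [CONSTRUCTED_MESSAGE]):
        print(hit)
```

Entries 1 and 4 are ordinary posts and are not flagged; a 32-hex token directly after the prefix is what separates the marker from a normal query string.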

Why am I telling you this, doesn't it spoil the surprise?
So in the interest of full disclosure I'm publishing my intent here.

Stating that it's research in the name of internet security gives me a fighting chance in court of not being sent to Guantanamo Bay ;-)

I'd like to write a real paper on this when it's proved true, then talk at some swanky conference where people will cheer me and throw petals...
