A common technique for malware to find its C&C server is to embed a seed into the binary, along with an algorithm that takes the seed and a time epoch (e.g. midnight every day or midnight every 4 days) to generate a new domain name to connect to. The algorithm and seed are designed to be hard to reverse engineer. It's always possible though, and once one has done so, one can pre-generate (and block) the domain names into the future.
One mitigation for that is to distribute a bunch of seeds in the hope the adversary doesn't find all of them. (Does get expensive with domain names though.)
Another technique is to add an unpredictable value into the generation algorithm alongside the seed and the time epoch: something the adversary can't predict ahead of time, like the closing price of a stock ticker or the tip of the bitcoin blockchain. The problem with that is that it requires the application to make a query to some service to retrieve that information, and that query could be (a) blocked or (b) detected (unless anyone has any great ideas there[0]). If we had a reliable, unblockable, anonymous method of making a connection somewhere, we wouldn't be in this mess ;)
-tom
[0] Maybe Android has something system-accessible like the last virus definition update from the Play store or something?
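The seed-plus-epoch scheme and the defender's pre-generation response, as an added illustration that is not part of the message above or of any real malware family. The seed, TLD list, rotation period, dates and "blockchain tip" salt are all constructed for the example; the hash construction is a generic SHA-256 derivation, not a specific DGA.

```python
"""Toy domain-generation algorithm (DGA) and the defender's pre-generation
response. Everything here is constructed for illustration: the seed, the TLD
list, the dates and the 'unpredictable' salt are made up, and the derivation is
a generic SHA-256 construction rather than any real family's algorithm."""
from __future__ import annotations

import datetime
import hashlib

# Constructed sample TLD list; real families use their own, often larger, sets.
TLDS = ("com", "net", "org", "info")
SECONDS_PER_DAY = 86400


def epoch_index(when: datetime.datetime, period_days: int) -> int:
    """Map a UTC timestamp to its rotation period ('midnight every N days')."""
    days_since_1970 = int(when.timestamp()) // SECONDS_PER_DAY
    return days_since_1970 // period_days


def generate_domains(seed: bytes, period: int, count: int = 5,
                     salt: bytes = b"") -> list[str]:
    """Derive `count` candidate domains from seed + period (+ optional salt).

    `salt` stands in for a value the malware would fetch at run time (a stock
    close, a blockchain tip). Leave it empty for a classic, fully predictable
    DGA that depends only on what is embedded in the binary.
    """
    domains = []
    for i in range(count):
        material = seed + period.to_bytes(8, "big") + salt + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 12 lowercase letters from the first 12 digest bytes, TLD from byte 12.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def pregenerate_blocklist(seed: bytes, period_days: int,
                          start: datetime.datetime, days_ahead: int) -> set[str]:
    """Defender side: once seed and algorithm are recovered from the binary,
    enumerate every domain the sample can produce from `start` for
    `days_ahead` days and hand the set to DNS blocking."""
    first = epoch_index(start, period_days)
    last = epoch_index(start + datetime.timedelta(days=days_ahead), period_days)
    blocked: set[str] = set()
    for period in range(first, last + 1):
        blocked.update(generate_domains(seed, period))
    return blocked


def demo() -> dict:
    """Show that pre-generation covers the plain DGA but not the salted one."""
    seed = b"constructed-seed-0x1337"   # would be embedded in the binary
    period_days = 4
    now = datetime.datetime(2021, 4, 1, 13, 26, tzinfo=datetime.timezone.utc)
    later = now + datetime.timedelta(days=30)

    blocklist = pregenerate_blocklist(seed, period_days, now, 60)
    future = generate_domains(seed, epoch_index(later, period_days))

    # Constructed stand-in for a value the defender cannot know in advance
    # (e.g. the hash of the newest block at `later`).
    salt = bytes.fromhex("00" * 4 + "ab" * 28)
    salted_future = generate_domains(seed, epoch_index(later, period_days),
                                     salt=salt)

    return {
        "blocklist_size": len(blocklist),
        "plain_dga_blocked": all(d in blocklist for d in future),
        "salted_dga_blocked": any(d in blocklist for d in salted_future),
    }


if __name__ == "__main__":
    print(demo())
```

The blocklist covers every period the plain generator will ever use, so the sample's future domains are all pre-blocked; the salted variant lands outside the set, which is exactly why the salt has to be fetched at run time and why that fetch becomes the thing to block or detect.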
On Thu, 1 Apr 2021 at 13:26, Nathan of Guardian nathan@guardianproject.info wrote:
It seems like Azure Domain Fronting may already be going offline, according to some reports. Our own testing from the US and EU shows that it is still working for now.
That said, here is our plan for updating Orbot and Onion Browser in response to what may come at any moment:
- Move to Fastly for Snowflake and Moat as soon as they are ready. Please keep us posted on this.
- Remove Meek as a built-in option.
- Promote "social distribution" of bridge URLs via links and QR codes through communities that need them.
- Work on setting up our own additional pool of CDN front addresses for Moat and the Snowflake broker(s) that we can round-robin/cat-and-mouse through for both Snowflake and Moat. These would be compiled into our apps, or provided through some kind of S3/hard-to-block bootstrap URL.
- Continue our own work on mobile-specific bridge distribution (push messages, SMS, chat bots, social etc.) options we can employ in the future.
.... any other things to know, that we missed, that we are being naive about?
Thanks!
+n
anti-censorship-team mailing list
anti-censorship-team@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team