Re: Cambridge Professor Warns of Skype Botnet Threat

[Paul Schmehl <pauls () utdallas edu>]

--On Wednesday, January 25, 2006 15:19:18 +0000 Fergie 
<fergdawg () netzero net> wrote:

> I see Jon's busy stirring things up. :-)
>
> Via TechWorld.
>
> [snip]
>
> Voice-over-IP apps could be used to cloak networks of zombies, used to
> launch denial of service attacks, a Cambridge professor has warned.
>
> Armies of ordinary PCs - "botnets" - that have been infected by a virus
> and put under malicious control, could be controlled and orchestrated by
> messages hidden in VoIP traffic generated by programs such as Skype,
> warned Jon Crowcroft, Marconi professor of communications systems at
> Cambridge University.
>
> [snip]
>
> More here:
> http://www.techworld.com/news/index.cfm?NewsID=5232
I dunno.  Maybe I'm dense.  How is this different from any other method of 
control once you encrypt the traffic?  (And please don't tell me that IM or 
IRC can't be encrypted.)  The issue isn't the protocol being used.  It's 
the behavior.  And how does encrypting the traffic *hide* the botmaster?

Scenario:
100,000 bot network
10,000 "sub" controllers
1000 "master" controllers

All traffic between these 100,000 bots is encrypted Skype, and the traffic 
patterns match DDoS or spam runs.  Gee.  I wonder what's going on there? 
But we can't tell because {{{gasp}}} it's encrypted!

Huh?  What am I missing?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.