encrypted botnets?

[Gadi Evron <ge () linuxbox org>]

Paul Schmehl wrote:
> --On Wednesday, January 25, 2006 15:19:18 +0000 Fergie 
> <fergdawg () netzero net> wrote:
>
> > I see Jon's busy stirring things up. :-)
> >
> > Via TechWorld.
> >
> > [snip]
> >
> > Voice-over-IP apps could be used to cloak networks of zombies, used to
> > launch denial of service attacks, a Cambridge professor has warned.
> >
> > Armies of ordinary PCs - "botnets" - that have been infected by a virus
> > and put under malicious control, could be controlled and orchestrated by
> > messages hidden in VoIP traffic generated by programs such as Skype,
> > warned Jon Crowcroft, Marconi professor of communications systems at
> > Cambridge University.
> >
> > [snip]
> >
> > More here:
> > http://www.techworld.com/news/index.cfm?NewsID=5232
> I dunno.  Maybe I'm dense.  How is this different from any other method 
> of control once you encrypt the traffic?  (And please don't tell me that 
> IM or IRC can't be encrypted.)  The issue isn't the protocol being 
> used.  It's the behavior.  And how does encrypting the traffic *hide* 
> the botmaster?
>
> Scenario:
> 100,000 bot network
> 10,000 "sub" controllers
> 1000 "master" controllers
>
> All traffic between these 100,000 bots is encrypted Skype, and the 
> traffic patterns match DDoS or spam runs.  Gee.  I wonder what's going 
> on there? But we can't tell because {{{gasp}}} it's encrypted!
>
> Huh?  What am I missing?

Nothing, you will still see the botnet as you stated.

Once you have the sample, you will also probably learn how to see most 
of what's going on desite encryption.

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.