Snort mailing list archives

Re: Bots using encryption?


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 16 Mar 2005 17:03:34 -0500

Nick Hatch wrote:

> I would be surprised. A few weeks ago I was commenting to a coworker about how it seemed strange that the zombie reports to the botnet channel were in plain English, e.g. "Scanning 10.0.x.x on port 445 with a delay of 1 second." Why not use a more efficient and coded protocol, I asked? We came to the conclusion that the protocol was simple so the script-kiddies could just sit in a channel and watch the reports. KISS -- Keep it Simple Stupid. Obviously this is pure speculation.
>
> I don't understand how encryption could really serve as an advantage to the botnets. It would be difficult to implement, would be more proprietary (e.g. you can't just use LeetBackdoorIRC1.7 on hacked PCs with existing back doors), and I fail to see the advantage.

1) Encryption is not difficult to implement; it's trivial to implement. It's rather difficult to make a truly secure encryption system, but just adding RC4 to an existing system isn't hard. It might be crackable without a bit of extra work, but it's not going to be easily recognized.

2) There are plenty of backdoor bots out there that do this. So implementation cost for kiddies is 0.
An example bot from 2001 that does encryption:
http://www.megasecurity.org/trojans/x/xot/Xot0.5b2.html

3) More proprietary is an advantage. After all, if you can use LeetBackdoorIRC1.7, so can anyone else. You don't want some other two-bit skript kiddie stealing your bots. Protection of your turf and avoiding bot thieves is a benefit here. It's also pretty easy

4) The other advantage is reduced chance of detection, or if detected, a reduced chance of the admin realizing what you're doing. A bunch of random binary garbage is less likely to trip an IDS than text-mode strings.

Now, admittedly most popular bots are not going to do this, but to believe that none of them would do this is unwise.
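As an added example (not code from this thread or from any bot it mentions), the Python below shows the defender's side of point 4: the quoted status report, once RC4-encrypted, no longer matches a plain-text signature, so a detector that expects a text protocol on the channel has to look at the shape of the payload (printable-byte ratio, entropy) instead. The key, sample messages and thresholds are constructed for the demonstration.

```python
import math
from collections import Counter

# Constructed sample values: the plain-text report quoted in the thread and a demo key.
PLAIN_REPORT = b"Scanning 10.0.x.x on port 445 with a delay of 1 second."
DEMO_KEY = b"constructed-demo-key"

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); symmetric, so the same call also decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace (tab, LF, CR)."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify_payload(data: bytes, keyword: bytes = b"Scanning", min_printable: float = 0.8) -> str:
    """'signature' if the plain-text string matches, 'opaque' if the payload is
    mostly non-printable where a text protocol is expected, otherwise 'benign'."""
    if keyword in data:
        return "signature"
    if printable_ratio(data) < min_printable:
        return "opaque"
    return "benign"

if __name__ == "__main__":
    cipher = rc4(DEMO_KEY, PLAIN_REPORT)
    for label, payload in (("plain", PLAIN_REPORT), ("rc4", cipher)):
        print(f"{label}: entropy={shannon_entropy(payload):.2f} printable={printable_ratio(payload):.2f} -> {classify_payload(payload)}")
```

On payloads this short the entropy figure is noisy (55 bytes cannot reach 8 bits/byte), which is why the classifier keys on the printable ratio and only reports entropy for context.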
