[Snort-users] Bots using encryption?

Matt Kettler mkettler at ...4108...
Wed Mar 16 11:11:19 EST 2005

Jeff Kell wrote:

> Tracking host traffic after a bot signature (MySQL, bleeding sig 
> 2001690) I've run into some encrypted traffic.  After 3-way handshake 
> the thing fires off a "SHA-1:  " followed by a base-64 string.
> Are the bots encrypting now?

Well, SHA1 isn't an encryption algorithm; it's a hash algorithm. 
Encryption implies the proper recipient can easily decipher the message back 
to its plain text form. SHA1 is designed to resist reversal, even by 
the originator. (It's also designed to resist collision, but that is 
showing signs of weakness.)

However, it wouldn't surprise me if bots are using SHA1 for some kind of 
shared-secret authentication scheme.  You could do a system that works 
much like CRAM-MD5, or any one of many hash-based challenge-response 
schemes. This would be a good way to keep people other than the 
originator of the bot from gaining control of it. Something that 
protects the bot "owner" from having his botnet invaded by others.

I also would not be surprised if they use encryption too.
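As an added illustration of the CRAM-style hash-based challenge-response scheme mentioned above (example code written for this page, not from either poster or from Snort), here is a minimal exchange in which the "SHA-1: <base64>" on the wire is an HMAC-SHA1 over a server nonce, so a passive observer sees a hash-shaped token but never the shared secret. The secret, the nonce size and the exact wire prefix are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed shared secret for the demo; not a value from the thread.
SHARED_SECRET = b"example-shared-secret"
WIRE_PREFIX = "SHA-1:  "  # assumed tag, mirroring the observed traffic


def make_challenge(nbytes: int = 16) -> bytes:
    """Server side: a fresh random nonce, sent in the clear."""
    return os.urandom(nbytes)


def respond(secret: bytes, challenge: bytes) -> str:
    """Client side: prove knowledge of the secret without sending it.

    The response is base64(HMAC-SHA1(secret, challenge)); the secret
    itself never appears on the wire, and the hash is not reversible.
    """
    digest = hmac.new(secret, challenge, hashlib.sha1).digest()
    return WIRE_PREFIX + base64.b64encode(digest).decode("ascii")


def verify(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected value and compare in constant time."""
    if not response.startswith(WIRE_PREFIX):
        return False
    try:
        got = base64.b64decode(response[len(WIRE_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(got, expected)


def run_exchange(client_secret: bytes, server_secret: bytes) -> bool:
    """Drive one full challenge/response round and report whether it passes."""
    challenge = make_challenge()          # server -> client (plaintext nonce)
    response = respond(client_secret, challenge)  # client -> server
    return verify(server_secret, challenge, response)


if __name__ == "__main__":
    print("same secret  :", run_exchange(SHARED_SECRET, SHARED_SECRET))
    print("wrong secret :", run_exchange(b"intruder", SHARED_SECRET))
```

Because the nonce changes every time, a captured response cannot be replayed against a later challenge, which is the property that keeps anyone but the secret holder from passing the check.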

