[Snort-users] Bots using encryption?
mkettler at ...4108...
Wed Mar 16 11:11:19 EST 2005
Jeff Kell wrote:
> Tracking host traffic after a bot signature (MySQL, bleeding sig
> 2001690) I've run into some encrypted traffic. After 3-way handshake
> the thing fires off a "SHA-1: " followed by a base-64 string.
> Are the bots encrypting now?
Well, SHA1 isn't an encryption algorithm, it's a hash algorithm.
Encryption implies the proper recipient can easily decipher the message back
to its plaintext form. SHA1 is designed to resist reversal, even by
the originator. (It's also designed to resist collision, but that is
showing signs of weakness.)
However, it wouldn't surprise me if bots are using SHA1 for some kind of
shared-secret authentication scheme. You could do a system that works
much like CRAM-MD5, or any one of many hash-based challenge-response
schemes. This would be a good way to keep people other than the
originator of the bot from gaining control of it. Something that
protects the bot "owner" from having his botnet invaded by others.
I also would not be surprised if they use encryption too.
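The hash-based challenge-response scheme Matt describes above, worked through as an added example. This is not code from the post and not the actual bot's protocol: it assumes HMAC-SHA1 over a random per-connection challenge, reuses the "SHA-1: <base64>" line format from Jeff's capture as the wire encoding, and uses a constructed shared secret. It shows both sides of the exchange, why a party without the secret cannot take control, and why a captured response cannot simply be replayed.

```python
import base64
import hashlib
import hmac
import os

# Constructed value for the example; the real bot's secret and framing are unknown.
SHARED_SECRET = b"example-bot-secret"
PREFIX = "SHA-1: "  # assumed wire format, modelled on the captured traffic


def make_challenge(nbytes: int = 16) -> bytes:
    """Controller side: a fresh random nonce, one per connection."""
    return os.urandom(nbytes)


def respond(secret: bytes, challenge: bytes) -> str:
    """Client side: prove knowledge of the secret without ever sending it.

    The response is an HMAC-SHA1 tag over the challenge, base64 encoded and
    prefixed the way the captured line was. SHA1 here is a keyed hash, not
    encryption: nothing on the wire can be "decrypted" back to the secret.
    """
    tag = hmac.new(secret, challenge, hashlib.sha1).digest()
    return PREFIX + base64.b64encode(tag).decode("ascii")


def verify(secret: bytes, challenge: bytes, line: str) -> bool:
    """Controller side: recompute the expected tag and compare in constant time."""
    if not line.startswith(PREFIX):
        return False
    try:
        tag = base64.b64decode(line[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret, challenge, hashlib.sha1).digest()
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(tag, expected)


def run_exchange(client_secret: bytes, controller_secret: bytes = SHARED_SECRET) -> bool:
    """Full exchange: controller issues a challenge, client answers, controller checks.

    Returns True only when the client holds the same secret as the controller,
    which is what keeps a third party from taking over the bot.
    """
    challenge = make_challenge()
    line = respond(client_secret, challenge)
    return verify(controller_secret, challenge, line)


def replay_fails(secret: bytes = SHARED_SECRET) -> bool:
    """A response recorded for one challenge is useless against the next one.

    An eavesdropper who captured the "SHA-1: ..." line still cannot answer a
    fresh challenge, because the tag is bound to the nonce it was computed over.
    """
    first = make_challenge()
    captured = respond(secret, first)
    second = make_challenge()
    return verify(secret, first, captured) and not verify(secret, second, captured)


if __name__ == "__main__":
    print("legitimate owner:", run_exchange(SHARED_SECRET))
    print("someone else:    ", run_exchange(b"not-the-secret"))
    print("replay rejected: ", replay_fails())
```

Seen from a sensor, every connection produces a different "SHA-1: " line even though the secret never changes, so the base64 payload itself is not a useful signature; the fixed prefix and the exchange pattern are.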