[Snort-users] Bots using encryption?

Nick Hatch nick at ...11410...
Wed Mar 16 12:38:16 EST 2005

Matt Kettler wrote:

> Jeff Kell wrote:
>> [...]
>> Are the bots encrypting now?
> [...]
> I also would not be surprised if they use encryption too.

I would be surprised. A few weeks ago I was commenting to a coworker 
about how it seemed strange that the zombie reports to the botnet 
channel were in plain English, e.g. "Scanning 10.0.x.x on port 445 with a 
delay of 1 second." Why not use a more efficient and coded protocol, I 
asked? We came to the conclusion that the protocol was simple so the 
script-kiddies could just sit in a channel and watch the reports. KISS 
-- Keep it Simple Stupid. Obviously this is pure speculation.

I don't understand how encryption could really serve as an advantage to 
the botnets. It would be difficult to implement, would be more 
proprietary (e.g. you can't just use LeetBackdoorIRC1.7 on hacked PCs with 
existing back doors), and I fail to see the advantage.

Anyone know if there is a good analysis of the actual capabilities of 
existing botnet software anywhere?

