[Snort-users] Bots using encryption?
nick at ...11410...
Wed Mar 16 12:38:16 EST 2005
Matt Kettler wrote:
> Jeff Kell wrote:
>> Are the bots encrypting now?
> I also would not be surprised if they use encryption too.
I would be surprised. A few weeks ago I was commenting to a coworker
about how it seemed strange that the zombie reports to the botnet
channel were in plain English, e.g. "Scanning 10.0.x.x on port 445 with a
delay of 1 second." Why not use a more efficient and coded protocol, I
asked? We came to the conclusion that the protocol was simple so the
script-kiddies could just sit in a channel and watch the reports. KISS
-- Keep it Simple Stupid. Obviously this is pure speculation.

I don't understand how encryption could really serve as an advantage to
the botnets. It would be difficult to implement, would be more
proprietary (e.g. you can't just use LeetBackdoorIRC1.7 on hacked PCs with
existing back doors), and I fail to see the advantage.

Anyone know if there is a good analysis of the actual capabilities of
existing botnet software anywhere?