[Snort-users] Bots using encryption?

Matt Kettler mkettler at ...4108...
Wed Mar 16 14:04:51 EST 2005


Nick Hatch wrote:

>
> I would be surprised. A few weeks ago I was commenting to a coworker 
> about how it seemed strange that the zombie reports to the botnet 
> channel were in plain English, e.g. "Scanning 10.0.x.x on port 445 with 
> a delay of 1 second." Why not use a more efficient and coded protocol, 
> I asked? We came to the conclusion that the protocol was simple so the 
> script-kiddies could just sit in a channel and watch the reports. KISS 
> -- Keep It Simple, Stupid. Obviously this is pure speculation.
>
> I don't understand how encryption could really serve as an advantage 
> to the botnets. It would be difficult to implement, would be more 
> proprietary (e.g. you can't just use LeetBackdoorIRC1.7 on hacked PCs 
> with existing back doors), and I fail to see the advantage.


1) Encryption is not difficult to implement, it's trivial to implement. 
It's rather difficult to make a truly secure encryption system, but just 
adding RC4 to an existing system isn't hard. It might be crackable 
without a bit of extra work, but it's not going to be easily recognized.

2) There are plenty of backdoor bots out there that do this. So 
implementation cost for kiddies is 0.
An example bot from 2001 that does encryption:
http://www.megasecurity.org/trojans/x/xot/Xot0.5b2.html

3) More proprietary is an advantage. After all, if you can use 
LeetBackdoorIRC1.7, so can anyone else. You don't want some other 
two-bit skript kiddie stealing your bots. Protection of your turf and 
avoiding bot thieves is a benefit here. It's also pretty easy

4) The other advantage is reduced chance of detection, or if detected, a 
reduced chance of the admin realizing what you're doing. A bunch of 
random binary garbage is less likely to trip an IDS than text-mode strings.

Now, admittedly most popular bots are not going to do this, but to 
believe that none of them would do this is unwise.
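As an added illustration of point 4 from the detection side (this is example code, not anything posted in the thread): a heuristic that flags high-entropy, non-printable payloads on plaintext IRC ports, which is the one place where "random binary garbage" is itself a signal even though text-mode signatures would miss it. The port list, thresholds and both sample payloads are assumptions constructed for the example.

```python
import math
import random
import string

PLAINTEXT_IRC_PORTS = {6667, 6668, 6669}   # assumed watch list; 6697 (IRC over TLS) is legitimately opaque
PRINTABLE = frozenset(string.printable.encode())

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (IRC commands and chat text are ~100%)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 1.0

def looks_like_opaque_irc(dst_port: int, payload: bytes, min_len: int = 32,
                          entropy_min: float = 6.0, printable_max: float = 0.6) -> bool:
    """True when a payload on a plaintext IRC port is high-entropy, non-text data.

    Short messages (PING/PONG, JOIN) are skipped: a few bytes cannot carry
    enough entropy to judge, so they would only produce false positives.
    """
    if dst_port not in PLAINTEXT_IRC_PORTS or len(payload) < min_len:
        return False
    return (shannon_entropy(payload) >= entropy_min
            and printable_ratio(payload) <= printable_max)

# Constructed samples: a plain-English zombie report like the one quoted in the
# thread, and a stream of seeded pseudo-random bytes standing in for a ciphered
# report of the same kind (no real cipher is involved here).
PLAINTEXT_REPORT = (b"PRIVMSG #chan :Scanning 10.0.x.x on port 445 "
                    b"with a delay of 1 second.\r\n")
_rng = random.Random(2005)
OPAQUE_REPORT = bytes(_rng.getrandbits(8) for _ in range(512))

if __name__ == "__main__":
    for label, pkt in (("plaintext", PLAINTEXT_REPORT), ("opaque", OPAQUE_REPORT)):
        print(f"{label:9s} entropy={shannon_entropy(pkt):.2f} "
              f"printable={printable_ratio(pkt):.2f} "
              f"flag={looks_like_opaque_irc(6667, pkt)}")
```

Thresholds are starting points; compressed file transfers (DCC) on the same ports will also trip this, so treat a hit as a lead to inspect, not a verdict.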