Snort mailing list archives

Re: Bots using encryption?


From: Nick Hatch <nick () restek wwu edu>
Date: Wed, 16 Mar 2005 12:36:25 -0800

Matt Kettler wrote:
> Jeff Kell wrote:
>> [...]
>> Are the bots encrypting now?
>
> [...]
> I also would not be surprised if they use encryption too.

I would be surprised. A few weeks ago I was commenting to a coworker about how it seemed strange that the zombie reports to the botnet channel were in plain English, e.g. "Scanning 10.0.x.x on port 445 with a delay of 1 second." Why not use a more efficient and coded protocol, I asked? We came to the conclusion that the protocol was simple so the script-kiddies could just sit in a channel and watch the reports. KISS -- Keep it Simple Stupid. Obviously this is pure speculation.

I don't understand how encryption could really serve as an advantage to the botnets. It would be difficult to implement, would be more proprietary (e.g. you can't just use LeetBackdoorIRC1.7 on hacked PCs with existing back doors), and I fail to see the advantage.

Anyone know if there is a good analysis of the actual capabilities of existing botnet software anywhere?

-Nick

