Snort mailing list archives

Re: Bots using encryption?


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 16 Mar 2005 14:09:23 -0500

Jeff Kell wrote:

Tracking host traffic after a bot signature (MySQL, bleeding sig 2001690) I've run into some encrypted traffic. After 3-way handshake the thing fires off a "SHA-1: " followed by a base-64 string.

Are the bots encrypting now?

Well, SHA1 isn't an encryption algorithm, it's a hash algorithm. Encryption implies the proper recipient can easily decipher the message back to its plain-text form. SHA1 is designed to resist reversal, even by the originator. (It's also designed to resist collision, but that is showing signs of weakness.)

However, it wouldn't surprise me if bots are using SHA1 for some kind of shared-secret authentication scheme. You could do a system that works much like CRAM-MD5, or any one of many hash-based challenge-response schemes. This would be a good way to keep people other than the originator of the bot from gaining control of it. Something that protects the bot "owner" from having his botnet invaded by others.

I also would not be surprised if they use encryption too.
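The kind of hash-based challenge-response scheme the reply describes, written out as an added example that is not part of this thread and not taken from any bot: one side issues a random challenge, the other answers with an HMAC-SHA1 of that challenge keyed by a shared secret, base64-encoded and prefixed with the "SHA-1: " tag seen in the capture. The secret value, the message framing and the helper names are all constructed for illustration. The example also shows, from the observer's side, why a captured response is a keyed digest rather than ciphertext, why it cannot be reused against a fresh challenge, and how a 20-byte SHA-1 digest looks once base64-encoded (28 characters ending in one "="), which is the shape a packet analyst can check for.

```python
import base64
import hashlib
import hmac
import os
import re

PREFIX = "SHA-1: "  # framing assumed from the capture described in the thread

# A 20-byte SHA-1 digest base64-encodes to exactly 28 characters, the last being '='.
SHA1_B64_RE = re.compile(r"^SHA-1: [A-Za-z0-9+/]{27}=$")


def make_challenge(nonce_len: int = 16) -> bytes:
    """Challenger side: a fresh random nonce for every session."""
    return os.urandom(nonce_len)


def client_response(secret: bytes, challenge: bytes) -> str:
    """Responder side: prove knowledge of the shared secret without sending it.

    The tag is HMAC-SHA1(secret, challenge); the secret never crosses the wire.
    """
    tag = hmac.new(secret, challenge, hashlib.sha1).digest()
    return PREFIX + base64.b64encode(tag).decode("ascii")


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Challenger side: recompute the tag and compare in constant time."""
    if not response.startswith(PREFIX):
        return False
    try:
        tag = base64.b64decode(response[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)


def looks_like_sha1_response(line: str) -> bool:
    """Observer side: does a line have the shape of a base64 SHA-1 digest?

    This is a shape check only; it says nothing about what keyed the digest.
    """
    return SHA1_B64_RE.match(line.strip()) is not None


def replay_is_rejected(secret: bytes) -> bool:
    """Show that a response captured for one challenge fails a fresh challenge."""
    first = make_challenge()
    captured = client_response(secret, first)
    second = make_challenge()
    # Valid for the session it was made for, useless for the next one.
    return verify_response(secret, first, captured) and not verify_response(secret, second, captured)


if __name__ == "__main__":
    # Constructed secret; a real deployment would use a high-entropy key.
    shared_secret = b"constructed-shared-secret"
    challenge = make_challenge()
    reply = client_response(shared_secret, challenge)
    print("wire line:", reply)
    print("verified:", verify_response(shared_secret, challenge, reply))
    print("digest-shaped:", looks_like_sha1_response(reply))
    print("replay rejected:", replay_is_rejected(shared_secret))
```

The verifier compares with `hmac.compare_digest` rather than `==` so a wrong guess does not leak how many leading bytes matched. The shape check is deliberately weak evidence on its own: any 20-byte value base64-encodes the same way, so it is a trigger for closer inspection of the session, not proof of a particular protocol.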

