ZDNet UK



Encrypted bots could be the next threat

Joris Evers CNET News.com

Published: 15 Nov 2005 10:55 GMT


In their quest to retain control over hijacked PCs, cybercriminals will add encryption to their malware to avoid detection and removal, one expert predicted on Monday.

In the near future, bots will include encryption to hide their presence from the security and network sniffing tools often used to detect them, said Adam Meyers, an information assurance engineer at SRA International, speaking at the Computer Security Institute conference in Washington.

"We will see encrypted sessions and as things become encrypted, we'll have a more difficult time investigating botnets," Meyers said.

Once it is installed on a PC, bot software typically connects to Internet Relay Chat to listen for commands. The IRC traffic can be a giveaway to the presence of bot software on a PC and can be spotted by security software such as intrusion detection systems (IDS) or protocol analysers, for example Ethereal.

"Bot creators will try to evade IDS' that might be looking for IRC connections and to avoid things like Ethereal," Meyers said. "They will do pretty much anything to obfuscate what they are doing. It is a constant change-off; with new techniques it will take some time for people on the investigatory side to get on the same page."

Bots are a serious computer security problem, and law enforcement seems to be only just catching up with it. Earlier this month, authorities announced the first bot-related arrest in the US. In October, police in the Netherlands said three men suspected of hijacking about 1.5 million PCs were arrested.

A computer that has bot software installed — for example through a malicious Web site or Trojan horse — is called a zombie. A network of zombies is referred to as a botnet. The zombies can be controlled remotely by the attacker, who can send commands while the owner is oblivious to what's happening.

Botnets are often rented out by their owners, called bot herders, to relay spam and launch phishing scams to steal sensitive personal data for fraud. Botnets have also been used in blackmail schemes, where the criminals threaten online businesses with a denial-of-service attack on their Web site to extort money.

The bot writers have a choice of a variety of encryption technologies, according to Meyers. They could use SSH, SSL, ROT-13 or a proprietary method, Meyers said. Such a bot would be harder to craft than today's bots, but worthwhile, he said.

"The longer they keep their bot in place, the better it is for them, the more money they are going to make," Meyers said.
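The detection problem described above, as an added example that is not part of the original article: a payload classifier that flags cleartext IRC registration on any port, still catches it after ROT-13 because that is only letter substitution, and can only label SSL/SSH-style ciphertext as opaque by its byte entropy. The sample payloads, the 7.0 bits-per-byte threshold and all function names are assumptions made for the illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Client commands a bot sends while registering and joining a channel (RFC 1459).
IRC_CMD = re.compile(rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG) \S", re.M)
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")
ENTROPY_BITS = 7.0   # assumed cut-off in bits per byte; tune per network
MIN_LEN = 256        # entropy of shorter payloads is too noisy to use

def looks_like_irc(payload: bytes) -> bool:
    # Require two distinct commands so one stray "JOIN ..." line does not alert.
    return len({m.group(1) for m in IRC_CMD.finditer(payload)}) >= 2

def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(payload: bytes) -> str:
    if looks_like_irc(payload):
        return "irc-cleartext"
    if looks_like_irc(payload.translate(ROT13)):
        return "irc-rot13"            # letter substitution only; undone before matching
    if len(payload) >= MIN_LEN and entropy(payload) >= ENTROPY_BITS:
        return "opaque-high-entropy"  # content rules are blind; use flow metadata
    return "no-match"

# Constructed sample payloads (not captured traffic).
CLEAR = b"NICK zx81\r\nUSER zx81 0 * :zx\r\nJOIN #ctl\r\n"
SAMPLES = {
    "cleartext": CLEAR,
    "rot13": CLEAR.translate(ROT13),
    "ciphertext-like": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32)),
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} -> {classify(data)}")
```

The third result is the investigator's difficulty Meyers describes: once the session is really encrypted, the payload offers no signature, and detection has to rely on where and how often a host connects rather than on what it says.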
