In their quest to retain control over hijacked PCs, cybercriminals will add encryption to their malware to avoid detection and removal, one expert predicted on Monday.
In the near future, bots will include encryption to hide their presence from the security and network-sniffing tools often used to detect them, said Adam Meyers, an information assurance engineer at SRA International, speaking at the Computer Security Institute conference in Washington.
"We will see encrypted sessions and as things become encrypted, we'll have a more difficult time investigating botnets," Meyers said.
Once installed on a PC, bot software typically connects to an Internet Relay Chat (IRC) server and listens for commands. That IRC traffic can give away the presence of bot software on a PC, because it can be spotted by security tools such as intrusion detection systems (IDS) or protocol analysers, for example Ethereal.
"Bot creators will try to evade IDSes that might be looking for IRC connections and to avoid things like Ethereal," Meyers said. "They will do pretty much anything to obfuscate what they are doing. It is a constant change-off; with new techniques it will take some time for people on the investigatory side to get on the same page."
Bots are a serious computer security problem, and law enforcement seems only now to be catching up. Earlier this month, authorities announced the first bot-related arrest in the US. In October, police in the Netherlands said three men suspected of hijacking about 1.5 million PCs had been arrested.
A computer that has bot software installed — for example through a malicious Web site or Trojan horse — is called a zombie. A network of zombies is referred to as a botnet. The zombies can be controlled remotely by the attacker, who can send commands while the owner is oblivious to what's happening.
Botnets are often rented out by their owners, called bot herders, to relay spam and launch phishing scams to steal sensitive personal data for fraud. Botnets have also been used in blackmail schemes, where the criminals threaten online businesses with a denial-of-service attack on their Web site to extort money.
Bot writers can choose from a variety of encryption technologies, according to Meyers: SSH, SSL, ROT-13 or a proprietary method. Such a bot would be harder to craft than today's bots, but worthwhile, he said.
"The longer they keep their bot in place, the better it is for them, the more money they are going to make," Meyers said.
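As an added illustration of the detection problem the article describes (this is example code written for this page, not code from the article or from Meyers' talk), the Python script below applies two defender-side checks to constructed sample traffic. The first is the kind of payload signature an IDS uses to spot cleartext IRC commands such as NICK, JOIN and PING; the second is a flow-timing heuristic that ignores payload entirely and flags a host that reconnects to the same peer on a fixed schedule. The packets, addresses, timings and verb list are all assumptions made for the example. The point it shows is that once the session is encrypted the signature check goes blind, while the timing check still fires, because encryption hides what a bot says but not when and where it talks.

```python
"""Toy walk-through: payload signatures for cleartext IRC versus a
flow-timing heuristic that survives encryption.
Added example; all traffic below is constructed, not a real capture."""
import re
from collections import defaultdict
from statistics import median

# Assumption: a minimal list of IRC verbs an IDS rule might anchor on.
# Real rule sets are richer; this is enough to demonstrate the idea.
IRC_VERB_RE = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|TOPIC)\b",
                         re.IGNORECASE | re.MULTILINE)


def irc_signature_hits(payload):
    """Return the IRC verbs found at line starts in a cleartext payload."""
    return [m.group(1).decode("ascii").upper()
            for m in IRC_VERB_RE.finditer(payload)]


def beacon_regularity(timestamps, tolerance=0.2):
    """Fraction of inter-connection gaps within +/- tolerance of the median gap.
    Needs at least four connections to say anything; returns 0.0 otherwise."""
    if len(timestamps) < 4:
        return 0.0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mid = median(gaps)
    if mid <= 0:
        return 0.0
    regular = sum(1 for g in gaps if abs(g - mid) <= tolerance * mid)
    return regular / len(gaps)


def analyse(packets, beacon_threshold=0.8):
    """Group packets into (src, dst, dport) flows and report which check fires.
    packets: iterable of (t_seconds, src, dst, dport, payload_bytes)."""
    flows = defaultdict(lambda: {"times": [], "verbs": set()})
    for t, src, dst, dport, payload in packets:
        flow = flows[(src, dst, dport)]
        flow["times"].append(t)
        flow["verbs"].update(irc_signature_hits(payload))
    report = {}
    for key, flow in flows.items():
        reg = beacon_regularity(flow["times"])
        report[key] = {
            "irc_signature": bool(flow["verbs"]),
            "verbs": sorted(flow["verbs"]),
            "beacon_regularity": round(reg, 2),
            "beaconing": reg >= beacon_threshold,
        }
    return report


# Constructed sample traffic (made up for this example).
# Flow A: cleartext IRC bot that registers, joins a channel, then pings every 30 s.
FLOW_A = [(30 * i, "10.0.0.5", "203.0.113.7", 6667,
           b"NICK zombie5\r\nUSER z 0 * :z\r\nJOIN #ctl\r\n" if i == 0
           else b"PING :srv\r\n")
          for i in range(8)]
# Flow B: same 30 s cadence, but the payload is opaque bytes standing in for an
# encrypted session, so there is nothing for the signature to match.
OPAQUE = bytes.fromhex("17030300208f4ab3c1d9e27705a6f0bd3e1c9b27d4e8f6a0c35b7d91e2406fa8cc")
FLOW_B = [(30 * i + 5, "10.0.0.9", "203.0.113.8", 443, OPAQUE) for i in range(8)]
# Flow C: a user browsing, opaque payload at irregular times (should not fire).
FLOW_C = [(t, "10.0.0.12", "198.51.100.3", 443, OPAQUE)
          for t in (3, 10, 47, 52, 130, 131, 200, 260)]
SAMPLE_TRAFFIC = FLOW_A + FLOW_B + FLOW_C

if __name__ == "__main__":
    for key, verdict in analyse(SAMPLE_TRAFFIC).items():
        print(key, verdict)
```

Run as a script it prints one verdict per flow: the cleartext bot is caught by both checks, the "encrypted" bot only by the timing check, and the browsing host by neither. The timing heuristic is deliberately crude (a single median-gap test); in practice it would be one feature among several, since legitimate software also polls on schedules, but it is the sort of metadata-based signal investigators fall back on when payload inspection stops working.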






Talkback
Is this a joke? Please tell me this article is an early/late April Fool's joke. I mean really - let's be somewhat grounded here. Worms that act in a "retarded" but mass effort haven't _commonly_ used encryption for the past 5 years or so (some of the unix ones, back when there were unix worms, did). However, most of the manual and even auto-rooter compromises I've been looking at for the past few years are doing this - whether it's encryption or "binary" protocols the backdoor runs over, the effect is the same (the doomsday effect of IDS evasion. Wow. That's a new and exciting subject.[1]) This is a great example of conference schedulers *desperate* for speakers and "journalists" desperate for content.
[1] - http://www.google.com/search?q=ids%20evasion
Results 1 - 100 of about 137,000 for ids evasion.
It started with a lot of spam coming into my PC. I opened something - I think a pop-up - and registered. Also I filled in some subsequent surveys. Due to a possible career change I was interested in, I was emailed by someone, and over a few months we formed a friendship online. I won't go into the details here. We met briefly and she had physical access to my PC twice and my laptop once. Some time later, I received blackmail emails with an attachment containing information I had given her regarding a family member. I was threatened that this information would be passed on if I didn't pay a sum of money. I paid the money - big mistake. I was later threatened and blackmailed again. This time it was much more serious - if I didn't pay a large sum of money, they would tell someone I'm close to that I paid the money to have him killed. They said they could make it look so. Now it seems that they set up an email account and it looks like I set it up. Emails have been produced with my name on them, sent to a 'hired assassin'. It's like a bad movie. But the emails have gotten into the hands of the police and they seem to believe that I sent them. They are waiting for information re where the email account was set up. If it happens to have been at my PC, I don't know how I can convince them I didn't do it. Basically, they used information that I had emailed to the original contact. They edited my emails and used some of the text, but in a different context, i.e. they put personal information about me in with instructions to kill and it looks very real. Can anyone explain if this could be done remotely? The email address, which is a Yahoo address, was not set up until about 6 weeks after physical access to my PC and laptop. Has anything like this happened to anyone else out there? I'm desperate for any help I can get. My life is in tatters and my family is very badly affected.