By Joris Evers
Staff Writer, CNET News.com
November 14, 2005
WASHINGTON -- In their quest to retain control over hijacked PCs,
cybercriminals will add encryption to their malicious software to
avoid detection and removal, one expert predicted Monday.
In the near future, bots will include encryption to hide their
presence from security and network sniffing tools often used to detect
their presence, said Adam Meyers, an information assurance engineer at
SRA International, speaking at the Computer Security Institute.
"We will see encrypted sessions, and as things become encrypted, we'll
have a more difficult time investigating botnets," Meyers said.
Once it is installed on a PC, bot software typically connects to an
Internet Relay Chat (IRC) server to listen for commands. The IRC traffic can be a
giveaway to the presence of bot software on a PC and can be spotted by
security software such as intrusion detection systems (IDS) or
protocol analyzers, for example Ethereal.
"Bot creators will try to evade IDSes that might be looking for IRC
connections and to avoid things like Ethereal," Meyers said. "They
will do pretty much anything to obfuscate what they are doing. It is a
constant change-off; with new techniques it will take some time for
people on the investigatory side to get on the same page."
Bots are a serious computer security problem, and law enforcement
seems to just be catching up to it. Earlier this month, authorities
announced the first bot-related arrest in the U.S. In October, police
in the Netherlands said three men suspected of hijacking about 1.5
million PCs were arrested.
A computer that has bot software installed--for example through a
malicious Web site or Trojan horse--is called a zombie. A network of
zombies is referred to as a botnet. The zombies can be controlled
remotely by the attacker, who can send commands while the owner is
oblivious to what's happening.
Botnets are often rented out by their owners, called bot herders, to
relay spam and launch phishing scams to steal sensitive personal data
for fraud. Botnets have also been used in blackmail schemes, where the
criminals threaten online businesses with a denial-of-service attack
on their Web site to extort money.
The bot writers have a choice of a variety of encryption technologies,
according to Meyers. They could use SSH, SSL (Secure Sockets Layer),
ROT-13 or a proprietary method, Meyers said. Such a bot would be
harder to craft than today's bots, but worthwhile, he said.
"The longer they keep their bot in place, the better it is for them,
the more money they are going to make," Meyers said.
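To make the detection gap Meyers describes concrete, here is an added example written for this edition of the article; it is not code from the article, from Meyers or from SRA International. It plays the role of the plaintext IRC check that an IDS rule or an Ethereal display filter makes, then shows what becomes of that check when the same command traffic is ROT-13'd and when it is replaced by an opaque, encrypted-looking stream. The sample payloads are constructed, the seeded pseudo-random blob is only a stand-in for ciphertext, and the IRC port list and entropy threshold are assumptions chosen for the demonstration.

```python
import math
import random
import re
from collections import Counter

# Constructed sample payloads; none of this is captured traffic.
# A plaintext IRC bot check-in of the kind the article says an IDS can spot.
PLAIN_IRC = (
    b"NICK zmb-8823\r\n"
    b"USER zmb 0 * :zmb\r\n"
    b"JOIN #ctrl\r\n"
    b"PRIVMSG #ctrl :online\r\n"
)
# A benign HTTP request that should not trip any rule.
PLAIN_HTTP = b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n"

IRC_PORTS = {6667, 6697}   # assumption: ports on which this heuristic expects IRC
ENTROPY_THRESHOLD = 6.0    # assumption: bits/byte above which a payload is "opaque"

# Hypothetical IDS content rule: a line that begins with a common IRC verb.
IRC_VERB = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE)\b", re.IGNORECASE)


def rot13(data: bytes) -> bytes:
    """ROT-13 over ASCII letters only; every other byte passes through unchanged."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def irc_signature_match(payload: bytes) -> bool:
    """Content signature: does any line of the payload start with an IRC verb?"""
    return any(IRC_VERB.match(line) for line in payload.splitlines())


def make_opaque_blob(n: int = 2048, seed: int = 2005) -> bytes:
    """Seeded pseudo-random bytes standing in for an encrypted session (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def classify(payload: bytes, dst_port: int) -> str:
    """Layered check: plaintext signature, then the same signature after undoing
    ROT-13, then an entropy heuristic that applies only on ports where IRC is expected."""
    if irc_signature_match(payload):
        return "irc-plaintext"
    # ROT-13 is a fixed substitution, so the analyst can simply decode and re-match.
    if irc_signature_match(rot13(payload)):
        return "irc-rot13"
    # Real encryption leaves no verbs to match; only metadata such as the port remains.
    if dst_port in IRC_PORTS and shannon_entropy(payload) > ENTROPY_THRESHOLD:
        return "opaque-on-irc-port"
    return "no-match"


if __name__ == "__main__":
    blob = make_opaque_blob()
    for name, payload, port in [
        ("plaintext IRC", PLAIN_IRC, 6667),
        ("ROT-13 IRC", rot13(PLAIN_IRC), 6667),
        ("opaque on 6667", blob, 6667),
        ("opaque on 443", blob, 443),
        ("HTTP", PLAIN_HTTP, 80),
    ]:
        print(f"{name:15s} entropy={shannon_entropy(payload):.2f} -> {classify(payload, port)}")
```

Two things fall out of running this. ROT-13 is a fixed substitution, so the detector just decodes and re-matches, and because it only permutes letters it does not even change the byte distribution: the plaintext and ROT-13 payloads have identical entropy. Genuine encryption such as SSL or SSH removes every content signature, leaving the last rule to fall back on metadata (destination port plus payload entropy), and the "opaque on 443" case shows its blind spot: the same stream on a port where encrypted traffic is normal looks like ordinary HTTPS, which is the evasion Meyers predicts.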
Copyright ©1995-2005 CNET Networks, Inc. All rights reserved.