Bots may get cloak of encryption

To retain control over hijacked PCs, cybercriminals will add encryption capabilities to their bots, a security expert predicts.

Joris Evers, Staff Writer, CNET News.com
WASHINGTON--In their quest to retain control over hijacked PCs, cybercriminals will add encryption to their malicious software to avoid detection and removal, one expert predicted Monday.

In the near future, bots will use encryption to hide from the security and network-sniffing tools commonly used to detect them, said Adam Meyers, an information assurance engineer at SRA International, speaking at the Computer Security Institute conference here.

"We will see encrypted sessions, and as things become encrypted, we'll have a more difficult time investigating botnets," Meyers said.

Once it is installed on a PC, bot software typically connects to Internet Relay Chat (IRC) to listen for commands. The IRC traffic can give away the presence of bot software on a PC, and it can be spotted by security tools such as intrusion detection systems (IDS) or protocol analyzers, for example Ethereal.

"Bot creators will try to evade IDSes that might be looking for IRC connections and to avoid things like Ethereal," Meyers said. "They will do pretty much anything to obfuscate what they are doing. It is a constant change-off; with new techniques it will take some time for people on the investigatory side to get on the same page."

Bots are a serious computer security problem, and law enforcement seems to just be catching up to it. Earlier this month, authorities announced the first bot-related arrest in the U.S. In October, police in the Netherlands said three men suspected of hijacking about 1.5 million PCs were arrested.

A computer that has bot software installed--for example through a malicious Web site or Trojan horse--is called a zombie. A network of zombies is referred to as a botnet. The zombies can be controlled remotely by the attacker, who can send commands while the owner is oblivious to what's happening.

Botnets are often rented out by their owners, called bot herders, to relay spam and launch phishing scams to steal sensitive personal data for fraud. Botnets have also been used in blackmail schemes, where the criminals threaten online businesses with a denial-of-service attack on their Web site to extort money.

Bot writers have a variety of encryption technologies to choose from, according to Meyers: SSH, SSL (Secure Sockets Layer), ROT-13 or a proprietary method. Such a bot would be harder to craft than today's bots, but worthwhile, he said.
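To illustrate the detection gap described in the IRC passage above and the encryption options just listed, here is an added example written for this page (not code from CNET, SRA International or any product). It classifies constructed packet payloads the way a simple protocol analyzer might: a plaintext IRC command is flagged on any port, a ROT-13'd command is caught only after undoing the rotation, and a payload that is opaque on a port that normally carries cleartext is flagged by an entropy heuristic instead. The sample flows, port list and entropy threshold are all assumptions.

```python
import codecs
import math
import re
from collections import Counter

# Constructed sample flows as (dst_port, payload); not real captured traffic.
SAMPLE_FLOWS = [
    (6667, b"NICK zombie1234\r\nUSER zombie 0 * :bot\r\nJOIN #c2\r\n"),
    (8080, b"PRIVMSG #c2 :!status\r\n"),          # IRC on a non-IRC port
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (6667, b"CEVIZFT #p2 :!fgnghf\r\n"),         # the same command, ROT-13'd
    (7000, bytes((i * 73 + 17) % 256 for i in range(200))),  # opaque bytes
]

# Plaintext IRC commands at the start of a line, regardless of port.
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|TOPIC)\b")
# Assumed ports where an opaque (encrypted) payload is expected, not suspicious.
ENCRYPTED_PORTS = {22, 443, 993, 995}
ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed cut-off, tune per network

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(port: int, payload: bytes) -> str:
    """Label one flow as 'irc', 'irc-rot13', 'opaque' or 'clear'."""
    for line in payload.split(b"\r\n"):
        if IRC_CMD.match(line):
            return "irc"
        # ROT-13 is one of the obfuscations named in the article; undo it
        # and re-check, since the plain signature no longer sees the command.
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            continue
        if IRC_CMD.match(codecs.decode(text, "rot_13").encode("ascii")):
            return "irc-rot13"
    # No readable protocol and high entropy on a port that should carry
    # cleartext: the kind of session a signature-based IDS cannot read.
    if port not in ENCRYPTED_PORTS and shannon_entropy(payload) > ENTROPY_THRESHOLD:
        return "opaque"
    return "clear"

def scan(flows):
    """Return [(port, label), ...] for every flow in the capture."""
    return [(port, classify(port, payload)) for port, payload in flows]
```

Running `scan(SAMPLE_FLOWS)` labels the five constructed flows irc, irc, clear, irc-rot13 and opaque; the last label is the limit of this approach, since an encrypted session can only be noticed, not read.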

However, other experts have contended that bot creators have already been using encryption. "Some bots have had that capability since at least 1999," Dave Dittrich, a researcher at the University of Washington's i-School, wrote in an e-mail to CNET News.com.

"The longer they keep their bot in place, the better it is for them, the more money they are going to make," Meyers said.