by Xk 5467 days ago
> Maybe it is public/private key, and they use (derive?) the public key from the name of the server?

How would that work though? Maybe I just don't know enough, but I can't think of a way to generate a public key from some known source, and then somehow derive a private key from that source such that no one else can derive that same private key.

I guess you could generate an RSA key pair using the domain name as a seed for your random number generator, but that seems like a terrible idea. As soon as they introduce some real randomness into it, then you're no longer deriving the key from the domain name.

I also suspect (2), but I wouldn't be surprised if they added some extra distortion to make the article read more like "Look how impressive these guys are! They made their own encryption algorithm!".

2 comments
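
Added example (not part of the thread or of the analysis it links to): a sketch of the seeded-RNG idea raised in Xk's comment, showing that anyone who knows the domain name regenerates the same private key, and that mixing in real entropy breaks the name-to-key link. It uses textbook RSA at a toy key size; the domain and all function names are constructed for illustration.

```python
import random
from math import gcd

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; witnesses are drawn from the supplied RNG."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(rng, bits, e):
    """Next prime candidate from rng with p-1 coprime to e."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if gcd(p - 1, e) == 1 and is_probable_prime(p, rng):
            return p

def rsa_keypair(seed, bits=512, e=65537):
    """Textbook RSA keypair whose primes depend only on `seed` (toy size)."""
    rng = random.Random(seed)          # deterministic: same seed, same stream
    p = gen_prime(rng, bits // 2, e)
    q = gen_prime(rng, bits // 2, e)
    while q == p:
        q = gen_prime(rng, bits // 2, e)
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

DOMAIN = "c2.example.invalid"          # constructed placeholder name
server_pub, server_priv = rsa_keypair(DOMAIN)
observer_pub, observer_priv = rsa_keypair(DOMAIN)   # anyone who sees the name

def observer_can_decrypt(message=0x1234567890ABCDEF):
    """Encrypt to the server's public key, decrypt with the observer's copy."""
    ciphertext = pow(message, server_pub[1], server_pub[0])
    return pow(ciphertext, observer_priv, server_pub[0]) == message

def salted_key_differs():
    """With real entropy mixed in, the key is no longer a function of the name."""
    salt = random.SystemRandom().getrandbits(128)
    return rsa_keypair(f"{DOMAIN}:{salt}")[0] != server_pub
```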

DISCLAIMER: I'm not even a rookie at crypto; I'm just trying to make sense of what I'm reading, like you are.

From [1]:

> The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

A bit later:

> The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

So we have authentication of the C&C through encryption ("block other cybercriminals"), and obfuscation of the payload through encryption ("protect from network traffic analysis"). I suppose the bsh parameter is used for auth, and the domain name just to scramble the payload.

[1] http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

Maybe the server generates the private key/public key pair, then derives the domain name from the public key (e.g., long-random-string-that-comes-from-public-key.dyndns.com)? This derivation process could be the "encryption algorithm" the article refers to?

The client is given the new servername via the P2P network, then derives the public key from the hostname, encrypts using it and communicates with the server which can decode using the private key.

I'm not sure what the max length of a hostname is, which might be a problem.

Another possibility is to put the public key in a TEXT DNS for the server hostname. That could be what they meant maybe?