> TDL-4's makers created their own encryption algorithm
Two comments about this
-- I give it maybe a week or two against a good cryptographer. You never, ever invent your own encryption algorithm.
-- Even if the encryption algorithm happens to be secure against differential/linear/slide/boomerang attacks, I bet there will be an implementation flaw. It's really hard to get implementation right on those things, even if you have an almost perfect algorithm.
Not that all of that really matters -- anything that is encrypted can be decrypted since the key lives on the computer -- but the fact that they created their own encryption algorithm gives some insight into their minds. Namely, that they think they are smarter than they really are, and that despite all of that, they don't know enough about security to stick with AES.
> and the botnet uses the domain names of the C&C servers as the encryption keys.
... what? That kind of defeats the entire purpose of encryption when the key is something like that. Besides, what are they using this encryption for? It seems more likely they want a check on the integrity of messages. And even still, a MAC is equally worthless since it's not public/private key.
Either (1) this botnet is really weak or (2) the writers of this article have distorted the truth.
> The code in the MBR uses an unsophisticated encryption algorithm, but even small modifications to the algorithm are sufficient to evade signature-based detection by most antivirus products.
> I give it maybe a week or two against a good cryptographer. You never, ever invent your own encryption algorithm.
Don't rule out the possibility that the botnet code was written by a good cryptographer. It may be that they're using a well-designed algorithm that these researchers didn't happen to recognize.
> Even if the encryption algorithm happens to be secure against differential/linear/slide/boomerang attacks, I bet there will be an implementation flaw. It's really hard to get implementation right on those things, even if you have an almost perfect algorithm.
Sometimes something that would be bad as a standard building block can hold up in a specific use case. Maybe this thing really only needs to obfuscate the communications.
> Not that all of that really matters -- anything that is encrypted can be decrypted since the key lives on the computer -- but the fact that they created their own encryption algorithm gives some insight into their minds. Namely, that they think they are smarter than they really are, and that despite all of that, they don't know enough about security to stick with AES.
I wouldn't underestimate the Russians and Eastern Europeans like that.
> [...] Either (1) this botnet is really weak or (2) the writers of this article have distorted the truth.
Probably both, at least (2).
It's really really hard to write technically accurate descriptions of these things that are also accessible to a wide enough audience that you reach the people you need to reach.
Has any botnet ever been written by a good cryptographer? I remember Vern Paxson getting a whole paper out of supposedly-skillful botnet authors not even being able to generate random numbers securely.
Undoubtedly there has been, the question is whether or not it's been released from the lab.
I don't know about its cryptography specifically, but Stuxnet, for example, is a botnet regarded as a game-changer precisely because it was such a professional hit.
BTW, I'm trying to see if there's any interest in a collaboration on the cryptanalysis of this custom encryption system. Anyone with an interest please ping me. It may turn out to be nothing.
(1) You should put your email in your "about" section so the rest of us can see it.
(2) Do you have the source of it? Do you have a non-obfuscated version?
(3) Even if the answer to both questions in (2) is "yes", I still doubt any serious cryptographers would take a look at it. They (mostly) do things to write papers, and you don't get a paper out of "we broke a really weak encryption algorithm in a botnet". The chances that the paper is instead "this botnet has a reasonable encryption algorithm" are so slim, they won't consider it.
(4) That said, there are a number of non-serious cryptographers who would find it an interesting challenge, but if they can't break it, it still doesn't mean it's any good.
(2) No, I haven't heard of anyone getting the source. There are 4.5M PCs with an obfuscated binary, so that should be obtainable. We can de-obfuscate it ourselves (it obviously has to load into memory at some point), or we can also ask other researchers who have already done this. The latter is likely to be successful according to 'who' and 'how serious' we have interested.
(3) You never know and it never hurts to ask. Don't forget, they also often have students looking for projects. Anti-botnet ops is an active research topic in data security.
(4) Yep. I doubt anyone would consider using it for anything else.
I'm not saying that's the case here, but surely cryptographers are just as corruptible as everyone else.
There's nothing preventing a scenario where someone with nefarious intent and a large pile of money convinces a skillful cryptographer into building a cipher robust enough to be resistant to cryptanalysis.
To condense a long reply: AES works just fine. If you're really paranoid, use SALSA-after-Blowfish-after-AES or something like that. Designing your own cipher is a bad idea, and I'm pretty sure you couldn't buy a sufficient number of the handful of truly competent people in this area (and even if you could, you should prefer a battle-tested algorithm.)
> SALSA-after-Blowfish-after-AES or something like that
Still you could easily end up with something much less secure than any of them used independently. For example, read about the "meet-in-the-middle" attack.
We obviously use three independent keys. The security of the composition is then at least as good as the security of the best of these algorithms. (You're right that it's not much better, but it doesn't need to be; I don't see how you get "much less", were you thinking of using the same key for each algorithm?)
If you somehow convince yourself that the NSA can break many well-known encryption algorithms and that it's willing to risk exposing this ability to shut down your botnet (which is the counterfactual I'm working off in this thread), this may give you some peace of mind: Blowfish and AES are well-tested designs by separate teams and SALSA is a very simple, very different design that you can easily implement yourself and that's pretty resistant to side-channel attacks. It seems likely that any agency that can break all three can break anything you can come up with.
When you said "something like that" I began imagining the type of liberties a well-meaning developer might take with that advice. For example, he might use the same key for all algorithms. He might use two block ciphers with two keys. The effective security you get from these constructions is notoriously counterintuitive.
> We obviously use three independent keys. The security of the composition is then at least as good as the security of the best of these algorithms.
> TDL-4's makers created their own encryption algorithm
Well, they could simply be using more than one algorithm. They could use AES as the main one and then re-encrypt everything with their own algorithm. If cryptographers break through their own created algorithm (probably just a variation of 3DES or AES) then they still have to break through the standard AES. I would be surprised if they were not doing something like this. As you say, everybody knows that you do not create your own algorithm. However, layering it with different algorithms, would probably be a good idea and it would make cryptographers work a lot harder (maybe?)
Although if the keys are as easily accessible as they say then I agree with you, what is the point?
If they're using their own algorithm and then AES, what's the point? They're worrying about AES being broken? But yeah, you're right.
Seems like it would be better to spend time on the implementation of other parts of their botnet (like ... public key cryptography instead of using domain names as a key?).
> and the botnet uses the domain names of the C&C servers as the encryption keys.
... what? That kind of defeats the entire purpose of encryption when the key is something like that. Besides, what are they using this encryption for? It seems more likely they want a check on the integrity of messages. And even still, a MAC is equally worthless since it's not public/private key.
Maybe it is public/private key, and they use (derive?) the public key from the name of the server?
Either (1) this botnet is really weak or (2) the writers of this article have distorted the truth.
I suspect (2), but I don't think they did it deliberately. I suspect it was an attempt at simplification, but they went too far.
> Maybe it is public/private key, and they use (derive?) the public key from the name of the server?
How would that work though? Maybe I just don't know enough, but I can't think of a way to generate a public key from some known source, and then somehow derive a private key from that source such that no one else can derive that same private key.
I guess you could generate an RSA key pair using the domain name as a seed for your random number generator, but that seems like a terrible idea. As soon as they introduce some real randomness into it, then you're no longer deriving the key from the domain name.
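To make the "terrible idea" concrete, here is an added example (not code from the thread or from TDL-4) of exactly that construction: textbook RSA key generation driven entirely by a PRNG seeded from the hostname, so anyone who sees the bot resolve that hostname can rerun the derivation and obtain the private exponent. The modulus is a toy 128 bits for speed, the hostname c2.example.net is constructed, and keygen_random() shows the fix (a seed from os.urandom) together with the problem the comment above raises: once real entropy goes in, the client can no longer derive the key.

```python
# Added example (not from the thread or from TDL-4): an RSA key pair derived
# deterministically from a domain name. Anyone who sees the domain can rerun
# the derivation and obtain the private key. Toy 128-bit modulus for speed.
import hashlib
import os
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with witnesses drawn from rng (kept deterministic on purpose)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(rng, bits):
    """Random odd candidate with the top bit set, until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen_from_seed(seed, bits=128):
    """Textbook RSA keygen driven by a seeded PRNG: same seed, same key pair."""
    rng = random.Random(int.from_bytes(hashlib.sha256(seed).digest(), "big"))
    e = 65537
    while True:
        p, q = gen_prime(rng, bits // 2), gen_prime(rng, bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)


def keygen_from_domain(domain):
    """The scheme being questioned above: the C&C hostname is the only seed."""
    return keygen_from_seed(domain.encode())


def keygen_random():
    """The fix: a seed nobody can reproduce (so the bot cannot derive it either)."""
    return keygen_from_seed(os.urandom(32))


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def attacker_reads_traffic(domain, ciphertext):
    """An observer who knows the hostname recomputes the private key and decrypts."""
    _, priv = keygen_from_domain(domain)
    return decrypt(priv, ciphertext)


if __name__ == "__main__":
    domain = "c2.example.net"          # constructed C&C hostname
    pub, _ = keygen_from_domain(domain)
    c = encrypt(pub, 0xC0FFEE)
    print(hex(attacker_reads_traffic(domain, c)))
```

The only secret in keygen_from_domain() is the hostname, and the hostname is the one thing every bot has to emit in cleartext to resolve it, so the "private" key is public by construction.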
I also suspect (2), but I wouldn't be surprised if they added some extra distortion to make the article read more like "Look how impressive these guys are! They made their own encryption algorithm!".
DISCLAIMER: I'm not even a rookie at crypto; I'm just trying to make sense of what I'm reading, like you are.
From [1]:
> The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.
A bit later:
> The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.
So we have authentication of the C&C through encryption ("block other cybercriminals"), and obfuscation of the payload through encryption ("protect from network traffic analysis"). I suppose the bsh parameter is used for auth, and the domain name just to scramble the payload.
Maybe the server generates the private key/public key pair, then derives the domain name from the public key (eg, long-random-string-that-comes-from-public-key.dyndns.com)? This derivation process could be the "encryption algorithm" the article refers to?
The client is given the new servername via the P2P network, then derives the public key from the hostname, encrypts using it and communicates with the server which can decode using the private key.
I'm not sure what the max length of a hostname is, which might be a problem.
Another possibility is to put the public key in a DNS TXT record for the server hostname. That could be what they meant maybe?
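The quoted description ("XOR swaps and operations", domain names as keys) is what the "defeats the entire purpose" comment earlier in the thread reacts to. The following is an added example, not the TDL-4 algorithm and not code from this thread: repeating-key XOR with the C&C hostname as the key, stood in for whatever the real code does, plus the two ways an observer gets the plaintext back. The hostnames, the message format and the "observed DNS queries" are all constructed for the demo.

```python
# Added example (not the TDL-4 code): a stand-in for "XOR with the C&C domain
# name as key", and two ways a network observer recovers the plaintext.


def xor_with_key(data, key):
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_with_observed_domains(ciphertext, domains, expected_prefix):
    """Attack 1: the key is the hostname the bot resolves, so it is in the DNS log.

    Try every observed hostname as the key and accept the one whose output
    starts with the protocol's known prefix. Returns (domain, plaintext) or None.
    """
    for d in domains:
        pt = xor_with_key(ciphertext, d.encode())
        if pt.startswith(expected_prefix):
            return d, pt
    return None


def recover_key_from_known_plaintext(ciphertext, known_prefix):
    """Attack 2: no DNS log needed. XOR the ciphertext with a known plaintext
    prefix to get the keystream prefix, then take its shortest period as the key.
    Needs a known prefix somewhat longer than the key to pin the period down."""
    ks = xor_with_key(ciphertext[: len(known_prefix)], known_prefix)
    for period in range(1, len(ks) + 1):
        if all(ks[i] == ks[i - period] for i in range(period, len(ks))):
            return ks[:period]
    return ks


def demo():
    """Constructed C&C message, hostname and DNS log; returns both attack results."""
    domain = "c2.example.net"
    msg = b'{"cmd":"update","url":"http://c2.example.net/p.bin","id":4711}'
    ct = xor_with_key(msg, domain.encode())
    observed_dns = ["ntp.example.org", "c2.example.net", "cdn.example.com"]
    found = decrypt_with_observed_domains(ct, observed_dns, b'{"cmd":')
    key = recover_key_from_known_plaintext(ct, b'{"cmd":"update","url":"http://')
    return found, key


if __name__ == "__main__":
    found, key = demo()
    print(found)
    print(key)
```

Attack 1 is the point made above: the key is visible in the bot's own DNS traffic, so the scheme offers no confidentiality against exactly the "network traffic analysis" the article says it protects against. Attack 2 shows that even without the DNS log, a fixed message header hands over the key, and then every message keyed by that hostname.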
Anyone got a link to a source with some info that isn't aimed at someone with the technical expertise of the average pensioner? There was no information in this article.
Who are these people that read the front pages of both Hacker News and computerworld.com?
So at what point does a botnet cease to be a parasite and start to be a symbiote?
If TDL-4 keeps your machine free of other malware at the cost of engaging in the occasional DDoS....
Actually, wouldn't TDL-4's owners possibly earn more money by doing remote management and tuning of 4.5 million PCs than they could by selling malware connectivity?
Indestructible isn't the right word to describe this. More like very resilient or resistant. Title is very linkbait and the reporting looks like it's based off of phrases by security researchers.
Fancy cryptography, p2p networking, with web-based command and control: indestructible 'new' type of botnet, or practically identical to Zeus? You decide!
Ahhh... memories. Back when trying to dual-boot Linux had about a 20% chance of not fucking your whole shit up.
Although that may have been down to my relative inexperience at the time.
EDIT: I have more memories of using the plain ol' 'fixmbr' command that you ran from that weird 'recovery console' shell on the Windows install CD. Didn't realise fdisk had a /fixmbr switch. Guess it does the same thing.
-There's a lot of software with no equivalent in other OSs (including computer games, which are a selling point for a lot of people, and Visual Studio)
-Many companies are reluctant to change software they've been using for any length of time. Changing the OS is especially unlikely.
As someone who jumped from Windows XP to Linux (Knoppix, Ubuntu, and Arch) and now back to Windows 7: 1) No driver issues. I've heard bad things about Nvidia Optimus drivers for Linux. 2) I don't have to worry about not being able to install software, or other compatibility issues. 3) Games (the Mac gaming situation is pathetic). 4) It doesn't force me to muck around with the system all the time. 5) Windows 7 is actually really pleasant to use - much more so than XP or OS X; out of the box, it's only a bit less pleasant than Arch after I've spent a day installing and configuring software.
My misadventures with linux include forgetting to set up a netbook to connect to unencrypted wireless networks and the latest kernel update breaking wifi after suspending or hibernating; I've never had to deal with any of that on Windows. The most time that I've spent on system administration has been switching to an SSD, which became extremely easy after I found the right software to mirror my disk.
Because it comes on most PCs, runs most applications, and on the whole works "good enough (TM)"
The fact that the malware has to bury itself so deep into the boot sector actually says some pretty positive things about Windows security. Nothing like those heroics would be needed to target Linux for example (I don't know about Mac).
1. Ubiquity
2. Honestly - better user experience in Windows 7 than any Linux desktop I've used, but then I go back 20 years with Windows
3. Any document-handling industry is so deeply into Word that you really won't be switching any time soon. Sad, but true.