undefined | Better HN

0 pointsXk14y ago0 comments

> Maybe it is public/private key, and they use (derive?) the public key from the name of the server?

How would that work though? Maybe I just don't know enough, but I can't think of a way to generate a public key from some known source, and then somehow derive a private key from that source such that no one else can derive that same private key.

I guess you could generate an RSA key pair using the domain name as a seed for your random number generator, but that seems like a terrible idea. As soon as they introduce some real randomness in to it, then you're no longer deriving the key from the domain name.

I also suspect (2), but I wouldn't be surprised if they added some extra distortion to make the article read more like "Look how impressive these guys are! They made their own encryption algorithm!".

0 comments

rufibarbatus14y ago

DISCLAIMER: I'm not even a rookie at crypto; I'm just trying to make sense of what I'm reading, like you are.

From [1]:

> The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

A bit later:

> The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

So we have authentication of the C&C through encryption ("block other cybercriminals"), and obfuscation of the payload through encryption ("protect from network traffic analysis"). I suppose the bsh parameter is used for auth, and the domain name just to scramble the payload.

[1] http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

nl14y ago

Maybe the server generates the private key/public key pair, then derives the domain name from the public key (eg, long-random-string-that-comes-from-public-key.dyndns.com)? This derivation process could be the "encryption algorithm" the article refers to?

The client is given the new servername via the P2P network, then derives the public key from the hostname, encrypts using it and communicates with the server which can decode using the private key.

I'm not sure what the max length of a hostname is, which might be a problem.

Another possibility is to put the public key in a TEXT DNS for the server hostname. That could be what they meant maybe?

j / k navigate · click thread line to collapse