Is there a cryptanalyst in the house?

Marsh Ray marsh at extendedsubset.com
Wed Jun 29 22:50:40 EDT 2011

There's a new and improved botnet around that's got the tech press all 

http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot :
> The ‘indestructible’ botnet Encrypted network connections
> One of the key changes in TDL-4 compared to previous versions is an
> updated algorithm encrypting the protocol used for communication
> between infected computers and botnet command and control servers.
> The cybercriminals replaced RC4 with their own encryption algorithm
> using XOR swaps and operations.

I think we can predict how this will end...maybe?

It's a curious phrase "using XOR swaps and operations", like something 
has been left out. Was it "XOR, swaps, and AND operations" fixed by an 
overzealous word processor? It could mean "swaps implemented with XOR 
and other XOR operations" (a big difference). Or it could be something 
redacted (like parts of some images in the article).

Perhaps it's a more established algorithm that these researchers didn't 

In any case, if anyone is looking for an analysis project you might see 
what you could do with it. A successful break of this algorithm could 
earn you a hearty 'thank you' from 4.5 million infected PC owners. 
Perhaps we could collaborate on the list.

I don't have a code sample right now but I could ask around. Shouldn't 
be too hard to find with that many copies around.

- Marsh
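The post gives no details of the TDL-4 cipher beyond "XOR swaps and operations", so the following is an added illustration, not code from the post, the list, or the Securelist article. It builds a constructed toy cipher out of exactly those two ingredients, data-independent byte swaps and XOR with key bytes, and shows the structural reason such a design tends to "end" the way Marsh predicts: the whole cipher is affine over GF(2), so ciphertext differences are key-independent and one known plaintext/ciphertext pair recovers an effective key that decrypts every other block. The swap patterns and sample blocks are constructed for the example; the only assumption about a real deployment is that the permutation layer is public, which holds for any cipher shipped inside a binary an analyst can obtain.

```python
# Added example: a constructed toy cipher made only of byte swaps and XOR
# with round keys, plus the known-plaintext recovery that such a structure
# permits. It is NOT the TDL-4 algorithm; the post does not describe that.
from __future__ import annotations

BLOCK = 8      # block size in bytes (constructed)
ROUNDS = 3

# Fixed, key-independent swap layers (constructed). Each layer is a set of
# disjoint transpositions, so applying the same layer twice undoes it.
SWAPS: list[list[tuple[int, int]]] = [
    [(0, 7), (1, 6), (2, 5), (3, 4)],
    [(0, 1), (2, 3), (4, 5), (6, 7)],
    [(0, 4), (1, 5), (2, 6), (3, 7)],
]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _swap_layer(block: bytearray, pattern: list[tuple[int, int]]) -> None:
    for i, j in pattern:
        block[i], block[j] = block[j], block[i]


def toy_encrypt(plain: bytes, key: bytes) -> bytes:
    """Round r: XOR in round key r, then apply swap layer r."""
    assert len(plain) == BLOCK and len(key) == ROUNDS * BLOCK
    b = bytearray(plain)
    for r in range(ROUNDS):
        rk = key[r * BLOCK:(r + 1) * BLOCK]
        for i in range(BLOCK):
            b[i] ^= rk[i]
        _swap_layer(b, SWAPS[r])
    return bytes(b)


def toy_decrypt(cipher: bytes, key: bytes) -> bytes:
    """Legitimate decryption: undo rounds in reverse order."""
    b = bytearray(cipher)
    for r in reversed(range(ROUNDS)):
        _swap_layer(b, SWAPS[r])          # swap layers are involutions
        rk = key[r * BLOCK:(r + 1) * BLOCK]
        for i in range(BLOCK):
            b[i] ^= rk[i]
    return bytes(b)


# --- Analyst's view: the swap layers compose to one public permutation S,
# and because byte permutations distribute over XOR, the cipher is
#   E_k(p) = S(p) XOR K_eff,  with K_eff depending only on the key.

def compose_permutation() -> list[int]:
    """perm[i] = index of the input byte that lands in output slot i."""
    idx = bytearray(range(BLOCK))
    for r in range(ROUNDS):
        _swap_layer(idx, SWAPS[r])
    return list(idx)


def apply_perm(x: bytes) -> bytes:
    perm = compose_permutation()
    return bytes(x[perm[i]] for i in range(BLOCK))


def invert_perm(y: bytes) -> bytes:
    perm = compose_permutation()
    out = bytearray(BLOCK)
    for i in range(BLOCK):
        out[perm[i]] = y[i]
    return bytes(out)


def recover_effective_key(known_plain: bytes, known_cipher: bytes) -> bytes:
    """One known plaintext/ciphertext pair yields K_eff = C XOR S(P)."""
    return xor(apply_perm(known_plain), known_cipher)


def decrypt_with_effective_key(cipher: bytes, k_eff: bytes) -> bytes:
    """Decrypt any block without ever learning the real round keys."""
    return invert_perm(xor(cipher, k_eff))


def difference_is_key_independent(p1: bytes, p2: bytes, key_a: bytes, key_b: bytes) -> bool:
    """E(p1) XOR E(p2) equals S(p1 XOR p2) under ANY key: the key cancels."""
    d_a = xor(toy_encrypt(p1, key_a), toy_encrypt(p2, key_a))
    d_b = xor(toy_encrypt(p1, key_b), toy_encrypt(p2, key_b))
    return d_a == d_b == apply_perm(xor(p1, p2))


def demo() -> bytes:
    """Constructed traffic: one known block recovers a second, unknown one."""
    key = bytes(range(ROUNDS * BLOCK))        # constructed secret key
    known_plain = b"GET /cmd"                  # constructed known header
    secret_plain = b"bot=1234"                 # constructed unknown block
    k_eff = recover_effective_key(known_plain, toy_encrypt(known_plain, key))
    return decrypt_with_effective_key(toy_encrypt(secret_plain, key), k_eff)


if __name__ == "__main__":
    print(demo())
```

The lesson is the general one: any cipher whose only operations are XOR with key material and key-independent data movement is affine, so it inherits all of the weaknesses of a one-time pad used with a reused keystream. A real non-linear component (an S-box, modular addition, or a proper stream cipher like the RC4 it replaced, for all RC4's own flaws) is what stops the key from cancelling out of ciphertext differences.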

