Technical Introduction to Bots ◾ 85
This converts to “wait 30.” Multiple commands look like this:
d2FpdCAzMA0KdGlkIDE5NQ0Kcmd0dHAgMTA=
This converts to the following:
wait 30
tid 195
rgttp 10
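The decoding step above can be automated for captured traffic. The following is an added example written for this text, not code from the book: it base64-decodes a C&C response, checks that the result is printable text before treating it as a command list, and splits the CRLF-separated lines into (command, argument) pairs. The sample blob is the one shown on the page; the function name and the "reject non-printable payloads" rule are choices made here, not part of the bot's protocol.

```python
import base64
import binascii
import string
from typing import List, Tuple

# The base64 string shown on the page; it decodes to three CRLF-separated
# commands ("wait 30", "tid 195", "rgttp 10").
SAMPLE_BLOB = "d2FpdCAzMA0KdGlkIDE5NQ0Kcmd0dHAgMTA="

# Byte values we are willing to treat as a plaintext command channel.
PRINTABLE = set(string.printable.encode("ascii"))


def decode_commands(blob: str) -> List[Tuple[str, str]]:
    """Base64-decode a C&C response and split it into (command, argument) pairs.

    Returns an empty list when the input is not valid base64 or the decoded
    bytes are not printable text, so an analyst can distinguish a plaintext
    command list from binary or encrypted content without the parser crashing.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return []
    if not raw or any(b not in PRINTABLE for b in raw):
        return []

    commands: List[Tuple[str, str]] = []
    # Commands are separated by CRLF (0x0d 0x0a) in the sample; tolerate a
    # bare LF as well, and skip empty lines.
    for line in raw.decode("ascii").replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        name, _, arg = line.partition(" ")
        commands.append((name, arg.strip()))
    return commands


if __name__ == "__main__":
    for name, arg in decode_commands(SAMPLE_BLOB):
        print(f"{name:<8} {arg}")
```

Running the script prints the three commands from the page. Feeding it a payload that decodes to non-printable bytes yields an empty list, which is a useful first signal that a sample has moved from plain base64 to an encrypted channel.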
Haxtor (aka “Prg,” “NTOS,” and “WSNPoem”) uses encrypted communications
between a bot and the Web-based C&C. The snippet below shows standard
ping-pong-type connection status events with three dots, followed by encrypted
communications (trimmed significantly here):
...
...
...
..........o.:p.1.....MR.Sd
...P....
...0......xNca.p......I..!l...w.gy..$~ov.Q.|c..d$....]..
a.y....Z.......%..v#...
......+..(..+<~......0..
N..x.pcY.$....h...v$.0XT.{f....yg(....Y_......:...\.....
G..VP.....Q...u...mg({‘.....$.S.......9.5G.4.E..k..;..kn-
....v.....j7gQ.B..~.)...._<..=U..bH.w..1^..}. ...