NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0467 New Botnet on the Loose:
Damballa botnet researchers say a new botnet - now twice the size of Storm - comprises over 400,000 bots, including computers of Fortune 500 companies. The so-called Kraken botnet, first noticed late last year, has been spotted in at least 50 Fortune 500 companies and is undetected by the antivirus software used on over 80% of machines. Damballa predicts that Kraken will exceed 600,000 bots by mid-April. The bots are prolific, with single Kraken bots sending out up to 500,000 pieces of spam in a day. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.
Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture ... ends in an .exe, which is not shown," Royal says.
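As an added defender-side check (not code from the article or from Damballa), the following Python inspects an attachment's name and leading bytes for the disguise Royal describes: an executable whose final ".exe" is hidden behind an image-looking name, or image-named content that actually carries a PE header. The extension lists, magic-byte table and sample bytes are constructed assumptions.

```python
import os

# Constructed, non-exhaustive lists of extensions Windows will run directly
# and of common image extensions a lure would imitate.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Leading bytes (file signatures) of common image formats and of PE executables.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8", b"BM")
PE_MAGIC = b"MZ"


def displayed_name(filename):
    """Name as shown with 'Hide extensions for known file types' enabled:
    the final extension is dropped, so 'holiday.jpg.exe' displays as 'holiday.jpg'."""
    base, ext = os.path.splitext(filename)
    return base if ext else filename


def inspect_attachment(filename, data):
    """Return a list of reasons the file is suspicious (empty when nothing matches)."""
    reasons = []
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()

    # 1. Double extension: what the user sees looks like an image, the real
    #    extension is executable.
    if real_ext in EXECUTABLE_EXTS and shown_ext in IMAGE_EXTS:
        reasons.append(f"double extension: displayed as {shown!r}, really {real_ext}")

    # 2. Whitespace padding before the last extension pushes it out of view.
    if os.path.splitext(filename)[0] != os.path.splitext(filename)[0].rstrip():
        reasons.append("whitespace padding hides the real extension")

    # 3. Content check: a PE header where the name does not admit to an executable.
    if data.startswith(PE_MAGIC) and real_ext not in EXECUTABLE_EXTS:
        reasons.append("PE executable header (MZ) in a file not named as an executable")

    # 4. Image-named file whose bytes are not any known image format.
    if real_ext in IMAGE_EXTS and not data.startswith(IMAGE_MAGIC):
        reasons.append("image extension but content is not a recognised image")
    return reasons


# Constructed sample contents: a minimal PE-looking header and a JPEG header.
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```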
Kraken's bots and command-and-control servers - hosted in France, Russia, and the US - reportedly communicate via customized UDP- and TCP-based protocols. The botnet has built-in redundancy features that automatically generate new domain names if a control server gets shut down or becomes disabled. "And the actual payload is encrypted," Royal says.
Botnet experts reportedly have seen an unsettling rise in bot infections in enterprises over the past few months. Like Storm, Kraken so far is mostly being used for spamming the usual scams - high-interest loans, gambling, pharmacy advertisements, and counterfeit watches. "But given that it updates its binary there's no reason it couldn't update itself to a binary that does other things," Royal says.
(www.darkreading.com 07APR08)