SUMware
Premium
join:2002-05-21


edit:
April 7th, @07:50PM

Biggest Botnet Ever="Kraken">400,000 Infected Machines

From The Register
7th April 2008 -
said by TR :
Move over Storm - there's a bigger, stealthier botnet in town

Researchers have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network.

Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware. Just as a con artist might throw off detectives by changing his hair color or other physical characteristics, Kraken's ability to morph its code base has allowed it to evade the majority of malware detectors.

"Kraken, despite being on all these people's computers, has such low anti-virus coverage," said Paul Royal, principal researcher at Atlanta-based Damballa. "Anti-virus companies can't keep up with the arms race because of the number of variants and the frequency of the updates."

In addition, the code inside the executable file that infects a PC has been arranged in a way that makes it hard for malware analysis tools to accurately disassemble the malicious program.

"It raises the question of whether this basically has been authored specifically with anti-virus evasion in mind," Royal added.

Kraken most likely spreads by tricking end users into clicking on a malicious file that's disguised as an image. When it's executed, the program automatically copies itself to the hard drive in a slightly altered format. In the event AV programs are eventually able to recognize the original file, Kraken can use the altered file to reinfect the machine. Moreover, zombie machines regularly update themselves as an additional measure to prevent detection.

Kraken's primary activity is sending spam that advertises high-interest loans, male-enhancement techniques, fake designer watches and gambling opportunities. Damballa has observed as many as 500,000 pieces of junk mail being sent from a single zombie.

Estimates have varied wildly for the number of bots belonging to the Storm network. While some researchers have said millions of machines have been compromised, MessageLabs in February put the number of nodes at just 85,000. Whatever the number - Damballa estimates Storm has 200,000 victims - it was believed to be the biggest.

Until now, that is. It has clearly been eclipsed by Kraken, which on March 25 was observed to have compromised 409,912 unique IP addresses during a 24-hour period. Royal predicted the number will grow to more than 600,000 in the next two weeks.

Royal says he's still trying to figure out how the bot is managing to horn its way on to so many machines, many of which are behind well-fortified networks of some of the world's biggest companies.

"Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."
[Edit: Emphasis Added]


GercekSeytan
Rockin' with Raki

join:2001-10-19
Turkey
·TTNet

...and...

Information has just started flowing on the Kraken diary from earlier. As of this moment, I still don't have a sample of this particular malware, but I do have some packet captures of the control traffic.

C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 or so hostnames associated with this from dyndns and yi.org. I will publish a list and update this post with that information shortly. According to some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well). Some other related bins (c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5)

Word on the street is that this may already be detected and it looks like it is just part of the Bobax family of malware related to this article on Dark Reading from last year. It appears that this malware is what Kraken malware is using to infect machines, based on the work of others.

Here are some sample packets (this is payload data only, no header):

(continues)
»isc.sans.org/
--
One day President Roosevelt told me that he was asking publicly for suggestions about what the war should be called. I said at once "The Unnecessary War". Sir W. Churchill, Second World War, 1948
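As an added example (not code from the thread or from the ISC diary it quotes), here is a small detector for the control-traffic fingerprint the post describes: UDP datagrams on port 447 with payloads of 66, 115, 116 or 117 bytes, plus any TCP traffic on port 447. The log line format and the sample flows are constructed for this example.

```python
# Added example, not from the forum post or the ISC diary: flag flows that
# match the Kraken/Bobax control-channel pattern described above.
from dataclasses import dataclass
from typing import List

# Payload sizes the diary reports for the UDP/447 control channel.
KRAKEN_UDP_PAYLOAD_LENS = {66, 115, 116, 117}
KRAKEN_PORT = 447


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: 'proto src:sport -> dst:dport len=N'."""
    proto, src, _arrow, dst, length = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(sport), dst_ip, int(dport),
                int(length.split("=", 1)[1]))


def is_kraken_like(flow: Flow) -> bool:
    """Match the control-channel fingerprint quoted in the thread."""
    if KRAKEN_PORT not in (flow.sport, flow.dport):
        return False
    if flow.proto == "TCP":
        return True  # TCP/447 carries encoded data of unknown size: flag it
    return flow.proto == "UDP" and flow.payload_len in KRAKEN_UDP_PAYLOAD_LENS


def flag_kraken_flows(lines: List[str]) -> List[Flow]:
    """Return the flows from a log that match the fingerprint."""
    return [f for f in map(parse_flow, lines) if is_kraken_like(f)]


# Constructed sample log lines (documentation addresses, not real captures).
SAMPLE_LOG = [
    "udp 203.0.113.5:447 -> 192.0.2.10:33421 len=116",  # C&C -> victim: match
    "udp 203.0.113.5:447 -> 192.0.2.11:33422 len=512",  # port 447, wrong size
    "udp 192.0.2.12:53 -> 198.51.100.1:53 len=66",      # right size, not 447
    "tcp 192.0.2.10:49152 -> 203.0.113.9:447 len=300",  # TCP/447: match
]

if __name__ == "__main__":
    for f in flag_kraken_flows(SAMPLE_LOG):
        print(f"suspect {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

The size filter only reduces noise; UDP/447 to hosts that should never speak to the internet on that port is worth a look whatever the length.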

Jrb2
Premium
join:2001-08-31

reply to SUMware
quote:
Kraken's primary activity is sending spam

quote:
Kraken most likely spreads by tricking end users into clicking on a malicious file that's disguised as an image.

So (if I understand it right), we're talking about emails with things like .jpg.exe

Already ages ago WormGuard was made for this.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC


edit:
April 12th, @12:27PM

reply to SUMware
Kraken, Not New But Still Newsworthy? Posted by Jusu @

There's recently been quite a fuss about a botnet of spam trojans dubbed Kraken.

There've been some claims that the botnet is the biggest currently out there, massing over 400,000 infected computers. Most vendors in the industry have been wondering about the numbers, which seem to be a bit bloated when taking a look at received samples.

Yesterday, Brian Krebs of Security Fix revealed that Damballa, the initial breaker of the Kraken story, has hijacked some of Kraken's domain names and is using the hijacked DNS resource records to count infections.

»www.f-secure.com/weblog/archives···418.html

Brian Krebs on Computer Security

"Consequently, many botmasters -- including those who control the Kraken botnet -- have taken to using free so-called "dynamic DNS" services (DNS, short for domain name system, is what helps map human-friendly domain names like example.com into numeric Internet addresses that are easier for computers and Web browsers to route). Dynamic DNS services are great for small mom-and-pop Web sites that may be hosted on a network that frequently changes its numeric Internet address: No matter how many times that address changes, a dynamic DNS service will route a visiting Web browser to the latest address."

"Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code."

»blog.washingtonpost.com/security···the.html

--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/


Killler Maxxx

@rr.com

Just another wigged out freak looking for a moment in the sun ? From the story....

"We've taken a look at this and it seems the Damballa guys are into rebranding, and that they've simply taken Bobax" and presented it as Kraken, said Dmitri Alperovitch, director of intelligence analysis at Secure Computing, also based in Atlanta.