
new botnet, largest ever


pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Mon Apr 07, 2008 10:16 am

new botnet, largest ever

These guys are not kidding around:

http://www.darkreading.com/document.asp ... vl=news1_1

- researchers have found it on a variety of systems in Fortune 500 companies
- at this point it is undetectable using normal AV products
- 500k+ machines
- communicates using custom encrypted protocols

SAN FRANCISCO -- RSA 2007 Conference -- A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa. (See The World's Biggest Botnets and MayDay! Sneakier, More Powerful Botnet on the Loose.)

The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.

"It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.

Kraken's successful infiltration of major enterprises is a wakeup call that bots aren't just a consumer problem. Damballa and other botnet experts over the past few months have seen an unsettling rise in bot infections in enterprises. (See Bots Rise in the Enterprise.)

Royal says like Storm, Kraken so far is mostly being used for spamming the usual scams -- high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance. "But given that it updates its binary, there's no reason it couldn't update itself to a binary that does other things," Royal says. "I'm wondering where this thing is going to go."

Damballa predicts that even now that Kraken has been outed, it will continue growing at least in the near-term -- up to at least 600,000 new bots by mid-April. Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day.

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.

Royal didn't rule out the possibility that Kraken could be some sort of Storm spinoff since Damballa had not performed any analysis of any potential "intersections" between the two botnets, he says.

Kraken's bots and command and control servers communicate via customized UDP and TCP-based protocols, he says, and the botnet has built-in redundancy features that automatically generate new domain names if a C&C server gets shut down or becomes disabled. "And the actual payload is encrypted," Royal says.

Damballa first noticed Kraken late last year, but says early variants of the botnet appear to date back to late 2006. The primary C&C servers are hosted in France, Russia, and the U.S., according to Damballa.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Apr 07, 2008 10:25 am

Re: new botnet, largest ever

Pseudo,

thanks for the link. I've just read the same story on The Register and was looking for more technical details on implementations/capabilities etc.

I'll be interested to see how soon AV vendors manage decent coverage of this. Unfortunately newer malware techniques seem to be leaving traditional defense mechanisms behind.

One thing that does surprise me from this is that there appears to be a hierarchical C&C structure, so this may not last long once it hits notoriety.
<edit: just re-read the article, looks like it's already got this base covered>

But as it's already reaching a supposed half million infections it may have more tricks up its sleeve yet.

Seems like the war rages on....
Last edited by RoleReversal on Mon Apr 07, 2008 10:27 am, edited 1 time in total.

shawal

Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Mon Apr 07, 2008 11:09 am

Re: new botnet, largest ever

nice one Pseudo

I will email this to my management first thing in the morning tomorrow; they still believe that we are secure. The false sense of security is the threat. Having antivirus and state of the art IPS, IDS, firewalls, and VPNs does not help much if we cannot understand the 0day issues and the amount of work the bad guys are investing in new attack vectors.
RHCE, GIAC GCIH.

g00d_4sh

Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Tue Apr 08, 2008 7:47 pm

Re: new botnet, largest ever

If I understood the article, which I read earlier when it first came out, the botnet uses the method of continually evolving its binary, or simply pushing out a slightly changed binary to all its nodes. Kind of makes traditional AV that is signature based worthless against it. I was reading about one a month ago or so that altered its code as it moved from machine to machine; I don't think Kraken does that from what I have thus far read. If I understand the workings of that correctly, until behavior analysis style AV becomes more popular this isn't going to be protected against.

On a related note, just started trying out Comodo firewall at home, anyone else use it? Seems kind of nifty, I've been using the free ZoneAlarm firewall for years. The built in registry lock seems interesting, kind of like Tea Timer from Spybot, but less buggy interface wise. I'm assuming a decent personal firewall set up correctly would be at least more helpful than AV vs a bot infection, then again there is the rootkit you probably don't find anyway heh.
"Bad.. Good?  I'm the guy with the gun"

dean

Post Tue Apr 08, 2008 8:40 pm

Re: new botnet, largest ever

Dynamic binary repacking and code obfuscation and static/dynamic analysis techniques are not new. Most bots have some level of each today. Storm's binary changes approximately every 15 minutes or so. I ran an analysis on about 60 binaries of Storm collected over a period of one hour and from different URLs and about 30% were unique.

As for Kraken, there is talk that it may be FUD on the part of Damballa.

"'We've taken a look at this and it seems the Damballa guys are into rebranding, and that they've simply taken Bobax' and presented it as Kraken, said Dmitri Alperovitch, director of intelligence analysis at Secure Computing, also based in Atlanta." http://blog.washingtonpost.com/security ... f_the.html

Some more links:

http://www.incidents.org/diary.html?storyid=4256
http://emergingthreats.net/ - includes links to other sites within.

Either way it's interesting to note that bots and the management of them are evolving, and so detection is getting more difficult at both a network and host level. Traditional methods of antivirus or anti-spyware are limited, and so use of honeynets and honey-clients is evolving from being research tools to valid detection and mitigation solutions.

dean

shawal

Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Tue Apr 08, 2008 11:53 pm

Re: new botnet, largest ever

g00d_4sh ,

firewalls do prevent most of the threats, however they are not the key factor in preventing this. An enterprise/personal firewall would still most likely allow port 80 traffic to pass. Most likely you have asked the personal firewall to always trust your favourite browser, so if the bot agent/trojan/malware can inject itself into the browser code, or even spoof itself as it, the firewall is useless.

Dean,

Interesting URLs, need to investigate this more when I have more time, and collect some Storm specimens from the wild net ;D
RHCE, GIAC GCIH.

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Apr 09, 2008 4:44 am

Re: new botnet, largest ever

Dean,
dean wrote:I ran an analysis on about 60 binaries of Storm collected over a period of one hour and from different url's and about 30% were unique.


Sounds like you've been having some fun, are you able/willing to tell what tools/processes you are using to collect your samples?

dean

Post Wed Apr 09, 2008 9:04 am

Re: new botnet, largest ever

RoleReversal wrote:Sounds like you've been having some fun, are you able/willing to tell what tools/processes you are using to collect your samples?


I use a set of Perl scripts I've written to download the binaries and compare hashes on those binaries. I also use similar scripts to perform lookups and geo-IP mapping to determine the locations of compromised machines. The URLs/IP addresses come from various spam emails that I collect, honeypots like nepenthes and client honeypots like honey-hpc.

If anyone is interested I'll post some of the scripts.

dean

shawal

Jr. Member

Posts: 88

Joined: Mon Mar 10, 2008 1:24 pm

Post Wed Apr 09, 2008 10:51 am

Re: new botnet, largest ever

Dean,
is that an XSS test in your signature?
RHCE, GIAC GCIH.

dean

Post Wed Apr 09, 2008 2:04 pm

Re: new botnet, largest ever

It could be but the sig is more of a joke.

type:

javascript:alert('%52%54%46%4D')

in your browser's navigation bar.

It will decode the hex for you.

dean

dean

Post Wed Apr 09, 2008 4:19 pm

Re: new botnet, largest ever

In follow up to the original post.

http://www.computerworld.com/action/art ... _PM&nlid=8

Joe Stewart presented his findings at RSA on the top botnets.

dean

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Apr 10, 2008 2:10 am

Re: new botnet, largest ever

Dean,
dean wrote:javascript:alert('%52%54%46%4D')


nice 8)

Thanks for the link to Keizer's article, makes for interesting reading.

One aspect that always surprises me with these sorts of articles is the numbers of infections etc. that get quoted as fact. I might be missing a trick, but is there any more to these figures than educated guesswork? I just can't see how any of these stats could be claimed with any certainty.

dean

Post Thu Apr 10, 2008 8:37 am

Re: new botnet, largest ever

The numbers are an estimate but they can be pretty accurate. It depends on how you do the detection. Arbor Networks has a worldwide series of honeypots in place at most of the large ISPs. This, with the netflow they use for doing analysis, can give a pretty good indication of the spread/scale of an infection. Have a look at http://atlas.arbor.net/

SecureWorks seem to have developed signatures for the SMTP engines the bots use and detect the traffic that way using spam traps.

TrustedSource have this page that tracks the spread of Storm: http://www.trustedsource.org/TS?do=thre ... rm_tracker

For a fast-flux/round-robin DNS-enabled botnet I use simple DNS queries of a malware domain, but query against multiple nameservers to determine the number of unique IP addresses associated with that domain. By running this over a period of time, until you see the rate of infection begin to decline, you can estimate the scale of the botnet.

I also sometimes run a script that will masquerade as a bot in a channel and collect information on the size of the channel. I've also seen research on P2P based botnets where the P2P network is 'crawled'.

None of this is perfect as you are dealing with changing bot code, new domains, time zones, etc... but if you trend it out over time you can get a pretty good indication of the size of the botnet.

I posted a simple lookup script in another post that will run continuous lookups on a domain and map the IP to country. It's interesting just to run it on a domain to see the results.

dean
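An added example of the fast-flux sizing approach dean describes above (this is not dean's Perl script, which is not on this page): the domain is looked up through several resolvers round after round, distinct A-record IPs are accumulated, and sampling stops once the count stops growing. The domain name, the resolver labels and the simulated fast-flux answers are constructed for the demonstration; `dnspython_resolve` is an optional real lookup using the third-party dnspython library.

```python
"""Fast-flux footprint estimate (added example, not dean's Perl scripts): look a
domain up through several resolvers round after round and count the distinct
A-record IPs until the count plateaus. Pool, resolver labels and domain are
constructed; dnspython_resolve is the optional real lookup."""

FLUX_POOL = ["198.51.100.%d" % n for n in range(1, 13)]  # constructed, TEST-NET-2
RESOLVERS = ["resolver-a", "resolver-b", "resolver-c"]     # constructed labels
DOMAIN = "flux.example"                                     # placeholder domain

def simulated_resolve(domain, resolver, round_no):
    """Constructed stand-in for a lookup: a 3-address window into the pool that
    rotates per round and per resolver, like a fast-flux domain's short-TTL answers."""
    start = (round_no * 4 + RESOLVERS.index(resolver) * 5) % len(FLUX_POOL)
    return [FLUX_POOL[(start + k) % len(FLUX_POOL)] for k in range(3)]

def dnspython_resolve(domain, nameserver, _round_no):
    """Real A lookup against one nameserver (needs the third-party dnspython)."""
    import dns.resolver
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [nameserver]
    res.lifetime = 3.0
    try:
        return [rr.address for rr in res.resolve(domain, "A")]
    except Exception:  # NXDOMAIN, timeout, refused: count as an empty answer
        return []

def growth_has_plateaued(growth, window=3):
    """True once the last `window` rounds added no new IPs."""
    return len(growth) > window and growth[-1] == growth[-1 - window]

def estimate_pool_size(resolve, domain, resolvers, max_rounds=50, window=3):
    """Sample until the distinct-IP count stops growing for `window` rounds (or
    max_rounds is hit). Returns (distinct_ips, rounds_used, growth_curve).
    The figure is a lower bound: only addresses handed out while sampling are
    seen, so trend it over time as the thread suggests."""
    seen, growth = set(), []
    for r in range(max_rounds):
        for ns in resolvers:
            seen.update(resolve(domain, ns, r))
        growth.append(len(seen))
        if growth_has_plateaued(growth, window):
            return len(seen), r + 1, growth
    return len(seen), max_rounds, growth

if __name__ == "__main__":
    size, rounds, curve = estimate_pool_size(simulated_resolve, DOMAIN, RESOLVERS)
    print("distinct IPs: %d after %d rounds; growth curve %s" % (size, rounds, curve))
```

With the constructed answers the count plateaus at 12 addresses after 6 rounds; against a live domain, swap in `dnspython_resolve` and real nameserver addresses, and expect the curve to keep creeping upward as the flux pool churns.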

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Apr 10, 2008 10:44 am

Re: new botnet, largest ever

Dean,

thanks for the response and links, looks like I've got some extra research to do.
