Risk
7/1/2010
01:25 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The Kraken Botnet Returns

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.Last week Paul Royal, research scientist at the Georgia Tech Information Security Center (GTISC), told DarkReading's Tim Wilson that the infamous Kraken botnet is surging in strength once again.

In the spring of 2008, the Kraken botnet was reported to be from 400,000 to 650,000 bots strong. Currently, the new rendition of Kraken is a spam distributor, with a single DSL-powered node spotted spewing more than 600,000 spam e-mails in a 24-hour period. According to Royal, the botnet has attained nearly half of its former peak at 318,000 systems.

What is equally as troubling is not what Kraken does, but how stealthy it has proven to be against the most poplar anti-virus tools. From DarkReading:

Many popular antivirus tools don't detect Kraken, Royal says. A scan by VirusTotal indicates that none of the top three antivirus tools -- Symantec, McAfee, and Trend Micro -- can detect current Kraken samples, he reports.

The resurrected Kraken is usually installed by another botnet, using botnet malware such as Butterfly, Royal reports. It's not clear whether Kraken installation is handled by the same criminal group as Kraken operations, but it could be an example of specialized criminal groups working together, he suggests.

Tie together a few of trends, and it's easy to see why botnets like Kraken are so troubling. First, they are profitable: criminal gangs use them to send massive quantities of spam for next to no cost. Second, as Royal noted, common anti-virus defenses fail to catch the bots on infected systems.

The third concerning trend is how easy it is for bot authors and operators to infect end users with their scourge. Bots can be delivered by e-mail with malicious payload attached, through other targeted exploit software, and even by visiting legitimate - but infected - Web sites. In the latter case users need not do anything. The infected web site seeks visitors with unpatched web browsers, or uses zero-day vulnerabilities, and exploit code to deliver the payload and bot.

Modern botnets have been around for years now, and it seems we are not getting any better at detecting and mitigating these threats. It's proving too easy for bots to obfuscate themselves from traditional anti-virus programs. It's time the industry get serious about finding other methods for spotting and destroying bots.

ISPs could do more to find and block botnet traffic, for instance. Another option would be to develop better algorithms capable of sniffing typical bot behavior on end points, such as calling out to IRC channels, sending/receiving communications from strange remote servers, among other potential red flags. Perhaps an endpoint rapid-firing 600,000 spam e-mails would be another clue that something is awry.

One thing is certain: current methods of bot detection and remediation are not getting the job done.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-5522
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6025. Reason: This candidate is a reservation duplicate of CVE-2014-6025. Notes: All CVE users should reference CVE-2014-6025 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-5523
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5524. Reason: This candidate is a duplicate of CVE-2014-5524. Notes: All CVE users should reference CVE-2014-5524 instead of this candidate. All references and descriptions in this candidate have been removed to prevent acciden...

CVE-2014-5575
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVE-2014-5665
Published: 2014-09-22
The Mzone Login (aka com.mr384.MzoneLogin) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio