Risk
7/1/2010
01:25 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

The Kraken Botnet Returns

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.Last week Paul Royal, research scientist at the Georgia Tech Information Security Center (GTISC), told DarkReading's Tim Wilson that the infamous Kraken botnet is surging in strength once again.

In the spring of 2008, the Kraken botnet was reported to be from 400,000 to 650,000 bots strong. Currently, the new rendition of Kraken is a spam distributor, with a single DSL-powered node spotted spewing more than 600,000 spam e-mails in a 24-hour period. According to Royal, the botnet has attained nearly half of its former peak at 318,000 systems.

What is equally as troubling is not what Kraken does, but how stealthy it has proven to be against the most poplar anti-virus tools. From DarkReading:

Many popular antivirus tools don't detect Kraken, Royal says. A scan by VirusTotal indicates that none of the top three antivirus tools -- Symantec, McAfee, and Trend Micro -- can detect current Kraken samples, he reports.

The resurrected Kraken is usually installed by another botnet, using botnet malware such as Butterfly, Royal reports. It's not clear whether Kraken installation is handled by the same criminal group as Kraken operations, but it could be an example of specialized criminal groups working together, he suggests.

Tie together a few of trends, and it's easy to see why botnets like Kraken are so troubling. First, they are profitable: criminal gangs use them to send massive quantities of spam for next to no cost. Second, as Royal noted, common anti-virus defenses fail to catch the bots on infected systems.

The third concerning trend is how easy it is for bot authors and operators to infect end users with their scourge. Bots can be delivered by e-mail with malicious payload attached, through other targeted exploit software, and even by visiting legitimate - but infected - Web sites. In the latter case users need not do anything. The infected web site seeks visitors with unpatched web browsers, or uses zero-day vulnerabilities, and exploit code to deliver the payload and bot.

Modern botnets have been around for years now, and it seems we are not getting any better at detecting and mitigating these threats. It's proving too easy for bots to obfuscate themselves from traditional anti-virus programs. It's time the industry get serious about finding other methods for spotting and destroying bots.

ISPs could do more to find and block botnet traffic, for instance. Another option would be to develop better algorithms capable of sniffing typical bot behavior on end points, such as calling out to IRC channels, sending/receiving communications from strange remote servers, among other potential red flags. Perhaps an endpoint rapid-firing 600,000 spam e-mails would be another clue that something is awry.

One thing is certain: current methods of bot detection and remediation are not getting the job done.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3586
Published: 2015-04-21
The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2014-5361
Published: 2015-04-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Landesk Management Suite 9.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) start, (2) stop, or (3) restart services via a request to remote/serverServices.aspx.

CVE-2014-5370
Published: 2015-04-21
Directory traversal vulnerability in the CFChart servlet (com.naryx.tagfusion.cfm.cfchartServlet) in New Atlanta BlueDragon before 7.1.1.18527 allows remote attackers to read or possibly delete arbitrary files via a .. (dot dot) in the QUERY_STRING to cfchart.cfchart.

CVE-2014-8111
Published: 2015-04-21
Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.

CVE-2014-8125
Published: 2015-04-21
XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.