Risk
7/1/2010
01:25 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

The Kraken Botnet Returns

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.Last week Paul Royal, research scientist at the Georgia Tech Information Security Center (GTISC), told DarkReading's Tim Wilson that the infamous Kraken botnet is surging in strength once again.

In the spring of 2008, the Kraken botnet was reported to be from 400,000 to 650,000 bots strong. Currently, the new rendition of Kraken is a spam distributor, with a single DSL-powered node spotted spewing more than 600,000 spam e-mails in a 24-hour period. According to Royal, the botnet has attained nearly half of its former peak at 318,000 systems.

What is equally as troubling is not what Kraken does, but how stealthy it has proven to be against the most poplar anti-virus tools. From DarkReading:

Many popular antivirus tools don't detect Kraken, Royal says. A scan by VirusTotal indicates that none of the top three antivirus tools -- Symantec, McAfee, and Trend Micro -- can detect current Kraken samples, he reports.

The resurrected Kraken is usually installed by another botnet, using botnet malware such as Butterfly, Royal reports. It's not clear whether Kraken installation is handled by the same criminal group as Kraken operations, but it could be an example of specialized criminal groups working together, he suggests.

Tie together a few of trends, and it's easy to see why botnets like Kraken are so troubling. First, they are profitable: criminal gangs use them to send massive quantities of spam for next to no cost. Second, as Royal noted, common anti-virus defenses fail to catch the bots on infected systems.

The third concerning trend is how easy it is for bot authors and operators to infect end users with their scourge. Bots can be delivered by e-mail with malicious payload attached, through other targeted exploit software, and even by visiting legitimate - but infected - Web sites. In the latter case users need not do anything. The infected web site seeks visitors with unpatched web browsers, or uses zero-day vulnerabilities, and exploit code to deliver the payload and bot.

Modern botnets have been around for years now, and it seems we are not getting any better at detecting and mitigating these threats. It's proving too easy for bots to obfuscate themselves from traditional anti-virus programs. It's time the industry get serious about finding other methods for spotting and destroying bots.

ISPs could do more to find and block botnet traffic, for instance. Another option would be to develop better algorithms capable of sniffing typical bot behavior on end points, such as calling out to IRC channels, sending/receiving communications from strange remote servers, among other potential red flags. Perhaps an endpoint rapid-firing 600,000 spam e-mails would be another clue that something is awry.

One thing is certain: current methods of bot detection and remediation are not getting the job done.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7421
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.

CVE-2014-8160
Published: 2015-03-02
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disall...

CVE-2014-9644
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-201...

CVE-2015-0239
Published: 2015-03-02
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYS...

CVE-2014-8921
Published: 2015-03-01
The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Window Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by c...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.