Risk
7/1/2010
01:25 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

The Kraken Botnet Returns

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.Last week Paul Royal, research scientist at the Georgia Tech Information Security Center (GTISC), told DarkReading's Tim Wilson that the infamous Kraken botnet is surging in strength once again.

In the spring of 2008, the Kraken botnet was reported to be from 400,000 to 650,000 bots strong. Currently, the new rendition of Kraken is a spam distributor, with a single DSL-powered node spotted spewing more than 600,000 spam e-mails in a 24-hour period. According to Royal, the botnet has attained nearly half of its former peak at 318,000 systems.

What is equally as troubling is not what Kraken does, but how stealthy it has proven to be against the most poplar anti-virus tools. From DarkReading:

Many popular antivirus tools don't detect Kraken, Royal says. A scan by VirusTotal indicates that none of the top three antivirus tools -- Symantec, McAfee, and Trend Micro -- can detect current Kraken samples, he reports.

The resurrected Kraken is usually installed by another botnet, using botnet malware such as Butterfly, Royal reports. It's not clear whether Kraken installation is handled by the same criminal group as Kraken operations, but it could be an example of specialized criminal groups working together, he suggests.

Tie together a few of trends, and it's easy to see why botnets like Kraken are so troubling. First, they are profitable: criminal gangs use them to send massive quantities of spam for next to no cost. Second, as Royal noted, common anti-virus defenses fail to catch the bots on infected systems.

The third concerning trend is how easy it is for bot authors and operators to infect end users with their scourge. Bots can be delivered by e-mail with malicious payload attached, through other targeted exploit software, and even by visiting legitimate - but infected - Web sites. In the latter case users need not do anything. The infected web site seeks visitors with unpatched web browsers, or uses zero-day vulnerabilities, and exploit code to deliver the payload and bot.

Modern botnets have been around for years now, and it seems we are not getting any better at detecting and mitigating these threats. It's proving too easy for bots to obfuscate themselves from traditional anti-virus programs. It's time the industry get serious about finding other methods for spotting and destroying bots.

ISPs could do more to find and block botnet traffic, for instance. Another option would be to develop better algorithms capable of sniffing typical bot behavior on end points, such as calling out to IRC channels, sending/receiving communications from strange remote servers, among other potential red flags. Perhaps an endpoint rapid-firing 600,000 spam e-mails would be another clue that something is awry.

One thing is certain: current methods of bot detection and remediation are not getting the job done.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

CVE-2014-9197
Published: 2015-01-27
The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.

CVE-2014-9198
Published: 2015-01-27
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

CVE-2014-9646
Published: 2015-01-27
Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.