01:25 PM
George V. Hulme
George V. Hulme

The Kraken Botnet Returns

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.

The return of the Kraken botnet from its reported death in 2009 shows just how difficult squashing the botnet threat really is.Last week Paul Royal, research scientist at the Georgia Tech Information Security Center (GTISC), told DarkReading's Tim Wilson that the infamous Kraken botnet is surging in strength once again.

In the spring of 2008, the Kraken botnet was reported to be from 400,000 to 650,000 bots strong. Currently, the new rendition of Kraken is a spam distributor, with a single DSL-powered node spotted spewing more than 600,000 spam e-mails in a 24-hour period. According to Royal, the botnet has attained nearly half of its former peak at 318,000 systems.

What is equally as troubling is not what Kraken does, but how stealthy it has proven to be against the most poplar anti-virus tools. From DarkReading:

Many popular antivirus tools don't detect Kraken, Royal says. A scan by VirusTotal indicates that none of the top three antivirus tools -- Symantec, McAfee, and Trend Micro -- can detect current Kraken samples, he reports.

The resurrected Kraken is usually installed by another botnet, using botnet malware such as Butterfly, Royal reports. It's not clear whether Kraken installation is handled by the same criminal group as Kraken operations, but it could be an example of specialized criminal groups working together, he suggests.

Tie together a few of trends, and it's easy to see why botnets like Kraken are so troubling. First, they are profitable: criminal gangs use them to send massive quantities of spam for next to no cost. Second, as Royal noted, common anti-virus defenses fail to catch the bots on infected systems.

The third concerning trend is how easy it is for bot authors and operators to infect end users with their scourge. Bots can be delivered by e-mail with malicious payload attached, through other targeted exploit software, and even by visiting legitimate - but infected - Web sites. In the latter case users need not do anything. The infected web site seeks visitors with unpatched web browsers, or uses zero-day vulnerabilities, and exploit code to deliver the payload and bot.

Modern botnets have been around for years now, and it seems we are not getting any better at detecting and mitigating these threats. It's proving too easy for bots to obfuscate themselves from traditional anti-virus programs. It's time the industry get serious about finding other methods for spotting and destroying bots.

ISPs could do more to find and block botnet traffic, for instance. Another option would be to develop better algorithms capable of sniffing typical bot behavior on end points, such as calling out to IRC channels, sending/receiving communications from strange remote servers, among other potential red flags. Perhaps an endpoint rapid-firing 600,000 spam e-mails would be another clue that something is awry.

One thing is certain: current methods of bot detection and remediation are not getting the job done.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio