Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/4/2008
07:28 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

MayDay! Sneakier, More Powerful Botnet on the Loose

Peer-to-peer MayDay botnet is stealthier and more powerful than Storm, researchers say

A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs.

The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted of this potential successor to Storm late last year. (See The World's Biggest Botnets .)

MayDay uses a combination of techniques to communicate with its bots, including hijacking browser proxy settings, says Tripp Cox, vice president of engineering for Damballa. He says, "It can communicate through an enterprise's secure Web proxy and conduct updates and attack activities" -- a unique method for a botnet.

The Web proxy approach also demonstrates that this is no random bot infection: "Designing bot malware to specifically use Web proxies is a clear indicator that it's targeting [specific] enterprise systems," Cox says.

The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP). "This malware is for multiple protocols and is specifically designed to be successful despite whatever security controls might be" in place, Cox says.

Cox says Damballa is not sure why AV engines aren't detecting MayDay's malware. "Is it because of the advanced techniques it's using in how the malware is constructed? Or have AV companies not been able to identify these pieces of malware?"

The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware. Damballa is still studying the botnet's delivery mechanisms for the malware, Cox says.

As for Storm, researchers are now looking at whether another spam-spewing botnet, called Mega-D, is somehow related to Storm. Researchers from U.K.-based security vendor Marshal over the weekend blogged about Mega-D overshadowing Storm in spam delivery, with 32 percent of all spam they caught in their filters versus only 2 percent from Storm, which they say previously had accounted for 20 percent of the spam. Mega-D mostly spams male sexual enhancement drugs, according to Marshal.

"There's a chance the Storm folks have taken their lessons learned and made a new subset of it... we've observed that the traffic on Storm has gone way down," says Glen Myers, a sales engineer for Marshal, who noted that a connection between Mega-D and Storm is just speculation for now.

Damballa says Storm and Mega-D are unrelated. "Our research indicates that it's distinct from Storm," Cox says. "Each compromised host can send thousands of [spam] email addresses with random subject lines. It's clearly capable of sending out huge amounts of spam."

Size doesn't always matter with botnets. MayDay is not nearly as large as Storm, but Damballa says it could potentially do more damage due to its more sophisticated and targeted approach. "MayDay is unique because it has the ability to communicate from within the inside of the enterprise," Cox says. "It's powerful in the damage it could do when orchestrated for a common purpose. It could potentially be more powerful because of the types of networks it's successfully compromised."

So far, MayDay is mostly ordering its bots to send spam runs, he says. It also sends accounting information back to the command and control servers on the success of the spam runs, so it appears relatively businesslike.

Meanwhile, Damballa is working on reverse-engineering the ICMP communications, which are encrypted, Cox says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Damballa Inc.
  • Marshal Inc.

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    News
    Inside the Ransomware Campaigns Targeting Exchange Servers
    Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
    Commentary
    Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
    Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-29445
    PUBLISHED: 2021-04-16
    jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
    CVE-2021-29446
    PUBLISHED: 2021-04-16
    jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
    CVE-2021-29451
    PUBLISHED: 2021-04-16
    Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.
    CVE-2021-29452
    PUBLISHED: 2021-04-16
    a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this ...
    CVE-2021-29444
    PUBLISHED: 2021-04-16
    jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDec...