Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/7/2008
12:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Massive Botnet Twice the Size of Storm

400,000-strong 'Kraken' botnet has infiltrated 50 Fortune 500 companies -- and now usurps Storm as world's biggest botnet

SAN FRANCISCO -– RSA 2008 Conference –- A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa. (See The World's Biggest Botnets and MayDay! Sneakier, More Powerful Botnet on the Loose.)

The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.

"It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.

Kraken's successful infiltration of major enterprises is a wakeup call that bots aren't just a consumer problem. Damballa and other botnet experts over the past few months have seen an unsettling rise in bot infections in enterprises. (See Bots Rise in the Enterprise.)

Royal says like Storm, Kraken so far is mostly being used for spamming the usual scams -- high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance. "But given that it updates its binary, there's no reason it couldn't update itself to a binary that does other things," Royal says. "I'm wondering where this thing is going to go."

Damballa predicts that even now that Kraken has been outed, it will continue growing at least in the near-term -- up to at least 600,000 new bots by mid-April. Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day.

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.

Royal initially didn't rule out the possibility that Kraken could be some sort of Storm spinoff, but later today concluded that recent analysis by Damballa confirms that the two botnets are unrelated.

Kraken's bots and command and control servers communicate via customized UDP and TCP-based protocols, he says, and the botnet has built-in redundancy features that automatically generate new domain names if a C&C server gets shut down or becomes disabled. "And the actual payload is encrypted," Royal says.

Damballa first noticed Kraken late last year, but says early variants of the botnet appear to date back to late 2006. The primary C&C servers are hosted in France, Russia, and the U.S., according to Damballa.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Damballa Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Data Leak Week: Billions of Sensitive Files Exposed Online
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: Our Endpoint Protection system is a little outdated... 
    Current Issue
    The Year in Security: 2019
    This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-12420
    PUBLISHED: 2019-12-12
    In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
    CVE-2019-16774
    PUBLISHED: 2019-12-12
    In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
    CVE-2018-11805
    PUBLISHED: 2019-12-12
    In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
    CVE-2019-5061
    PUBLISHED: 2019-12-12
    An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
    CVE-2019-5062
    PUBLISHED: 2019-12-12
    An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...