MayDay! Sneakier, More Powerful Botnet on the Loose

Peer-to-peer MayDay botnet is stealthier and more powerful than Storm, researchers say


A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs.

The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted at this potential successor to Storm late last year. (See The World's Biggest Botnets.)

MayDay uses a combination of techniques to communicate with its bots, including hijacking browser proxy settings, says Tripp Cox, vice president of engineering for Damballa. He says, "It can communicate through an enterprise's secure Web proxy and conduct updates and attack activities" -- a unique method for a botnet.

The Web proxy approach also demonstrates that this is no random bot infection: "Designing bot malware to specifically use Web proxies is a clear indicator that it's targeting [specific] enterprise systems," Cox says.

The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP). "This malware is for multiple protocols and is specifically designed to be successful despite whatever security controls might be" in place, Cox says.

Cox says Damballa is not sure why AV engines aren't detecting MayDay's malware. "Is it because of the advanced techniques it's using in how the malware is constructed? Or have AV companies not been able to identify these pieces of malware?"

The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware. Damballa is still studying the botnet's delivery mechanisms for the malware, Cox says.

As for Storm, researchers are now looking at whether another spam-spewing botnet, called Mega-D, is somehow related to Storm. Researchers from U.K.-based security vendor Marshal over the weekend blogged about Mega-D overshadowing Storm in spam delivery, with 32 percent of all spam they caught in their filters versus only 2 percent from Storm, which they say previously had accounted for 20 percent of the spam. Mega-D mostly spams advertisements for male sexual enhancement drugs, according to Marshal.

"There's a chance the Storm folks have taken their lessons learned and made a new subset of it... we've observed that the traffic on Storm has gone way down," says Glen Myers, a sales engineer for Marshal, who noted that a connection between Mega-D and Storm is just speculation for now.

Damballa says Storm and Mega-D are unrelated. "Our research indicates that it's distinct from Storm," Cox says. "Each compromised host can send thousands of [spam] email addresses with random subject lines. It's clearly capable of sending out huge amounts of spam."

Size doesn't always matter with botnets. MayDay is not nearly as large as Storm, but Damballa says it could potentially do more damage due to its more sophisticated and targeted approach. "MayDay is unique because it has the ability to communicate from within the inside of the enterprise," Cox says. "It's powerful in the damage it could do when orchestrated for a common purpose. It could potentially be more powerful because of the types of networks it's successfully compromised."

So far, MayDay is mostly ordering its bots to send spam runs, he says. It also sends accounting information back to the command and control servers on the success of the spam runs, so it appears relatively businesslike.

Meanwhile, Damballa is working on reverse-engineering the ICMP communications, which are encrypted, Cox says.


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
