0 Replies Latest reply on Apr 10, 2008 3:31 PM by HarryWaldron

    Kraken - Large sophisticated Botnet discovered

      AV researchers have recently discovered a new botnet that may be as large and as sophisticated than the Storm Worm network. This new botnet uses some of the following advanced techniques:

      -- encrypted communications (to evade firewall, IDS, and AV detections)
      -- encrypted payloads (to evate AV detections)
      -- polymorphic droppers (malicious web based downloads that constantly change)
      -- multi-threaded spam engine (over 500,000 spam entries observed to be sent from one "zombie" PC owned by this network)
      -- command-and-control server redundancy (when a master server is taken offline by authorities, new master servers are automatically re-hosted)

      There are still many unknowns at this point. Only 20% of AV vendors are estimated to have coverage at this point, but this is expected to improve as more technical details of this new threat emerge.

      Kraken - Large sophisticated botnet discovered
      http://www.symantec.com/enterprise/security_response/weblog/2008/04/kracken_to_o ut_do_storm.html

      QUOTE: There is news that there is a new botnet in town, over twice the size of the Storm Worm in town called Kraken. Researchers from Damballa have discovered and tracked it the last two weeks and I'm guessing from news reports have presented their findings at RSA.

      The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.

      "It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.

      Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.

      Kraken's bots and command and control servers communicate via customized UDP and TCP-based protocols, he says, and the botnet has built-in redundancy features that automatically generate new domain names if a C&C server gets shut down or becomes disabled. "And the actual payload is encrypted," Royal says.

      Kraken is thought to be infecting computers by using social engineering methods similar to those used by Storm. The malicious code is believed to be posing as an image file to the user, although this has yet to be confirmed. At the time of writing, the Trojan is serving up debt consolidation and gambling-related spam linking to Chinese sites.