'Kraken' monster botnet causing controversy

Posted by   Virus Bulletin on   Apr 9, 2008

As latest botnet scare debated, Storm keeps on blowing.

Recent reports of a massive botnet, apparently sneaking its trojans past security software and far outnumbering better-known infections such as 'Storm', have been dismissed as hype by some analysts but firmly upheld by the researchers who first alerted on the threat.

The botnet has been dubbed 'Kraken' by researchers at Damballa, who have been monitoring bot communications for several months and discussed their findings at the RSA conference currently under way in San Francisco.

Their research implies that the network has infiltrated as many as 400,000 systems, including one in ten of Fortune 500 companies. Several news reports have claimed that the malware behind the botnet was only detected by a small minority of security products, but details released later indicate that detection has improved greatly since the attack was first checked by Damballa in late 2007.

Several similar stories of major botnets rivalling the infamous Storm attack have been reported recently, including 'Mega-Dik', reported as a major spam source by Marshall, and the 'May Day' botnet, also alerted on by Damballa, both of which emerged in early February.

Much like these two incidents, the 'Kraken' announcement has brought several ripostes from other researchers, including claims that the malware in question is in fact well known, possibly the family commonly known as W32/Bobax.

The confusion has once again resurrected the debate on malware naming issues, and also the complexity of measuring the size of an individual botnet - in this case, the Damballa researchers apparently hijacked communication servers used by the botnet by predicting names likely to be used and registering them for themselves. They then counted the compromised systems attempting to connect to them.

The size of the Storm botnet has been variously estimated from tens of thousands of systems to several million, fluctuating wildly over time and between sources, while numerous other botnets, such as those spread by the Cutwail/Pandex/Pushdu family and the much more venerable Rbot, have also been reckoned to have similar or even greater penetration. Many analysts have noted a marked inconsistency between the media attention gained by Storm and its actual impact, driven mainly by its highly fluid, innovative and often attention-grabbing social engineering techniques.

As if in response to the Kraken story, Storm has once again changed tack and sent out a wave of messages targeting new victims, picking up a common malware tactic of posing as video-decoding software and this time seemingly playing on its notoriety, cheekily entitling its latest attack the 'Storm codec'.

Initial news reports on the Damballa findings are in Darkreading here and The Register here, with analysis from Washington Post blogger Brian Krebs here and in more blog entries from Sophos here and Symantec here.

Details of the latest Storm run are at ESET here, at Sophos here and at Trend Micro here.

Posted on 9 April 2008 by Virus Bulletin



Latest posts:

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.