Posted by Virus Bulletin on Apr 9, 2008
As latest botnet scare debated, Storm keeps on blowing.
Recent reports of a massive botnet, apparently sneaking its trojans past security software and far outnumbering better-known infections such as 'Storm', have been dismissed as hype by some analysts but firmly upheld by the researchers who first alerted on the threat.
The botnet has been dubbed 'Kraken' by researchers at Damballa, who have been monitoring bot communications for several months and discussed their findings at the RSA conference currently under way in San Francisco.
Their research implies that the network has infiltrated as many as 400,000 systems, including one in ten of Fortune 500 companies. Several news reports have claimed that the malware behind the botnet was only detected by a small minority of security products, but details released later indicate that detection has improved greatly since the attack was first checked by Damballa in late 2007.
Several similar stories of major botnets rivalling the infamous Storm attack have been reported recently, including 'Mega-Dik', reported as a major spam source by Marshall, and the 'May Day' botnet, also alerted on by Damballa, both of which emerged in early February.
Much like these two incidents, the 'Kraken' announcement has brought several ripostes from other researchers, including claims that the malware in question is in fact well known, possibly the family commonly known as W32/Bobax.
The confusion has once again resurrected the debate on malware naming issues, and also the complexity of measuring the size of an individual botnet - in this case, the Damballa researchers apparently hijacked communication servers used by the botnet by predicting names likely to be used and registering them for themselves. They then counted the compromised systems attempting to connect to them.
The size of the Storm botnet has been variously estimated from tens of thousands of systems to several million, fluctuating wildly over time and between sources, while numerous other botnets, such as those spread by the Cutwail/Pandex/Pushdu family and the much more venerable Rbot, have also been reckoned to have similar or even greater penetration. Many analysts have noted a marked inconsistency between the media attention gained by Storm and its actual impact, driven mainly by its highly fluid, innovative and often attention-grabbing social engineering techniques.
As if in response to the Kraken story, Storm has once again changed tack and sent out a wave of messages targeting new victims, picking up a common malware tactic of posing as video-decoding software and this time seemingly playing on its notoriety, cheekily entitling its latest attack the 'Storm codec'.
Initial news reports on the Damballa findings are in Darkreading here and The Register here, with analysis from Washington Post blogger Brian Krebs here and in more blog entries from Sophos here and Symantec here.