SAN FRANCISCO -– RSA 2007 Conference –- A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa. (See The World's Biggest Botnets and MayDay! Sneakier, More Powerful Botnet on the Loose.)
The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.
"It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.
Kraken's successful infiltration of major enterprises is a wakeup call that bots aren't just a consumer problem. Damballa and other botnet experts over the past few months have seen an unsettling rise in bot infections in enterprises.
Royal says like Storm, Kraken so far is mostly being used for spamming the usual scams -- high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance. "But given that it updates its binary, there's no reason it couldn't update itself to a binary that does other things," Royal says. "I'm wondering where this thing is going to go." Damballa predicts that even now that Kraken has been outed, it will continue growing at least in the near-term -- up to at least 600,000 new bots by mid-April. Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day.
No comments:
Post a Comment