A Bigger Botnet
Results 1 to 8 of 8

Thread: A Bigger Botnet

  1. #1
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003

    A Bigger Botnet

    New Massive Botnet Twice the Size of Storm - Dark Reading

    Weighs in at 400,000 bots. Nice knowing you, Storm...

    The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.

    "It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.
    [via Slashdot]

  2. #2
    Senior Member JPnyc's Avatar
    Join Date
    Jan 2005
    Great. Just what we needed. We need to start executing the few authors of such things that we catch.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    To be honest with you guys, I say it is time to follow the money, and £$%^%^&*&^.... "entrapment".

    Hell, if I have a nuke, I have something illegal, so who should care how the FEDs found out?............. it is illegal "per se", so you don't need any of that "law & order" TV crap............. just shoot the bastards..... or as second prize, "rendition" them .............. there is a kitty litter tray in my garage

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country
    So, it IS detectable in 20% of infected machines?!

    What AV apps are picking it up? How else is it being
    detected? I'm curious...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  5. #5
    Senior Member JPnyc's Avatar
    Join Date
    Jan 2005
    I agree. I'm not concerned with the rights of criminals, it's the erroneously suspected innocents whose rights concern me.

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Redondo Beach, CA
    I wonder if the IDes are picking up the activity?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    I have been trying to find info on how this is detected.....

    anyone have any links as what type of traffic to look for


    > found this http://isc.sans.org/diary.html?storyid=4256
    Last edited by morganlefay; April 8th, 2008 at 05:05 PM.
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    "Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."
    First of all, I'd like to formally say, "I told you so." LOL. All of these products are useless in today's threat landscape.

    Second, the reason these things aren't catching the traffic is because it's inserted into "normal" traffic streams via customized protocol sets developed by the developer(s). Is anyone truly surprised by this?

    Morganlefay, see here:

    While no headers are available (yet) you can look for this 8 byte payload data string which is reported to be fixed (perhaps a session string) for this bot:

    4d f4 d5 17 dc 04 c1 2e

    Of course this will be process intensive at large organizations. I've currently setup a packet filter rule looking for the above string. Nothing has come across my drag net....yet.

    Or you can grab some rules that others have written here:

    Last edited by thehorse13; April 8th, 2008 at 05:47 PM.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Similar Threads

  1. A new botnet is making the rounds.
    By Egaladeist in forum Security News
    Replies: 0
    Last Post: October 24th, 2005, 06:47 AM
  2. Intermediate C tutorial
    By White Scorpion in forum Other Tutorials Forum
    Replies: 3
    Last Post: February 13th, 2005, 09:44 PM
  3. what is a bigger problem?viruses or spyware?
    By ali1 in forum Spyware / Adware
    Replies: 62
    Last Post: April 22nd, 2004, 10:56 PM
  4. How do I get bigger vars? (bigger than 32 bit)
    By dwcnmv in forum Programming Security
    Replies: 9
    Last Post: October 8th, 2003, 12:27 AM
  5. Future WTC Building to be Bigger
    By Spyder32 in forum Cosmos
    Replies: 15
    Last Post: December 23rd, 2002, 08:25 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts