April 7th, 2008, 06:39 PM
A Bigger Botnet
New Massive Botnet Twice the Size of Storm - Dark Reading
Weighs in at 400,000 bots. Nice knowing you, Storm...
The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.
"It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.
April 7th, 2008, 07:11 PM
Great. Just what we needed. We need to start executing the few authors of such things that we catch.
April 7th, 2008, 07:52 PM
April 7th, 2008, 08:44 PM
So, it IS detectable in 20% of infected machines?!
What AV apps are picking it up? How else is it being
detected? I'm curious...
“Everybody is ignorant, only on different subjects.” — Will Rogers
April 7th, 2008, 08:50 PM
I agree. I'm not concerned with the rights of criminals, it's the erroneously suspected innocents whose rights concern me.
April 7th, 2008, 10:42 PM
I wonder if the IDes are picking up the activity?
April 8th, 2008, 05:03 PM
I have been trying to find info on how this is detected.....
anyone have any links as what type of traffic to look for
> found this http://isc.sans.org/diary.html?storyid=4256
Last edited by morganlefay; April 8th, 2008 at 05:05 PM.
How people treat you is their karma- how you react is yours-Wayne Dyer
April 8th, 2008, 05:33 PM
First of all, I'd like to formally say, "I told you so." LOL. All of these products are useless in today's threat landscape.
"Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."
Second, the reason these things aren't catching the traffic is because it's inserted into "normal" traffic streams via customized protocol sets developed by the developer(s). Is anyone truly surprised by this?
Morganlefay, see here:
While no headers are available (yet) you can look for this 8 byte payload data string which is reported to be fixed (perhaps a session string) for this bot:
4d f4 d5 17 dc 04 c1 2e
Of course this will be process intensive at large organizations. I've currently setup a packet filter rule looking for the above string. Nothing has come across my drag net....yet.
Or you can grab some rules that others have written here:
Last edited by thehorse13; April 8th, 2008 at 05:47 PM.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
By Egaladeist in forum Security News
Last Post: October 24th, 2005, 06:47 AM
By White Scorpion in forum Other Tutorials Forum
Last Post: February 13th, 2005, 09:44 PM
By ali1 in forum Spyware / Adware
Last Post: April 22nd, 2004, 10:56 PM
By dwcnmv in forum Programming Security
Last Post: October 8th, 2003, 12:27 AM
By Spyder32 in forum Cosmos
Last Post: December 23rd, 2002, 08:25 PM