-
April 7th, 2008, 06:39 PM
#1
A Bigger Botnet
New Massive Botnet Twice the Size of Storm - Dark Reading
Weighs in at 400,000 bots. Nice knowing you, Storm...
The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.
"It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.
[via Slashdot]
-
April 7th, 2008, 07:11 PM
#2
Great. Just what we needed. We need to start executing the few authors of such things that we catch.
-
April 7th, 2008, 07:52 PM
#3
-
April 7th, 2008, 08:44 PM
#4
So, it IS detectable in 20% of infected machines?!
What AV apps are picking it up? How else is it being
detected? I'm curious...
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
April 7th, 2008, 08:50 PM
#5
I agree. I'm not concerned with the rights of criminals, it's the erroneously suspected innocents whose rights concern me.
-
April 7th, 2008, 10:42 PM
#6
I wonder if the IDes are picking up the activity?
-
April 8th, 2008, 05:03 PM
#7
I have been trying to find info on how this is detected.....
anyone have any links as what type of traffic to look for
MLF
> found this http://isc.sans.org/diary.html?storyid=4256
Last edited by morganlefay; April 8th, 2008 at 05:05 PM.
How people treat you is their karma- how you react is yours-Wayne Dyer
-
April 8th, 2008, 05:33 PM
#8
"Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."
First of all, I'd like to formally say, "I told you so." LOL. All of these products are useless in today's threat landscape.
Second, the reason these things aren't catching the traffic is because it's inserted into "normal" traffic streams via customized protocol sets developed by the developer(s). Is anyone truly surprised by this?
Morganlefay, see here:
http://isc.sans.org/diary.html?storyid=4256&rss
While no headers are available (yet) you can look for this 8 byte payload data string which is reported to be fixed (perhaps a session string) for this bot:
4d f4 d5 17 dc 04 c1 2e
Of course this will be process intensive at large organizations. I've currently setup a packet filter rule looking for the above string. Nothing has come across my drag net....yet.
Or you can grab some rules that others have written here:
http://doc.emergingthreats.net/bin/view/Main/OdeRoor
--TH13
Last edited by thehorse13; April 8th, 2008 at 05:47 PM.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
Similar Threads
-
By Egaladeist in forum Security News
Replies: 0
Last Post: October 24th, 2005, 06:47 AM
-
By White Scorpion in forum Other Tutorials Forum
Replies: 3
Last Post: February 13th, 2005, 10:44 PM
-
By ali1 in forum Spyware / Adware
Replies: 62
Last Post: April 22nd, 2004, 10:56 PM
-
By dwcnmv in forum Programming Security
Replies: 9
Last Post: October 8th, 2003, 12:27 AM
-
By Spyder32 in forum Cosmos
Replies: 15
Last Post: December 23rd, 2002, 09:25 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|