Free Republic
General/Chat

Move over Storm - there's a bigger, stealthier botnet in town
The Register ^ | 7th April 2008 | Dan Goodin

Posted on 04/07/2008 7:34:34 PM PDT by Gomez

Researchers have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network.

Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware. Just as a con artist might throw off detectives by changing his hair color or other physical characteristics, Kraken's ability to morph its code base has allowed it to evade the majority of malware detectors.

"Kraken, despite being on all these people's computers, has such low anti-virus coverage," said Paul Royal, principal researcher at Atlanta-based Damballa. "Anti-virus companies can't keep up with the arms race because of the number of variants and the frequency of the updates."

In addition, the code inside the executable file that infects a PC has been arranged in a way that makes it hard for malware analysis tools to accurately disassemble the malicious program.

"It raises the question of whether this basically has been authored specifically with anti-virus evasion in mind," Royal added.

Kraken most likely spreads by tricking end users into clicking on a malicious file that's disguised as an image. When it's executed, the program automatically copies itself to the hard drive in a slightly altered format. In the event AV programs are eventually able to recognize the original file, Kraken can use the altered file to reinfect the machine. Moreover, zombie machines regularly update themselves as an additional measure to prevent detection.

Kraken's primary activity is sending spam that advertises high-interest loans, male-enhancement techniques, fake designer watches and gambling opportunities. Damballa has observed as many as 500,000 pieces of junk mail being sent from a single zombie.

Estimates have varied wildly for the number of bots belonging to the Storm network. While some researchers have said millions of machines have been compromised, MessageLabs in February put the number of nodes at just 85,000. Whatever the number - Damballa estimates Storm has 200,000 victims - it was believed to be the biggest.

Until now, that is. It has clearly been eclipsed by Kraken, which on March 25 was observed to have compromised 409,912 unique IP addresses during a 24-hour period. Royal predicted the number will grow to more than 600,000 in the next two weeks.

Royal says he's still trying to figure out how the bot is managing to horn its way on to so many machines, many of which are behind well-fortified networks of some of the world's biggest companies.

"Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."


TOPICS: Computers/Internet
KEYWORDS: malware; windows

1 posted on 04/07/2008 7:34:35 PM PDT by Gomez
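An added defender-side check, not from the article or from Damballa, for the spam behaviour the report describes: a constructed firewall log and a small parser that flag internal workstations contacting many distinct external SMTP servers directly, which a zombie sending mail straight to recipients' mail exchangers does and a workstation that uses the corporate relay does not. The log format, the 10.0.0.0/8 address range, the relay address and the threshold are assumptions.

```python
"""Flag internal hosts that talk SMTP directly to many external servers."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

INTERNAL = ip_network("10.0.0.0/8")   # assumption: corporate address space
SMTP_PORTS = {25, 587}

# Constructed firewall log lines: "timestamp src dst dport action".
# 10.0.4.17 behaves like a spam zombie (direct-to-MX to many hosts);
# 10.0.7.3 behaves normally (corporate relay 10.0.0.25, one stray peer).
SAMPLE_LOG = """\
2008-04-07T19:00:01 10.0.4.17 10.0.0.25 25 ALLOW
2008-04-07T19:00:02 10.0.4.17 203.0.113.5 25 ALLOW
2008-04-07T19:00:02 10.0.4.17 198.51.100.9 25 ALLOW
2008-04-07T19:00:03 10.0.4.17 192.0.2.44 25 ALLOW
2008-04-07T19:00:03 10.0.4.17 192.0.2.45 25 ALLOW
2008-04-07T19:00:04 10.0.4.17 203.0.113.77 587 ALLOW
2008-04-07T19:00:05 10.0.4.17 203.0.113.80 25 DENY
2008-04-07T19:00:06 10.0.7.3 10.0.0.25 25 ALLOW
2008-04-07T19:00:07 10.0.7.3 203.0.113.10 443 ALLOW
2008-04-07T19:00:08 10.0.7.3 203.0.113.5 25 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def direct_smtp_peers(log_text):
    """Map each internal source (as a string) to the external SMTP peers it hit.

    Internal destinations (including the sanctioned relay) are ignored. DENY
    lines still count: a blocked attempt is evidence of what the host tried.
    """
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, dst, dport = ip_address(m[2]), ip_address(m[3]), int(m[4])
        if dport not in SMTP_PORTS or src not in INTERNAL or dst in INTERNAL:
            continue
        peers[str(src)].add(str(dst))
    return peers


def suspect_spammers(log_text, max_peers=3):
    """Return internal hosts with more than max_peers distinct external SMTP peers.

    A low threshold suits workstations, which should only ever use the relay;
    a real mail server needs its own allow-list (assumption).
    """
    return sorted(src for src, dsts in direct_smtp_peers(log_text).items()
                  if len(dsts) > max_peers)
```

Run over real logs this needs the relay and any legitimate mail servers allow-listed first, otherwise they top the list.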

To: ShadowAce

Windows ping! LOL!


2 posted on 04/07/2008 7:45:02 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: Gomez; ShadowAce

"Royal says he's still trying to figure out how the bot is managing to horn its way on to so many machines, many of which are behind well-fortified networks of some of the world's biggest companies.

"Somehow, this thing is evading the canonical defense techniques that the enterprises use," such as intrusion detection systems and intrusion prevention systems, he said. "It should be caught by IDSes, IPSes and firewalls and it's not."

Wow, that's interesting. For an 'owned' machine to call home from behind a firewall and evade IDSs is interesting. I wonder if it uses port 80, or runs some scan to find an available port to hop onto. Of course such a scan would cause any IDS to raise red flags. This will be worth watching to see how it unfolds.

3 posted on 04/07/2008 7:53:20 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: KoRn

GRRRR! Is this why Comcast gives me a gazillion warnings a day that “Your computer is not protected”—no matter how many scans I do?


4 posted on 04/07/2008 7:58:49 PM PDT by Palladin (Obama is a totalitarian nutcase.)

To: Palladin
"Is this why Comcast gives me a gazillion warnings a day that “Your computer is not protected”—no matter how many scans I do?"

How does Comcast get that message to you?

5 posted on 04/07/2008 8:06:48 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: KoRn; Gomez; ShadowAce

I don’t know a whole lot about these things. But do you think it is possible that someone could hire a botnet to run up the number of views/visits they have on a myspace account or a vid on youtube? And if so, do you think this happens much?


6 posted on 04/07/2008 8:12:15 PM PDT by mamelukesabre (Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?)

To: mamelukesabre
"I don’t know a whole lot about these things. But do you think it is possible that someone could hire a botnet to run up the number of views/visits they have on a myspace account or a vid on youtube? And if so, do you think this happens much?"

Such things absolutely do happen. A spammer will set up a website with nothing but ads from paid sponsors. They will set up a botnet to do nothing but query the site, and the user with an infected computer is invaded with all of the popups and banners from the site. To the sponsor this will look like hits on their ad, and the spammer gets money. Botnets can be very profitable in that regard.

7 posted on 04/07/2008 8:18:08 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: KoRn

It pops up on my toolbar. It’s an exclamation point in a yellow circle.


8 posted on 04/07/2008 8:26:18 PM PDT by Palladin (Obama is a totalitarian nutcase.)

To: Palladin

I forgot to say I have McAfee virus protection with automatic updates. That’s where the message comes from.


9 posted on 04/07/2008 8:28:00 PM PDT by Palladin (Obama is a totalitarian nutcase.)

To: Palladin
"It pops up on my toolbar. It’s an exclamation point in a yellow circle."

That sounds like a Windows security alert of some kind. Are you sure it's from Comcast? Windows will show a shield icon with an exclamation point.

10 posted on 04/07/2008 8:49:22 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: Palladin
I have Comcast. I run absolutely NO anti-virus software. In fact I remove it when I get a new computer. My whole 5-PC, Xbox 360, PS3, Wii, PSP, home theater and clock radio wireless N network running 128-bit encryption runs flawlessly with no malicious software on any box.

The key is to stay away from clicking on stupid ads and porn websites. Change your email address if you have to.

You are the main cause of your computer's problems.

11 posted on 04/07/2008 9:33:02 PM PDT by BreezyDog

To: BreezyDog

I appreciate the advice. It certainly is a novel approach to use no anti-virus program at all, but in light of these recent botware attacks, it may be a good solution.

I never click on porn ads—I hate the stuff. I avoid FORWARDS, even from my best friends. I am as proactive as I can be.

But for 50 bucks a month, Comcast should figure out a way to keep this stuff from ever reaching my inbox.


12 posted on 04/08/2008 1:57:24 PM PDT by Palladin (Obama is a totalitarian nutcase.)

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

Sorry for the delay in the pings lately. I am in the middle of relocating, and it took two days to drive here, and another two days to get kinda settled into work. I'm also looking for an apartment here in town.

13 posted on 04/09/2008 4:47:52 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

where is “here”?


14 posted on 04/09/2008 4:49:52 PM PDT by KC Burke (Men of intemperate minds can never be free...their passions forge their fetters.)

To: KC Burke

Ahh—sorry. Houston.


15 posted on 04/09/2008 4:57:44 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce
"I'm also looking for an apartment here in town."

Just move into a foreclosed property. Just stay away during the day, and don't leave your stuff lying around.

16 posted on 04/09/2008 4:58:43 PM PDT by KoRn (CTHULHU '08 - I won't settle for a lesser evil any longer!)

To: KoRn

LOL! I can’t leave my stuff lying around anyway. This is an interesting city.


17 posted on 04/09/2008 5:18:31 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: BreezyDog; Palladin
> I run absolutely NO anti-virus software. In fact I remove it when I get a new computer...

Yeah, me too, except for my crashbox (which is intended for wider-open testing use).

> The key is to stay away from clicking on stupid ads and porn websites. Change your email address if you have to. You are the main cause of your computer's problems.

Not everybody can do that. You and I, maybe, and only because we know how to be careful to the point of obsession. But even I run a scan occasionally using AVG to prove that I'm running clean.

> ...no malicious software on any box.

Just as in sex, running without protection is only going to work if you also practice abstinence, except for known clean and trusted partners. But in a world where even trusted websites get compromised and hacked daily, whom do you really trust???

That is, how do you KNOW you have "no malicious software on any box" unless you check from time to time? And that requires some form of A-V.

Can you demonstrate or prove your claim?

18 posted on 04/09/2008 6:18:08 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored

bookmarking.


19 posted on 04/09/2008 8:12:51 PM PDT by Big Giant Head (I should change my tagline to "Big Giant penguin on my Head")

To: ShadowAce
Ahh—sorry. Houston.

Dude, I grew up south of Houston in Seabrook. I feel sorry for the summer you are about to get to experience :-)

20 posted on 04/09/2008 8:59:21 PM PDT by zeugma (FedGov has no intention of actually doing anything to secure this nation. It's all a power grab.)

To: zeugma

BUMP.


21 posted on 04/10/2008 4:41:59 PM PDT by Palladin (Obama is a totalitarian nutcase.)
