02 January 2008 | 3,702 views

Nugache – The Next Big Storm?

Check For Vulnerabilities with Acunetix

We’ve covered quite a few Storm stories – now it seems there is a new player in town, which could possibly the most advanced malware and botnet instigator so far.

It’s also something I’ve predicted before, peer to peer malware networks running without a command and control server, no single point of failure and much more tricky to take down. The guys writing these things are getting smart, random communications, peers drop and reconnect, everything is encrypted..

Dittrich, one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.

“The authors are making these subtle little changes to keep it under the radar, and they’re succeeding,” said Dittrich.

This is the future of malware and it’s not a pretty picture. What it is, is a nightmare: a new breed of malicious software developed, tested and sold by professionals and engineered to change on the fly, adapt to its environment and evade traditional defenses.

It’s definitely going to be interesting watching this one develop and waiting to see what kind of countermeasures come up. Software quality is starting to appear in malware, these are robust and technically competent worms and botnets.

The creators of these Trojans and bots not only have very strong software development and testing skills, but also clearly know how security vendors operate and how to outmaneuver defenses such as antivirus software, IDS and firewalls, experts say. They know that they simply need to alter their code and the messages carrying it in small ways in order to evade signature-based defenses. Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.

It seems like it’s a real cottage industry right now and there are some very talented programmers and security specialists working on these projects.

But then again it’s just like any other industry, where there’s bad there’s good and vice versa..and there is money to be made on both sides of the fence.

Source: SearchSecurity.com



Recent in Malware:
- Twitter Patents Technique To Detect Mobile Malware
- ParanoiDF – PDF Analysis & Password Cracking Tool
- Windows Registry Infecting Malware Has NO Files

Related Posts:
- The World’s Biggest Botnets – Peer to Peer
- Storm Worm Descends on Blogspot
- Storm Worm Spreading Some Holiday Cheer

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,326 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,473 views
- US considers banning DRM rootkits – Sony BMG - 44,933 views

Advertise on Darknet

23 Responses to “Nugache – The Next Big Storm?”

  1. Sir Henry 2 January 2008 at 3:40 pm Permalink

    This is one of the reasons I stopped reading articles posted on Reddit (not that I will stop reading here, of course); There is a bleak outlook in regard to what is currently going on behind the scenes and only a small portion of the internet population who knows about and understands any of it. I think goodpeople will agree when I say that this is where education about these matters becomes paramount.

    In a similar vein (yes, this will remain dichotomous), I once read a question on linkedin about whether to hire “hackers” for your security work. What surprised me was the overwhelming response at how hiring a person who has “hacking skills” is like asking the fox over for tea in the hen house. Such an unfortunate outlook and one wrought with emotional insecurity and a fear for the unknown. My stance is this: In order to fully understand the people who create malware of this calibre, we have think like them and do the things they do. Only then, can we have any sort of chance in creating an offensive to battle such works of intense brilliance. I know, it is a razor thin line and I am certain that thoughts of “The Force” and “The Dark Side” come to ming. The latter is rather apropos, I feel.

    I would like to know what others think of the latter ideas.

  2. goodpeople 2 January 2008 at 4:51 pm Permalink

    Sir Henry,

    When I read your first postings here, I immediately realized that you and I would be having some fun discussions here.

    I couldn’t agree with you more. As long as we sit back and wait for the next outbreak, we are bound to loose the battle. Only when we are actively developing our software, defenses and mechanisms, do we have a chance to outsmart them.

  3. Sir Henry 2 January 2008 at 5:03 pm Permalink

    @goodpeople:

    I, too, felt the same regarding our discussions. I have found immense intellectual enjoyment and stimulation here.

  4. Trejox 5 January 2008 at 6:14 am Permalink

    As a friend of mine would say… “If you want to stop/catch them… Follow The Patterns.” ;)

  5. goodpeople 6 January 2008 at 11:38 am Permalink

    @trejox,

    Just following the patterns is not good enough. You’ll always be one step behind. We have to get rid of the stance “if it works, don’t fix it”. That might be true for mechanical things, but it’s not good enough for our industry. We have to keep revising our code and programs.

    We should strive to get one step ahead of the bad guys.

  6. eM3rC 6 January 2008 at 9:38 pm Permalink

    I am totally with goodpeople and Sir Henry.

    @goodpeople

    Even following the pattern might not be the best approach. Although one group of hackers might be caught in their ways of infecting computers or hacking another (new) one might create something completely new (like Nugache) and completely stump white hats.

  7. goodpeople 7 January 2008 at 12:55 pm Permalink

    @eM3rC,

    There will always be challenges. But that doesn’t mean that we can sit back and relax. Maintenance is an ongoing task.

  8. eM3rC 8 January 2008 at 3:12 am Permalink

    Back @ goodpeople

    Its a never ending battle that will probably be won by neither side. Hopefully the hackers don’t get to far ahead of the white hats.

  9. Sir Henry 8 January 2008 at 5:20 pm Permalink

    @trejox:

    I am going to have to second what goodpeople has stated. Reactionary defenses as a means of security are not going to eliminate the threats and will most certainly not do anything to anticipate the new attacks that are out there. To fight the good fight, people need to anticipate what could potentially happen and form an offensive. Of course, I pity the security engineer who is in charge of that task.

  10. goodpeople 9 January 2008 at 12:21 am Permalink

    @Sir Henry,

    That is why they pay us the big bucks! :-)

    As a teacher I always challenge my students to proof me wrong. I encourage my students to outthink me. My ultimate goal (as should be for every teacher in every field) is for my students to someday be better than I am.

    The same principle would apply if I were a software developer. If I had made something, I would want other programmers to look at my code and help me improve it. Constantly!

    Good software is never finished. The fact that it works doesn’t mean that it works well, will continue to work well and works well under all circumstances. You can never be sure. That is why I say that software maintenance is an ongoing process. It is never “done”. The only way to stay ahead in this game is to constantly revise the code and not take anything for granted.

  11. eM3rC 9 January 2008 at 3:06 am Permalink

    @ goodpeople

    I want to have you as a teacher =P
    There need to be more teachers like this rather than teaching simply for the money or focusing their course around some test. Its a career and careers should be fun.

  12. goodpeople 9 January 2008 at 5:29 pm Permalink

    @eM3rC,

    That is why they pay ME the big bucks! ;-)

  13. Sir Henry 9 January 2008 at 5:33 pm Permalink

    They pay me the big bucks, too, but for a different reason. >:)

  14. goodpeople 9 January 2008 at 5:54 pm Permalink

    @Sir Henry,

    uhhm, let me guess.. the Boss’s daughter?

  15. Sir Henry 9 January 2008 at 5:57 pm Permalink

    Not so much the Boss’s daughter but what he has on his hard drive. ;) Nah, I actually just secured a job as an SE for a well-known PKI/Security company. Actually landed it on Monday, thus my not being around then. I can’t wait to start.

  16. goodpeople 9 January 2008 at 5:59 pm Permalink

    Then let me be the first one here to concratulate you!

  17. Sir Henry 9 January 2008 at 6:10 pm Permalink

    Thanks, goodpeople, I am really excited about the new position. My previous (well, current until the end of the month) position was not advertised correctly and my skills were underutilized or blatantly ignored. Talk about a reason to start looking into the internal security. ;)

  18. goodpeople 9 January 2008 at 6:22 pm Permalink

    So beginning of next month you’ll finally be running Linux? :-)

  19. Sir Henry 9 January 2008 at 6:30 pm Permalink

    At the beginning of the month, I can run whatever OS I want. ;)

  20. goodpeople 9 January 2008 at 6:38 pm Permalink

    Any openings for a slightly overweight 43 years old IT security teacher?

  21. Sir Henry 9 January 2008 at 6:39 pm Permalink

    I am sure that, given your experience and knowledge, there would be some opportunities. I will have to check their EU openings.

  22. goodpeople 9 January 2008 at 7:17 pm Permalink

    @Sir Henry,

    Nah, don’t bother..for now. I guess I’m a spoilt brat with 12 weeks payed vacation per year..

  23. eM3rC 7 February 2008 at 2:46 am Permalink

    Congratulations on the new job Sir Henry!

    Hope it goes well for you!