Nugache – The Next Big Storm?

We’ve covered quite a few Storm stories – now it seems there is a new player in town, which could possibly the most advanced malware and botnet instigator so far.

It’s also something I’ve predicted before, peer to peer malware networks running without a command and control server, no single point of failure and much more tricky to take down. The guys writing these things are getting smart, random communications, peers drop and reconnect, everything is encrypted..

Dittrich, one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.

“The authors are making these subtle little changes to keep it under the radar, and they’re succeeding,” said Dittrich.

This is the future of malware and it’s not a pretty picture. What it is, is a nightmare: a new breed of malicious software developed, tested and sold by professionals and engineered to change on the fly, adapt to its environment and evade traditional defenses.

It’s definitely going to be interesting watching this one develop and waiting to see what kind of countermeasures come up. Software quality is starting to appear in malware, these are robust and technically competent worms and botnets.

The creators of these Trojans and bots not only have very strong software development and testing skills, but also clearly know how security vendors operate and how to outmaneuver defenses such as antivirus software, IDS and firewalls, experts say. They know that they simply need to alter their code and the messages carrying it in small ways in order to evade signature-based defenses. Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.

It seems like it’s a real cottage industry right now and there are some very talented programmers and security specialists working on these projects.

But then again it’s just like any other industry, where there’s bad there’s good and vice versa..and there is money to be made on both sides of the fence.


Posted in: Malware

, , , , , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

23 Responses to Nugache – The Next Big Storm?

  1. Sir Henry January 2, 2008 at 3:40 pm #

    This is one of the reasons I stopped reading articles posted on Reddit (not that I will stop reading here, of course); There is a bleak outlook in regard to what is currently going on behind the scenes and only a small portion of the internet population who knows about and understands any of it. I think goodpeople will agree when I say that this is where education about these matters becomes paramount.

    In a similar vein (yes, this will remain dichotomous), I once read a question on linkedin about whether to hire “hackers” for your security work. What surprised me was the overwhelming response at how hiring a person who has “hacking skills” is like asking the fox over for tea in the hen house. Such an unfortunate outlook and one wrought with emotional insecurity and a fear for the unknown. My stance is this: In order to fully understand the people who create malware of this calibre, we have think like them and do the things they do. Only then, can we have any sort of chance in creating an offensive to battle such works of intense brilliance. I know, it is a razor thin line and I am certain that thoughts of “The Force” and “The Dark Side” come to ming. The latter is rather apropos, I feel.

    I would like to know what others think of the latter ideas.

  2. goodpeople January 2, 2008 at 4:51 pm #

    Sir Henry,

    When I read your first postings here, I immediately realized that you and I would be having some fun discussions here.

    I couldn’t agree with you more. As long as we sit back and wait for the next outbreak, we are bound to loose the battle. Only when we are actively developing our software, defenses and mechanisms, do we have a chance to outsmart them.

  3. Sir Henry January 2, 2008 at 5:03 pm #


    I, too, felt the same regarding our discussions. I have found immense intellectual enjoyment and stimulation here.

  4. Trejox January 5, 2008 at 6:14 am #

    As a friend of mine would say… “If you want to stop/catch them… Follow The Patterns.” ;)

  5. goodpeople January 6, 2008 at 11:38 am #


    Just following the patterns is not good enough. You’ll always be one step behind. We have to get rid of the stance “if it works, don’t fix it”. That might be true for mechanical things, but it’s not good enough for our industry. We have to keep revising our code and programs.

    We should strive to get one step ahead of the bad guys.

  6. eM3rC January 6, 2008 at 9:38 pm #

    I am totally with goodpeople and Sir Henry.


    Even following the pattern might not be the best approach. Although one group of hackers might be caught in their ways of infecting computers or hacking another (new) one might create something completely new (like Nugache) and completely stump white hats.

  7. goodpeople January 7, 2008 at 12:55 pm #


    There will always be challenges. But that doesn’t mean that we can sit back and relax. Maintenance is an ongoing task.

  8. eM3rC January 8, 2008 at 3:12 am #

    Back @ goodpeople

    Its a never ending battle that will probably be won by neither side. Hopefully the hackers don’t get to far ahead of the white hats.

  9. Sir Henry January 8, 2008 at 5:20 pm #


    I am going to have to second what goodpeople has stated. Reactionary defenses as a means of security are not going to eliminate the threats and will most certainly not do anything to anticipate the new attacks that are out there. To fight the good fight, people need to anticipate what could potentially happen and form an offensive. Of course, I pity the security engineer who is in charge of that task.

  10. goodpeople January 9, 2008 at 12:21 am #

    @Sir Henry,

    That is why they pay us the big bucks! :-)

    As a teacher I always challenge my students to proof me wrong. I encourage my students to outthink me. My ultimate goal (as should be for every teacher in every field) is for my students to someday be better than I am.

    The same principle would apply if I were a software developer. If I had made something, I would want other programmers to look at my code and help me improve it. Constantly!

    Good software is never finished. The fact that it works doesn’t mean that it works well, will continue to work well and works well under all circumstances. You can never be sure. That is why I say that software maintenance is an ongoing process. It is never “done”. The only way to stay ahead in this game is to constantly revise the code and not take anything for granted.

  11. eM3rC January 9, 2008 at 3:06 am #

    @ goodpeople

    I want to have you as a teacher =P
    There need to be more teachers like this rather than teaching simply for the money or focusing their course around some test. Its a career and careers should be fun.

  12. goodpeople January 9, 2008 at 5:29 pm #


    That is why they pay ME the big bucks! ;-)

  13. Sir Henry January 9, 2008 at 5:33 pm #

    They pay me the big bucks, too, but for a different reason. >:)

  14. goodpeople January 9, 2008 at 5:54 pm #

    @Sir Henry,

    uhhm, let me guess.. the Boss’s daughter?

  15. Sir Henry January 9, 2008 at 5:57 pm #

    Not so much the Boss’s daughter but what he has on his hard drive. ;) Nah, I actually just secured a job as an SE for a well-known PKI/Security company. Actually landed it on Monday, thus my not being around then. I can’t wait to start.

  16. goodpeople January 9, 2008 at 5:59 pm #

    Then let me be the first one here to concratulate you!

  17. Sir Henry January 9, 2008 at 6:10 pm #

    Thanks, goodpeople, I am really excited about the new position. My previous (well, current until the end of the month) position was not advertised correctly and my skills were underutilized or blatantly ignored. Talk about a reason to start looking into the internal security. ;)

  18. goodpeople January 9, 2008 at 6:22 pm #

    So beginning of next month you’ll finally be running Linux? :-)

  19. Sir Henry January 9, 2008 at 6:30 pm #

    At the beginning of the month, I can run whatever OS I want. ;)

  20. goodpeople January 9, 2008 at 6:38 pm #

    Any openings for a slightly overweight 43 years old IT security teacher?

  21. Sir Henry January 9, 2008 at 6:39 pm #

    I am sure that, given your experience and knowledge, there would be some opportunities. I will have to check their EU openings.

  22. goodpeople January 9, 2008 at 7:17 pm #

    @Sir Henry,

    Nah, don’t bother..for now. I guess I’m a spoilt brat with 12 weeks payed vacation per year..

  23. eM3rC February 7, 2008 at 2:46 am #

    Congratulations on the new job Sir Henry!

    Hope it goes well for you!