Nugache – The Next Big Storm?

The New Acunetix V12 Engine

We’ve covered quite a few Storm stories – now it seems there is a new player in town, which could possibly the most advanced malware and botnet instigator so far.

It’s also something I’ve predicted before, peer to peer malware networks running without a command and control server, no single point of failure and much more tricky to take down. The guys writing these things are getting smart, random communications, peers drop and reconnect, everything is encrypted..

Dittrich, one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.

“The authors are making these subtle little changes to keep it under the radar, and they’re succeeding,” said Dittrich.

This is the future of malware and it’s not a pretty picture. What it is, is a nightmare: a new breed of malicious software developed, tested and sold by professionals and engineered to change on the fly, adapt to its environment and evade traditional defenses.

It’s definitely going to be interesting watching this one develop and waiting to see what kind of countermeasures come up. Software quality is starting to appear in malware, these are robust and technically competent worms and botnets.

The creators of these Trojans and bots not only have very strong software development and testing skills, but also clearly know how security vendors operate and how to outmaneuver defenses such as antivirus software, IDS and firewalls, experts say. They know that they simply need to alter their code and the messages carrying it in small ways in order to evade signature-based defenses. Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.

It seems like it’s a real cottage industry right now and there are some very talented programmers and security specialists working on these projects.

But then again it’s just like any other industry, where there’s bad there’s good and vice versa..and there is money to be made on both sides of the fence.


Posted in: Malware

, , , , , ,

Latest Posts:

Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds. - Test SSL Security Including Ciphers, Protocols & Detect Flaws – Test SSL Security Including Ciphers, Protocols & Detect Flaws is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.

23 Responses to Nugache – The Next Big Storm?

  1. Sir Henry January 2, 2008 at 3:40 pm #

    This is one of the reasons I stopped reading articles posted on Reddit (not that I will stop reading here, of course); There is a bleak outlook in regard to what is currently going on behind the scenes and only a small portion of the internet population who knows about and understands any of it. I think goodpeople will agree when I say that this is where education about these matters becomes paramount.

    In a similar vein (yes, this will remain dichotomous), I once read a question on linkedin about whether to hire “hackers” for your security work. What surprised me was the overwhelming response at how hiring a person who has “hacking skills” is like asking the fox over for tea in the hen house. Such an unfortunate outlook and one wrought with emotional insecurity and a fear for the unknown. My stance is this: In order to fully understand the people who create malware of this calibre, we have think like them and do the things they do. Only then, can we have any sort of chance in creating an offensive to battle such works of intense brilliance. I know, it is a razor thin line and I am certain that thoughts of “The Force” and “The Dark Side” come to ming. The latter is rather apropos, I feel.

    I would like to know what others think of the latter ideas.

  2. goodpeople January 2, 2008 at 4:51 pm #

    Sir Henry,

    When I read your first postings here, I immediately realized that you and I would be having some fun discussions here.

    I couldn’t agree with you more. As long as we sit back and wait for the next outbreak, we are bound to loose the battle. Only when we are actively developing our software, defenses and mechanisms, do we have a chance to outsmart them.

  3. Sir Henry January 2, 2008 at 5:03 pm #


    I, too, felt the same regarding our discussions. I have found immense intellectual enjoyment and stimulation here.

  4. Trejox January 5, 2008 at 6:14 am #

    As a friend of mine would say… “If you want to stop/catch them… Follow The Patterns.” ;)

  5. goodpeople January 6, 2008 at 11:38 am #


    Just following the patterns is not good enough. You’ll always be one step behind. We have to get rid of the stance “if it works, don’t fix it”. That might be true for mechanical things, but it’s not good enough for our industry. We have to keep revising our code and programs.

    We should strive to get one step ahead of the bad guys.

  6. eM3rC January 6, 2008 at 9:38 pm #

    I am totally with goodpeople and Sir Henry.


    Even following the pattern might not be the best approach. Although one group of hackers might be caught in their ways of infecting computers or hacking another (new) one might create something completely new (like Nugache) and completely stump white hats.

  7. goodpeople January 7, 2008 at 12:55 pm #


    There will always be challenges. But that doesn’t mean that we can sit back and relax. Maintenance is an ongoing task.

  8. eM3rC January 8, 2008 at 3:12 am #

    Back @ goodpeople

    Its a never ending battle that will probably be won by neither side. Hopefully the hackers don’t get to far ahead of the white hats.

  9. Sir Henry January 8, 2008 at 5:20 pm #


    I am going to have to second what goodpeople has stated. Reactionary defenses as a means of security are not going to eliminate the threats and will most certainly not do anything to anticipate the new attacks that are out there. To fight the good fight, people need to anticipate what could potentially happen and form an offensive. Of course, I pity the security engineer who is in charge of that task.

  10. goodpeople January 9, 2008 at 12:21 am #

    @Sir Henry,

    That is why they pay us the big bucks! :-)

    As a teacher I always challenge my students to proof me wrong. I encourage my students to outthink me. My ultimate goal (as should be for every teacher in every field) is for my students to someday be better than I am.

    The same principle would apply if I were a software developer. If I had made something, I would want other programmers to look at my code and help me improve it. Constantly!

    Good software is never finished. The fact that it works doesn’t mean that it works well, will continue to work well and works well under all circumstances. You can never be sure. That is why I say that software maintenance is an ongoing process. It is never “done”. The only way to stay ahead in this game is to constantly revise the code and not take anything for granted.

  11. eM3rC January 9, 2008 at 3:06 am #

    @ goodpeople

    I want to have you as a teacher =P
    There need to be more teachers like this rather than teaching simply for the money or focusing their course around some test. Its a career and careers should be fun.

  12. goodpeople January 9, 2008 at 5:29 pm #


    That is why they pay ME the big bucks! ;-)

  13. Sir Henry January 9, 2008 at 5:33 pm #

    They pay me the big bucks, too, but for a different reason. >:)

  14. goodpeople January 9, 2008 at 5:54 pm #

    @Sir Henry,

    uhhm, let me guess.. the Boss’s daughter?

  15. Sir Henry January 9, 2008 at 5:57 pm #

    Not so much the Boss’s daughter but what he has on his hard drive. ;) Nah, I actually just secured a job as an SE for a well-known PKI/Security company. Actually landed it on Monday, thus my not being around then. I can’t wait to start.

  16. goodpeople January 9, 2008 at 5:59 pm #

    Then let me be the first one here to concratulate you!

  17. Sir Henry January 9, 2008 at 6:10 pm #

    Thanks, goodpeople, I am really excited about the new position. My previous (well, current until the end of the month) position was not advertised correctly and my skills were underutilized or blatantly ignored. Talk about a reason to start looking into the internal security. ;)

  18. goodpeople January 9, 2008 at 6:22 pm #

    So beginning of next month you’ll finally be running Linux? :-)

  19. Sir Henry January 9, 2008 at 6:30 pm #

    At the beginning of the month, I can run whatever OS I want. ;)

  20. goodpeople January 9, 2008 at 6:38 pm #

    Any openings for a slightly overweight 43 years old IT security teacher?

  21. Sir Henry January 9, 2008 at 6:39 pm #

    I am sure that, given your experience and knowledge, there would be some opportunities. I will have to check their EU openings.

  22. goodpeople January 9, 2008 at 7:17 pm #

    @Sir Henry,

    Nah, don’t bother..for now. I guess I’m a spoilt brat with 12 weeks payed vacation per year..

  23. eM3rC February 7, 2008 at 2:46 am #

    Congratulations on the new job Sir Henry!

    Hope it goes well for you!