[ad]
We’ve covered quite a few Storm stories – now it seems there is a new player in town, which could possibly the most advanced malware and botnet instigator so far.
It’s also something I’ve predicted before, peer to peer malware networks running without a command and control server, no single point of failure and much more tricky to take down. The guys writing these things are getting smart, random communications, peers drop and reconnect, everything is encrypted..
Dittrich, one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.
“The authors are making these subtle little changes to keep it under the radar, and they’re succeeding,” said Dittrich.
This is the future of malware and it’s not a pretty picture. What it is, is a nightmare: a new breed of malicious software developed, tested and sold by professionals and engineered to change on the fly, adapt to its environment and evade traditional defenses.
It’s definitely going to be interesting watching this one develop and waiting to see what kind of countermeasures come up. Software quality is starting to appear in malware, these are robust and technically competent worms and botnets.
The creators of these Trojans and bots not only have very strong software development and testing skills, but also clearly know how security vendors operate and how to outmaneuver defenses such as antivirus software, IDS and firewalls, experts say. They know that they simply need to alter their code and the messages carrying it in small ways in order to evade signature-based defenses. Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.
It seems like it’s a real cottage industry right now and there are some very talented programmers and security specialists working on these projects.
But then again it’s just like any other industry, where there’s bad there’s good and vice versa..and there is money to be made on both sides of the fence.
Source: SearchSecurity.com
Sir Henry says
This is one of the reasons I stopped reading articles posted on Reddit (not that I will stop reading here, of course); There is a bleak outlook in regard to what is currently going on behind the scenes and only a small portion of the internet population who knows about and understands any of it. I think goodpeople will agree when I say that this is where education about these matters becomes paramount.
In a similar vein (yes, this will remain dichotomous), I once read a question on linkedin about whether to hire “hackers” for your security work. What surprised me was the overwhelming response at how hiring a person who has “hacking skills” is like asking the fox over for tea in the hen house. Such an unfortunate outlook and one wrought with emotional insecurity and a fear for the unknown. My stance is this: In order to fully understand the people who create malware of this calibre, we have think like them and do the things they do. Only then, can we have any sort of chance in creating an offensive to battle such works of intense brilliance. I know, it is a razor thin line and I am certain that thoughts of “The Force” and “The Dark Side” come to ming. The latter is rather apropos, I feel.
I would like to know what others think of the latter ideas.
goodpeople says
Sir Henry,
When I read your first postings here, I immediately realized that you and I would be having some fun discussions here.
I couldn’t agree with you more. As long as we sit back and wait for the next outbreak, we are bound to loose the battle. Only when we are actively developing our software, defenses and mechanisms, do we have a chance to outsmart them.
Sir Henry says
@goodpeople:
I, too, felt the same regarding our discussions. I have found immense intellectual enjoyment and stimulation here.
Trejox says
As a friend of mine would say… “If you want to stop/catch them… Follow The Patterns.” ;)
goodpeople says
@trejox,
Just following the patterns is not good enough. You’ll always be one step behind. We have to get rid of the stance “if it works, don’t fix it”. That might be true for mechanical things, but it’s not good enough for our industry. We have to keep revising our code and programs.
We should strive to get one step ahead of the bad guys.
eM3rC says
I am totally with goodpeople and Sir Henry.
@goodpeople
Even following the pattern might not be the best approach. Although one group of hackers might be caught in their ways of infecting computers or hacking another (new) one might create something completely new (like Nugache) and completely stump white hats.
goodpeople says
@eM3rC,
There will always be challenges. But that doesn’t mean that we can sit back and relax. Maintenance is an ongoing task.
eM3rC says
Back @ goodpeople
Its a never ending battle that will probably be won by neither side. Hopefully the hackers don’t get to far ahead of the white hats.
Sir Henry says
@trejox:
I am going to have to second what goodpeople has stated. Reactionary defenses as a means of security are not going to eliminate the threats and will most certainly not do anything to anticipate the new attacks that are out there. To fight the good fight, people need to anticipate what could potentially happen and form an offensive. Of course, I pity the security engineer who is in charge of that task.
goodpeople says
@Sir Henry,
That is why they pay us the big bucks! :-)
As a teacher I always challenge my students to proof me wrong. I encourage my students to outthink me. My ultimate goal (as should be for every teacher in every field) is for my students to someday be better than I am.
The same principle would apply if I were a software developer. If I had made something, I would want other programmers to look at my code and help me improve it. Constantly!
Good software is never finished. The fact that it works doesn’t mean that it works well, will continue to work well and works well under all circumstances. You can never be sure. That is why I say that software maintenance is an ongoing process. It is never “done”. The only way to stay ahead in this game is to constantly revise the code and not take anything for granted.
eM3rC says
@ goodpeople
I want to have you as a teacher =P
There need to be more teachers like this rather than teaching simply for the money or focusing their course around some test. Its a career and careers should be fun.
goodpeople says
@eM3rC,
That is why they pay ME the big bucks! ;-)
Sir Henry says
They pay me the big bucks, too, but for a different reason. >:)
goodpeople says
@Sir Henry,
uhhm, let me guess.. the Boss’s daughter?
Sir Henry says
Not so much the Boss’s daughter but what he has on his hard drive. ;) Nah, I actually just secured a job as an SE for a well-known PKI/Security company. Actually landed it on Monday, thus my not being around then. I can’t wait to start.
goodpeople says
Then let me be the first one here to concratulate you!
Sir Henry says
Thanks, goodpeople, I am really excited about the new position. My previous (well, current until the end of the month) position was not advertised correctly and my skills were underutilized or blatantly ignored. Talk about a reason to start looking into the internal security. ;)
goodpeople says
So beginning of next month you’ll finally be running Linux? :-)
Sir Henry says
At the beginning of the month, I can run whatever OS I want. ;)
goodpeople says
Any openings for a slightly overweight 43 years old IT security teacher?
Sir Henry says
I am sure that, given your experience and knowledge, there would be some opportunities. I will have to check their EU openings.
goodpeople says
@Sir Henry,
Nah, don’t bother..for now. I guess I’m a spoilt brat with 12 weeks payed vacation per year..
eM3rC says
Congratulations on the new job Sir Henry!
Hope it goes well for you!