We wrote a while back about a new wave of sophisticated botnets which were predicted to overtake Storm and become the largest infectors online.
It seems that has come true: after extensive research, Damballa has uncovered the biggest botnet ever, which at present has over 400,000 unique IPs (observed in a space of only 24 hours), more than double that of Storm.
Imagine the kind of traffic that could produce in a concentrated DDoS attack?
Researchers have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network.
Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that’s at the heart of “Kraken,” the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware. Just as a con artist might throw off detectives by changing his hair color or other physical characteristics, Kraken’s ability to morph its code base has allowed it to evade the majority of malware detectors.
“Kraken, despite being on all these people’s computers, has such low anti-virus coverage,” said Paul Royal, principal researcher at Atlanta-based Damballa. “Anti-virus companies can’t keep up with the arms race because of the number of variants and the frequency of the updates.”
It’s a sad fact that only 20% of AV products actually detect the malware component of the infection. Kraken morphs its codebase, which certainly makes it more difficult to recognise. It’s also frequently updated and seems to evade even the more advanced security protection that companies use, such as firewalls with AV capability, IDS and IPS.
Kraken’s primary activity is sending spam that advertises high-interest loans, male-enhancement techniques, fake designer watches and gambling opportunities. Damballa has observed as many as 500,000 pieces of junk mail being sent from a single zombie.
Estimates have varied wildly for the number of bots belonging to the Storm network. While some researchers have said millions of machines have been compromised, MessageLabs in February put the number of nodes at just 85,000. Whatever the number – Damballa estimates Storm has 200,000 victims – it was believed to be the biggest.
Until now, that is. It has clearly been eclipsed by Kraken, which on March 25 was observed to have compromised 409,912 unique IP addresses during a 24-hour period. Royal predicted the number will grow to more than 600,000 in the next two weeks.
It’s sending out a scary amount of spam: with up to 500,000 messages being sent from a single IP and 400,000 unique IPs in the network, that’s a hell of a lot of junk mail that can go out in one day.
It seems the people behind this have a lot to gain financially, so they are getting more and more advanced. More for us to fight against, eh?
Source: The Register
zupakomputer says
How does that actually hijack someone’s IP? I’d thought initially it being a worm it was stealing bandwidth and using something like a torrent or share to distribute the spam mails; is it actually setting up a mailing client in the infected computers?
How come the network monitors aren’t seeing all those outgoing packets & increase in bandwidth usage, or did they notice and that’s how it’s been caught in the act?
fever says
it hijacks the computer itself, not the ip only. using the computer to send the spam mail, and spread itself.
net admins have got a lot of computers to watch and one or two users increasing their usage might not be of particular concern to them. as far as one could tell by just glancing at it, it is a mere increase in usage and nothing more. that is what it is designed to appear to be, you would have to start reading packets in order to figure out what is going on.
James C says
For another point of view http://www.sophos.com/security/blog/2008/04/1278.html and here too http://isc.sans.org/diary.html?storyid=4250#comment
zupakomputer says
I don’t know, I’d feel like a terrible admin if someone suddenly began sending 500,000 emails and I put it down to a mere increase in usage.
There’s got to be a great backstory to this whole area; I’m just after deleting a spam mail that promised ‘hard to get meds’ in its subject line – I actually looked at it, and all it said was something like ‘you can increase your PE’ then linked a blog; now, I’ve read about one of these before, and the link in it (meant to be selling prescription pills, the one area of spam mails that’d actually interest me, except none of those sites sell the pills / meds I’m interested to buy anyway..) didn’t even exist.
I’m so interested in how genius coders manage to pair up with what can only be described as the world’s lamest brains.
James, cheers for the link, I will give that a read.
zupakomputer says
Damn, turns out it’s one of those bad-java sites that shows up blank (header graphic is ok, but zero text and scrollbars locked / frames unusable) here.
I’ve had a few of those over the weeks; they should use the W3C error-checker before rolling out their sites.
James C says
There’s no Java or frames on that page!
zupakomputer says
Sorry – javascript. I always shorten it & forget they’re different. By frames I mean when they put text controlled by dodgy javascript inside of some graphical box (frame).
James C says
That page passes the W3C validation test http://validator.w3.org/check?uri=http%3A%2F%2Fwww.sophos.com%2Fsecurity%2Fblog%2F2008%2F04%2F1278.html&charset=%28detect+automatically%29&doctype=Inline&group=0&verbose=1
zupakomputer says
That’d be a first, I’ll have a look.
How did you edit your previous response to include the second link?
zupakomputer says
It does indeed pass – but it still doesn’t show up properly. First time I’ve seen one of those pass the validator. They usually show up as having literally hundreds of errors when there’s funny javascript.
Not sure why it isn’t showing up, the page source shows the text ok & it doesn’t seem to have the page stored in more than one location (eg the header validates as ok, but the rest of the page is actually a different url/i).
James C says
@zupakomputer
When I forget something in a post I just make another post, and Darknet, being ever helpful, will merge the two.
zupakomputer says
Hoooooooo-K.
Darknet: how do you know what posts he wants merged and what are intended as different posts?
J. Lion says
How does one test if a machine has been infected? Does AV do that?
zupakomputer says
If AV flagged it then I guess it wouldn’t be a problem. Maybe people find out their IP is hijacked once they get 1000s of irate replies calling them for everything because they sent out spam, or they get pinged to death by angry spam-recipients.
fever says
so hard to tell. according to some experts half of the computers connected to the internet are infected with bots of some sort so the average user probably won’t know unless something is obviously wrong. my dsl modem has activity lights on the front which allows me to sort of monitor activity on my connection (lights blink with activity) so if i am not doing anything on the internet at all and the lights are going nuts then i know that there is something fishy going on. i suppose not everybody pays attention to this kind of thing though.
everybody should keep comps up to date in order to reduce the number of vulnerabilities through which an attacker might infect your machine with a bot. use av and anti spam software in conjunction with a very good firewall. this is about all one can really do to keep a computer safe in the wilds of the internet today.
Bogwitch says
@J. Lion
If the machine is infected before the AV has a detection for it, it will either hide itself from the AV, rootkit style, possibly disabling the AV altogether or even subverting the DNS or HOSTS file to point the update subroutine to a different or non-existent site.
Naturally, if the AV has a detection rule for the malware at the point of download, it should prevent its execution. The problem is that a lot of the malware being distributed, more so for the malware that is created for the super botnets such as Storm, etc, is that it has some polymorphic capability making it much harder for AV companies to keep signatures up to date.
@zupakomputer
Do spam recipients really moan to the originating IP address? For a home computer, would the owner be running their own SMTP server to receive such complaint email? The most you’re likely to be able to do would be to complain to the users’ ISP and do they give a toss? Pinging them to death isn’t going to achieve much – most are on dynamic IP addresses and therefore will simply disconnect-reconnect, get a new IP address and then some poor innocent gets pinged!
@fever
I’ve fixed many, many infected computers. Most users are not even aware there is a problem unless there is some kind of inconvenience to them, usually a nagging ‘Your computer is infected, download this product to fix it!!!’ type of stuff. The only other time a user is aware there is a problem is when their system is so choc full of kak that it is actually slowing things down. Many users will accept a degree of slowdown, stating ‘It’s Windows’. Many systems have huge amounts of memory, a lot of it wasted on a ‘standard’ user that they can host quite a bit of malware without affecting their performance too much.
My router sits under my settee, I can’t see the lights. I have a graphical bandwidth meter on my Windows desktop to monitor activity. It’s not foolproof but very little is. I have anti-virus, anti-spyware, I don’t have anti-spam, I have other methods of dealing with spam.
What would you define as a ‘very good firewall’?
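Bogwitch’s point about malware pinning the AV update hostname in the HOSTS file is easy to check for. The script below is an added example, not code from the original post or from any vendor: the protected hostnames, the tampered HOSTS contents and the `.test` names are all constructed for illustration, and a real check would read the hosts file from disk (`%SystemRoot%\System32\drivers\etc\hosts` on Windows, `/etc/hosts` elsewhere).

```python
"""Flag HOSTS entries that blackhole or redirect security-update hostnames.
Added example; hostnames and sample file contents are constructed."""
import ipaddress
import re

# Hypothetical update hosts to protect; substitute your own vendors' names.
PROTECTED_HOSTS = {
    "update.example-av.test",
    "liveupdate.example-av.test",
    "windowsupdate.example.test",
}

# Constructed sample HOSTS file: two benign entries and two tampered ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# tampered: update checks go nowhere, so the AV never gets new signatures
127.0.0.1       update.example-av.test
# tampered: update checks go to a third-party host (RFC 5737 test address)
192.0.2.44      liveupdate.example-av.test   # constructed
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # malformed address, skip
        for host in parts[1:]:
            yield ip, host.lower()


def find_hijacked(text, protected=PROTECTED_HOSTS):
    """Return {hostname: (ip, reason)} for protected names pinned in HOSTS.
    Vendors serve updates via DNS, so any static entry is suspicious; the
    reason distinguishes a blackhole from a redirect to another server."""
    findings = {}
    for ip, host in parse_hosts(text):
        if host not in protected:
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = "blackholed (updates silently fail)"
        else:
            reason = "redirected to %s (possible fake update server)" % ip
        findings[host] = (str(ip), reason)
    return findings


if __name__ == "__main__":
    for host, (ip, why) in find_hijacked(SAMPLE_HOSTS).items():
        print("%-30s -> %-12s %s" % (host, ip, why))
```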
zupakomputer says
I was going on what the reports said about these trojan programs using networks they hijacked to mail out spam;
true, they may indeed also mask the networks they are using, in which case the originating IP will show up as spoofed anyway, so your hate-mail gets returned to you then! ‘undeliverable’
Home users often do have dynamic IPs, but from the reports this infector seems to be taking over whole networks, so they likely have mail servers in place already (I presume it is using those?) as well as dedicated IP blocks internally, their servers have static IPs, and usually they’d have static IP gateways.
I’m not sure if they would bother using a home machine to send out that amount of mails? Maybe they would, it’s just that without a dedicated mail server, how do they send the e-mails without the clients mail composer being activated (outlook express or whatever equivalent)?
To beat the polymorphing, a firewall or bg scanner is going to have to be monitoring bg processes. It should know what ones are required, and flag anything that shouldn’t be there running.
As long as logs are kept, it should also be easy enough to match up the date the unwanted process / exe was installed, with what was downloaded at that time match, and where it came from.
If it’s altered the likes of its installation stamps then it’s a bit trickier to identify – but still, a good bg scanner would be able to tell you when it was first id’d so you could go from that time and check the logs.
Also, a good firewall should be monitoring any downloads from the internet, so it should also flag you when you are downloading anything anyway.
I think cookies and the likes (dodgy adverts for example) are getting around some of the security measures. I’ve noticed many a time that (because I flag cookies that I haven’t invoked by way of signing up for something) when I want to sign up for something I obviously have to let this browser know I am ok taking cookies off that site – however, I get loads of cookies from other sites and I never told it they were ok. They just bypass the settings…..whereas like I said, I know the settings work because I have to tell it to accept cookies for sites I want to have an account at, or it doesn’t accept them!
(as an aside, one reason I’m not keen on automated registry & web history type cleaners is that they delete all cookies……it’s a very good security idea to retain cookies that stamp you as the account creator and verifier. And because it’s also easier now to have your browser settings portable (via a pendrive etc) it means that you’re not even limited to being on the same computer in terms of verifying yourself as the same continuous user of accounts you log into.)
Bogwitch says
Whether static or dynamic IPs are in use is pretty much a moot point, as you say, it is possible to obfuscate the point of origin anyway.
When you think about the average home user installation, you’ll see an outbound bandwidth of, generally, 256k. That’s a fair amount of spam squirting out from a machine. The spammer doesn’t much care if the affected system is a home machine or a corporate system, it all adds to their spam-net. As for the mail client/ server, trojans that spam generally have a simple SMTP engine built into them therefore negating the need to discover the IP address of the system’s associated SMTP server.
You mention process monitoring. For security/ system aware folks that’s all fine and dandy but I’ll bet your average user wouldn’t have a clue what should and shouldn’t be running. You can look at the processes but with a MS Windows machine for example, you can have a genuine process that has a malicious DLL attached that is doing the dirty. That isn’t going to jump out at anyone but the most proficient admin!
A software firewall monitoring your inbound AND outbound connections can be useful but also gives a potential attacker another point of attack, after all, it is likely to be running with full system privs and hooked into the TCP stack.
A separate firewall will be hard pushed to differentiate between legitimate traffic and malicious traffic.
As for cookies, I haven’t found a problem with cookies. I allow cookies for the sites I trust/ need and block the rest. There is a slight PITA associated but it’s a fairly simple risk vs. benefit calculation.
fever says
i would define a good firewall as one that offers users the ability to choose the software that is allowed to access the internet. (personally i use zonealarm firewall from checkpoint it offers complete listing of all programs that try to or have tried to access the internet. it will even kill a process before it gets a chance to start. which can be very useful with a very determined program.) complete rejection of all others or trust levels you can set yourself.
Bogwitch says
I am not a fan of ZoneAlarm. I was put off the software a long time ago. Back in the days of Windows 95 (I was using 95 although 98 was out) I had a Linux dial-up box (that long ago!) with a Win95 box behind that.
I configured ZA with the ‘I’m on a network’ option and told it not to check for updates.
On reboot, just after supplying my username/ password, there was some activity on my hub and the system hung for 60 seconds before allowing me in. Further investigation revealed that there was an encrypted packet trying to get out onto the Internet. It hung the machine because my Linux box was disconnected at the time and no response was received. If the Linux box was connected the login was as rapid as it was before. I have no idea what was in the packet as it was encrypted but all I had supplied was my logon credentials…
I removed ZA and changed my password. I have never installed ZA since.
I have played with software firewalls, I was particularly keen on AtGuard and was sad to see it being sold to Norton. Now, I have no software firewall. On the off chance that my Windows machine picks something up, I have a bandwidth meter to give me an immediate indication that something bad is happening but I don’t do dangerous things with my Windows box, that’s what Linux is for.
Pantagruel says
With Bogwitch.
The software firewalls for windows (XP/Vista) have never been my favored options, mainly due to software incompatibility or stupid little network troubles (they simply block the most basic stuff and will send you on a wild goose chase to solve the problem).
Like Bogwitch I employ a dedicated linux firewall, you could argue it’s just another ‘software’ firewall but it definitely works better than the likes of ZA.
Darknet says
‘Desktop’ firewalls and a linux box at your gateway onto the net are two totally different things addressing totally different issues. The linux box is an ingress filter, it doesn’t know what application is doing what – it works on ports and packets only. The software firewall is an egress filter and can filter by application on the top layer of the ISO stack, ideally you should have both…the linux box won’t stop your machine sending out tonnes of spam. The software/desktop firewall will – check out Outpost.
Bogwitch says
Hehe – I should have made myself clearer. :)
I use Linux as a client for surfing to the more dangerous areas. Like I said, AtGuard was the best of breed software firewall for me. I have yet to find a software firewall that matches it for functionality OR smallness of memory footprint.
zupakomputer says
Agreed that everyday users aren’t likely to know much about what processes should and shouldn’t be running, but that’s what apps address anyway when they’re bg scanners and firewall packages.
If something has gotten in already and installed itself, then it’s possible it will be able to hide even from process scans – but if the system is being properly monitored to begin with then the initial attempt by the trojan rootkit etc to install itself will be noticed, because it will need to either just install, or it begins to alter the core kernel settings so it is not monitored once it’s installed.
Another thing that could be useful is to have a system resources display, that shows percentages of resources used per process – then you can compare those in total to the overall resources used. If it’s significantly higher use for overall than the known processes total, then you have hidden processes running.
Again – if these are in packaged apps then it’s up to the coders and interface designers to be specific about the basic settings and configurations, if their target customers are folks that aren’t interested in having to read a whole book just to secure their system.
I don’t know that a firewall can’t tell the difference between unwarranted downloads or not? That’s not very difficult to spot. In general, if it’s not from the same url (and its IP) you’re visiting then it shouldn’t allow it (that should include ads and links on the page!), also even if it is from that url it should flag it prior to download.
Rogue packets can be spotted that way too, because they won’t cohere with the legit website’s packet numbering;
related to that would be more of what I’d meant about how cookies can be a way in – some of them are pretty large, and even ones that aren’t can combine in various ways (depending on what they are written to do) once they are in.
I’m not too up on how an individual machine can be hijacked to mail out spam, without invoking a mailer client of some kind (which means a bg or obvious process has to run). Other than using bandwidth from it, in which case the mail isn’t actually coming from the IP or the machine itself, it’s that the machine has become part of a zombie botnet that is sharing its bandwidth with the spammers’ mail servers.
But with this Kraken one it’s saying the network’s IPs are being used to mail the spam out – isn’t the point there that it needs to use IPs that are recognised as legit, that’s how its spam gets through the filters.
Darknet says
zupak the mail is sent from a simple smtp server process on the client machine, most likely hidden from any process view programs by normal rootkit behaviour. This is exactly the reason why many corporate mail servers don’t accept mail from dynamic IP address pools. The mail is sent directly from the machine for exactly that reason too, to avoid black lists on IP addresses known for sending spam, if the spammers used a centralised mail service it would be easily blocked. By infecting random machines and chopping up batches and sending them from each the mails are coming from a variety of smtp servers.
My favourite firewall ever was Conseal back in the Win98 days, it was excellent!
zupakomputer says
lol, zupak, makes me sound like a hip-hop star :-p
Do they know if the SMTP server uses any ports outgoing, or does it always use the SMTP port?
Why not have a system that blocks outgoing mail by protocol (and port), and only accept it when/if you happen to use that protocol to do any mailings; then you can still accept incoming SMTP or any other mail types.
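Darknet’s explanation (a bot’s built-in SMTP engine delivers straight from the infected host) and zupakomputer’s port-based egress block above point to the same network-side check: an ordinary workstation only ever talks SMTP to the site’s relay, while a spam engine opens port 25 to many outside mail servers. The script below is an added example, not code from the original post or from Damballa; the address space, relay address, threshold and flow records are all constructed for illustration.

```python
"""Flag internal hosts opening SMTP to many external mail servers, bypassing
the sanctioned relay.  Added example; network layout and flows are constructed."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed site address space
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")      # assumed sanctioned relay
SMTP_PORTS = {25, 465, 587}
# A mail client talks only to the relay; a spam engine fans out to many MX
# hosts.  The distinct-host threshold is an assumed tuning knob.
DISTINCT_MX_THRESHOLD = 3

# Constructed flow log, one record per line: "timestamp src_ip dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
2008-04-08T09:00:01 10.0.1.17 10.0.0.25 25 4120
2008-04-08T09:00:03 10.0.1.17 198.51.100.8 443 9021
2008-04-08T09:01:10 10.0.1.42 203.0.113.10 25 3900
2008-04-08T09:01:11 10.0.1.42 203.0.113.11 25 3890
2008-04-08T09:01:12 10.0.1.42 203.0.113.12 25 4010
2008-04-08T09:01:13 10.0.1.42 203.0.113.13 25 3950
2008-04-08T09:01:15 10.0.1.42 203.0.113.14 587 4005
2008-04-08T09:02:00 10.0.0.25 203.0.113.10 25 4120
2008-04-08T09:02:30 10.0.1.99 203.0.113.20 25 3800
"""


def parse_flows(text):
    """Yield (src, dst, dport, nbytes) tuples; malformed records are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            yield (ipaddress.ip_address(fields[1]), ipaddress.ip_address(fields[2]),
                   int(fields[3]), int(fields[4]))
        except ValueError:
            continue


def find_direct_smtp_senders(text, threshold=DISTINCT_MX_THRESHOLD):
    """Return {src_ip: (distinct_external_hosts, total_bytes)} for internal
    hosts, other than the relay, that opened SMTP to >= threshold outside hosts."""
    targets = defaultdict(set)
    volume = defaultdict(int)
    for src, dst, dport, nbytes in parse_flows(text):
        if src not in INTERNAL_NET or src == MAIL_RELAY:
            continue                      # the relay is allowed to talk to the world
        if dst in INTERNAL_NET or dport not in SMTP_PORTS:
            continue                      # internal mail or non-SMTP traffic
        targets[src].add(dst)
        volume[src] += nbytes
    return {str(src): (len(dsts), volume[src])
            for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, (count, nbytes) in sorted(find_direct_smtp_senders(SAMPLE_FLOWS).items()):
        print("%s: direct SMTP to %d external hosts, %d bytes" % (host, count, nbytes))
```

The same rule written as a firewall policy (allow TCP/25 out only from the relay, log and drop the rest) is the egress block zupakomputer describes; the script is the detection half, useful where the block is not yet in place.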
fever says
@ Bogwitch
Thanks for the input on fwalls
However,
ZA has advanced significantly since the 95 and 98 days (you know 10 years) i would suggest you give it a second chance. it has saved me on more than one occasion. granted it isn’t perfect but no fwall is, there is always a way around, it’s pretty close though.
zupakomputer says
Does anyone else think it’s funny there’s a Kraken vs Damballa theme here? Cthulhu vs Giga Cobra…..it’s like a Stomp Tokyo! movie.