Kraken: The biggest, baddest botnet yet

Damballa, an Internet security company has some "not so good news." The title of their article pretty much tells it all: Kraken BotArmy—Twice as Big as Storm; Evades over 80% of Installed Antivirus Software.

At the recent RSA 2008 gathering Damballa, an Internet security company devoted solely to researching botnet technology, is reporting some "not so good news." In the article, "Kraken BotArmy-Twice as Big as Storm; Evades over 80% of Installed Antivirus Software" (pdf) Ashley Vandiver of Damballa explains:

This new BotArmy, named "Kraken," is twice as big as Storm, with over 400,000 distinct victims observed daily as compared to Storm's 200,000 victims. Kraken has gone undetected on 80% of computers with antivirus software installed.

Remember Storm botnets?

For those not familiar with Storm, up until now it had the honor of being the largest and most notorious botnet to date. Experts consider the Storm botnet to be powerful enough to knock entire countries off the Internet. The Wikipedia entry "Storm botnet" gives an accurate accounting of how the Storm Worm -- a trojan horse that spreads through e-mail -- is used to recruit infected computers (zombies) into the Storm botnet. Estimates have the number of zombies to be around 200,000. The Wiki entry also does a nice job of explaining what a botnet is and how it can be such a threat.

Some very sophisticated coding goes into botnet programs. For example, servers controlling the botnet automatically change the software code at pre-determined times to avoid detection by antivirus applications. On top of that, all botnet management traffic is encrypted and uses peer-to-peer control techniques, which make monitoring and disabling the botnet very difficult.

On that same Wiki entry there is a very interesting quote from IBM researcher Joshua Corman:

"This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit. Researchers are still unsure if the botnet's defenses and counter attacks are a form of automation, or manually executed by the system's operators. If you try to attach a debugger, or query sites it's reporting to, it knows and punishes you instantaneously. Over at SecureWorks, a botnet DDoS-ed a researcher."

Kraken builds on Storm

Both Storm and Kraken rely on social engineering to propagate. Damballa believes that the preferred attack venue is to have the malware appear as an image file. When a user attempts to view the file, it's all over. For those wondering if they may be infected, Damballa lists compromised public IP addresses on its Web site and updates the list regularly. If, by chance, you find a public IP address on the list that you are concerned about, Damballa has remediation instructions that explain how to identify the process and remove the malware.

What's different about Kraken?

Instead of using peer-to-peer techniques to control the botnet, Kraken uses command and control (C&C) servers that are located in different parts of the world. Each infected computer has a list of the C&C servers. If the current C&C server is disabled, the zombies check in with the next server on the list. Using this approach eliminates the problem of having a portion of the botnet go down if one of the peers is taken off-line.
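The fallback behaviour just described leaves a trace a defender can look for: a bot whose current C&C server is blocked or down walks on to the next address on its list, so one internal host touches several known C&C addresses in a row, often with denied attempts before an allowed one. The script below is an added example (not Damballa's code or tooling) that runs that check over constructed firewall log lines; the log format, the internal hosts and the watchlist addresses are all placeholders, not Kraken's real infrastructure.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real data): timestamp, source host,
# destination IP and whether the connection was allowed or denied.
SAMPLE_LOG = """\
2008-04-10T09:00:01 src=10.0.5.23 dst=203.0.113.10 action=deny
2008-04-10T09:00:31 src=10.0.5.23 dst=203.0.113.20 action=deny
2008-04-10T09:01:02 src=10.0.5.23 dst=198.51.100.7 action=allow
2008-04-10T09:01:10 src=10.0.5.40 dst=192.0.2.55 action=allow
2008-04-10T09:02:00 src=10.0.5.77 dst=203.0.113.10 action=allow
"""

# Placeholder watchlist of C&C addresses (documentation-range IPs, not Kraken's).
CNC_WATCHLIST = {"203.0.113.10", "203.0.113.20", "198.51.100.7"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_any_contact(events, watchlist):
    """Hosts that reached for any watchlisted address, allowed or denied.
    A denied attempt still reveals the host is trying to check in."""
    return sorted({e["src"] for e in events if e["dst"] in watchlist})


def find_failover_hosts(events, watchlist):
    """Return {src: [dst, ...]} for hosts that contacted two or more distinct
    watchlisted addresses in log order, the pattern a bot produces when it
    fails over from one C&C server on its list to the next."""
    contacts = defaultdict(list)
    for e in events:
        if e["dst"] in watchlist and e["dst"] not in contacts[e["src"]]:
            contacts[e["src"]].append(e["dst"])
    return {src: dsts for src, dsts in contacts.items() if len(dsts) >= 2}
```

Blocking a single C&C address at the perimeter does not stop the host from trying the next one, so the sequence of denied attempts is itself the signal worth alerting on.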

Now the scary stuff

It appears that infected computers don't just belong to what researchers like to call the non-tech-savvy computer users. At last count, 50 Fortune 500 companies have compromised computers. Paul Royal, principal researcher at Damballa, commented that Damballa is trying to figure out how the bot infestation is getting past the perimeter defenses of some of the best-protected networks in the world:

"Somehow, this thing is evading the canonical defense techniques that the enterprises use, such as intrusion detection systems and intrusion prevention systems. It should be caught by IDSes, IPSes and firewalls and it's not."

Final thoughts

For now, it appears that the Kraken botnet is just delivering massive amounts of spam. Damballa claims to have seen some infected machines sending over 500,000 spam messages per day. I do not even want to think about what half a million infected machines sending 500,000 messages per day would do to most anti-spam services.