
At the beginning of the month, there was a lot of discussion when a new botnet was discovered that claimed to be bigger and more dangerous than Storm Worm: the Kraken botnet. But soon afterwards the discussion fell silent, as all attention went back to Storm Worm and its video-codec spam wave. So, how is Kraken doing today? Quite well, it seems. Here is some news from Threatexpert.com:
A new variant of Kraken/Bobax bot, first seen in the wild on 14th April 2008, seems to be gaining a bit of power: over the last week-end, our ThreatExpert system has received around 50 unique samples of it, and we're still getting them at the same pace - 20-25 new samples a day.
...
In some way, we may call this new feature of the bot an "Artificial English Word Generator", that follows English grammar rules and produces words that look like most other words. For example, compare "confusulent" or "pritation" with something like "ktjptrca".
What is it for? Probably, to evade SPAM filters, or any other algorithms that can distinguish a random word by locating weird or non-common combinations of characters. If no rule or algorithm can be built to distinguish such a word, then it cannot be detected, and therefore, blocked.
The bot constructs an HTTP package with the encrypted contents that is MIME-encoded and is presented as a random MIME-type archive in the HTTP header.
Kraken/Bobax POSTs that HTTP package to its C&C servers (with the pseudo-random URLs), thus making it non-trivial to detect and block such traffic, as not much is left to "hook" in it.
...
As demonstrated above, the new factor of "randomness" in this bot makes it extremely dangerous considering how serious its effort is in concealing its traffic in order to flow with no obstruction imposed by the firewalls.
The backdoor component is left intact in the new variant - its code was copy-and-pasted from the previous variant: the same commands, the same responses.
The SPAM engine and the email collector module are also identical to the previous variant.
Virustotal.com results are not very good considering only 9 out of 32 AV scanners (28.12%) can detect this threat, among which only two can actually identify this threat explicitly.
Read the full report.
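The report's claim that a "weird combination of characters" rule separates "ktjptrca" from English but not from "confusulent" or "pritation" can be checked with a small character-bigram scorer; this is an added illustration, not code from ThreatExpert or the blog. The training corpus is a constructed toy list of English words and the 0.25 unseen-bigram threshold is an assumed setting.

```python
import math
from collections import Counter

# Constructed toy corpus of English words; a real detector would train on a
# full dictionary. Markers: "^" = start of word, "$" = end of word.
CORPUS = [
    "confuse", "confusion", "station", "nation", "private", "print",
    "result", "insulin", "excellent", "silent", "content", "capture",
    "search", "captain", "attention", "fusion", "usual", "rule",
    "circle", "tribute", "culture", "position", "relation", "consult",
]
ALPHABET_SIZE = 27  # a-z plus the end marker "$"


def bigrams(word):
    """Character pairs of a word, including the start and end markers."""
    w = "^" + word.lower() + "$"
    return [w[i:i + 2] for i in range(len(w) - 1)]


# Train: how often each bigram occurs, and how often each first letter occurs.
PAIR_COUNTS = Counter(b for w in CORPUS for b in bigrams(w))
CONTEXT_COUNTS = Counter(b[0] for w in CORPUS for b in bigrams(w))


def unseen_fraction(word):
    """Share of the word's bigrams never observed in the training corpus."""
    bg = bigrams(word)
    return sum(1 for b in bg if PAIR_COUNTS[b] == 0) / len(bg)


def mean_logprob(word):
    """Average log P(next char | previous char) with add-one smoothing."""
    bg = bigrams(word)
    total = 0.0
    for b in bg:
        p = (PAIR_COUNTS[b] + 1) / (CONTEXT_COUNTS[b[0]] + ALPHABET_SIZE)
        total += math.log(p)
    return total / len(bg)


def looks_random(word, max_unseen=0.25):
    """Naive 'weird character combination' rule; threshold is an assumed value."""
    return unseen_fraction(word) > max_unseen


if __name__ == "__main__":
    for w in ("ktjptrca", "confusulent", "pritation"):
        print(f"{w:12s} unseen={unseen_fraction(w):.2f} "
              f"logprob={mean_logprob(w):.2f} random={looks_random(w)}")
```

"ktjptrca" has five of nine bigrams never seen in English and is flagged, while the two generated words contain only common bigrams and pass, which is why such words have to be caught by dictionary lookup or by signals outside the word itself rather than by character-pattern rules.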