Move over Storm - there's a bigger, stealthier botnet in town

This story was updated to correct information about detection of Kraken. 20 percent of PCs using anti-virus products detect the malware, not 20 percent of anti-virus products, as erroneously reported earlier. Researchers have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more …

COMMENTS


  1. Ash
    Alert

    "disguised as an image file"

    So, it relies on a bug in an image decoder to run? Does it pretend to link to a hosted image, but redirect to an executable? Is it a "Ch3ck ou7 my h0t scr33ns4v3r p1kturez!11" link with a .scr file?

    Something that's interested me is if these malformed image files actually display an image.

  2. Neil

    Which one

    So which anti-virus product DOES detect and remove it?

  3. Anonymous Coward

    @Ash

    I think it's more of an image.jpg.exe thang.

  4. Mat Diss

    ISP's could help?

    Surely sending a large amount of spam mail from an infected machine generates an abnormal amount of upload traffic for the average connection.

    If the ISP's could monitor the upload traffic and warn users whose traffic exceeds normal use, then at least the user might be alerted to the fact that something is running that shouldn't be. Most of the time, no one would notice that upload traffic was being generated.

    Let the flames begin....

  5. Anonymous Coward

    Surely...

    >> "It raises the question of whether this basically has been authored specifically with anti-virus evasion in mind," Royal added.

    Err, wouldn't that normally be the case with these things?

    Hardly any point, unless these people take some effort not to get caught, surely?

  6. lennie
    Thumb Down

    useless!!!

    so which os is being compromised? is it OS specific? is it XP, vista, or both? is macs in the mix too? how bout linux? which AV detects the worm? which doesn't? without bits of info like that this article is virtually useless.

  7. Anonymous Coward

    And OS affected

    Or perhaps several.

  8. Anonymous Coward
    Dead Vulture

    @Ash

    Yes, it's usually a photo of a chick using an Asus Eee PC on the beach.

  9. Pete Mallam
    Pirate

    Particularly nasty beast too...

    I had this appear on a customer's site. The first indicator was Symantec advising the user that an email he was trying to send was rejected... Okay, so we're looking at an impossible stream of these alerts! I had to kill the alerter service just so I could look at the machine. A multitude of SMTP connections could be seen in Netstat.

    Following that, 2 AV products failed to identify it, though one could tell something was in memory. Post reboot, back it comes.

    In the end, AVG was successful in identifying and eradicating it... But in being plenty cautious I rebuilt the machine and pointed the user in the direction of AVG as this seemed to be the only thing that was able to detect it.

    Nasty wee beastie! I can see how this is a huge botnet... The SMTP connections simply hammer the network connection and although there are no entries in Task Manager, the effect on both the AV and the system caused by it are noticeable.

  10. Joel

    ISP's could help?

    "If the ISP's could monitor the upload traffic and warn users whose traffic exceeds normal use, then at least the user might be alerted to the fact that something is running that shouldn't be"

    The only problem with this is that the majority of users would not have any idea how to deal with the problem, or even understand that there is a problem.

  11. Anonymous Coward
    Linux

    "Evading security used by enterprise"

    ... well that is not all that hard to be honest.

    I am 'privileged' user on most commercial networks i work with (due to being contract staff). Often i will not have admin rights on the machine, so soon enough this is enabled to help me install development tools etc.

    This approach makes a big fat hole in enterprise security.

    Today i had to roll back IE7 to IE6 (as this company does not plan to upgrade for at least 12 months), and Kaspersky told me every time it was trying to remove a reg entry, with an allow or deny option.

    This was pointless as i could only click allow 1000 times. Instead i turned off Kaspersky as i did not have rights to configure reg alerts.

    SO... until the whole user permission thing is sorted on windows PCs and networks, then there is very little "canonical defense techniques that the enterprises use".

  12. Anonymous Coward
    Pirate

    Re: ISP's could help?

    I used to work with broadband and people would raise faults of slow connection. Checking the amount of data in and out would sometimes show a lot more out than in. Based on the premise that many people don't keep up their anti-virus subs or even update from time to time - the machine said it was protected when they bought it, what's the problem - there was a possibility that their machine was being rather busy behind their backs.

    I'd always ask the ISP's to find out (tactfully) if their customers were aware of this and hopefully the ISP would advise them on best practice.

    Oddly enough, those a little higher up the food chain than me thought it was nonsense despite being shown stuff about botnets and DoS attacks and the like.

    But then, I'm not an expert, so I know f#@k all.

  13. Anonymous Coward
    Boffin

    Enterprise security

    "It should be caught by IDSes, IPSes and firewalls and it's not."

    Enterprise sized companies only run this stuff on their servers. Not desktops.

    Desktop machines are usually locked down using Windows 'policies' which stops most updates to the registry - although often this is done so crudely so that a large chunk of users have to get 'admin' rights enabled on their machine for their applications to work correctly (see Jeremy's comment above) which nullifies most defenses.

  14. Gordon Fecyk
    Gates Halo

    Authored with AV evasion in mind... well, duh.

    "It raises the question of whether this basically has been authored specifically with anti-virus evasion in mind."

    Thank-you, Captain Obvious.

    Need I say how my clients evaded this thing long before the fact? How do I know? I've seen this kind of footprint on a firewall log from some non-client's network and I don't see it on any of my clients' networks.

  15. b shubin
    Boffin

    Canonical defense

    two options immediately occur (other than removing the user and automating their job).

    [1] deploy thin clients that allow no installs and a limited range of whitelisted applications; clients have no local storage, boot off a remote image only (95% of the staff in corporate will be just fine doing their jobs, as long as the needed apps are available).

    [2] use the Canonical defense: switch to Ubuntu (or Edubuntu, if you want to combine [1] with [2]), and deny users sudo privs.

    otherwise, it's only a matter of time before Kraken (or similar) gets you.

  16. Anonymous Coward
    Flame

    It's not on my Macs or Solaris Box

    But that's rather obvious.

    To all the people running Windows PCs and especially those using Internet Explorer, I salute you. (Please please keep visiting dodgy sites, clicking on links and downloading stuff; read all e-mails in Outlook and Outlook Express and accept all attachments.)

  17. Sean M

    More details

    Unlike Storm and Nugache, the Kraken botnet does not use a peer-to-peer architecture. The code includes a list of domains in which the C&C server might be located, and once a new machine is infected it begins looking through that list to find the current location.

    The Kraken code arrives in a file disguised to look like a typical image file, such as a JPEG or a PNG, but with a hidden extension of .exe

    I believe this means that only Windows is affected.

    Damballa plans to publish a subset of the list of infected IP addresses it has seen within the next week or so. Damballa also plan to reveal more details at the RSA conference in San Francisco, which started today.

  18. Anon Koward
    Alert

    @ Jeremy "Evading security used by enterprise"

    Typical Enterprise Security has a number of respective layers, the more business critical the system, (or higher risk such as public facing kiosks etc) the higher the respective security with an internal user's desktop being near the tail end. (broad generalisation and not always the case)

    Furthermore as a developer most IT support/operations/administrations departments will generally allow full access on a PC as it is the path of least resistance, the better approach is to either completely sandbox dev environments and PC's with a staged release into prod environments (for both PC's and servers)

    Last point, if this utilises SMTP connectivity back out I would have expected most corporate firewalls to block outgoing SMTP from desktops?

  19. Anonymous Coward
    Alert

    re: Canonical defense

    thin clients only solve the problem if ur locked down

    - server (for example eliminate user writeable and executable directories, access to run perl and similar etc etc)

    - clients (as above + usb disable except for mouse/keyboard, vlan, bios etc etc)

    Ubuntu still needs locked down....(not my personal fav either)

    What we need is:

    1. monitor outbound traffic - do all machines really need direct outbound access (not via a proxy) and if so on all ports?

    2. Can you believe ISPs still aren't using Spamhaus or equivalent - either for inbound mail or checking (and limiting access if part of a botnet) their own customer netblocks.

    3. Edu-marketing - People need to know NOT to buy from spammers.

  20. Christoph

    Can't they detect the outgoing?

    Why are the firewalls that the big corporates run not noticing those huge numbers of outgoing SMTP connections and screaming to the sysops?

  21. Brian Miller

    Monitor the traffic, spot the problem

    Once upon a time I wrote a small, effective Perl script to monitor network traffic. It captured activity for everything and printed out a nice little report. Took less than 50 lines to do it. I could see everything everyone did, and nothing could escape my notice.

    Why aren't the companies monitoring their network traffic??

  22. RW
    Heart

    What's needed is canonical intelligence

    So this botnet exists thanks to listings of img.jpg.exe not showing the extensions. Now, let's see...what large software company thought that one up? And how long ago? And now that it's proven to be a source of problems over and over and over again, why haven't they changed their sinful ways?

    Ditto for doing the user a favor by auto-executing program files such as the concealed img.jpg.exe.

    Admitting the error of one's ways is "canonical intelligence", a commodity that seems to be in short supply in a certain Seattle suburb. Hubris is the speciality there, it seems.

    Heart, because AV & security companies *love* Redmond for giving them so much lucrative work! Ditto for the spammers; without MS, they'd have to go earn an honest living, I guess.

  23. Gordon Fecyk
    Thumb Down

    @Anon Koward, re: IT people allowing full access (not!)

    "Furthermore as a developer most IT support/operations/administrations departments will generally allow full access on a PC as it is the path of least resistance."

    What products do you develop? I want to pre-emptively add them to the Anti-Windows Catalog so security-thoughtful people can avoid them.

    Developers that make such gross misassumptions contribute to the botnet problem in a big way. They don't let users make the choice to defend themselves.

  24. b shubin
    Pirate

    Uncommon knowledge

    @ Christoph

    because they are not set up for it. many firewalls in corporations are configured to forward any outgoing traffic and allow established connections back in, as a path of least resistance, after repeated flames from management.

    like it or not, that's the way it is.

    the last firewall i administered full-time, allowed no outgoing SMTP connections except between our email server and MessageLabs, but i know what i'm about (and i scared the pants off the management).

    @ Brian Miller

    because they'd have to hire and retain knowledgeable people, whose job it would be to deliver bad news and tell people "no, you can't have the shiny".

    also, because ignorance was once the same as absence of liability, but managers are ignorant, so they haven't realized that THINGS HAVE CHANGED.

  25. Anonymous Coward

    Hidden file extension

    That simple old trick my god have we not gone beyond that yet. An oldie but a goody apparently still works really well.

  26. Richard Kilpatrick
    Jobs Halo

    Darnedest thing

    But I searched everywhere in all the usual and likely places to see the sort of images this might be concealed in, and yet my computer remains uninfected.

    Perhaps Apple will release a Security Update to ensure I can enjoy this functionality in the future.

  27. Christoph

    @ b shubin

    Surely it's possible to tell a firewall to allow a machine to make SMTP connections up to some limit? Anything that's sending tens of thousands of emails (other than specified list servers) triggers an alarm.

  28. phix8
    Flame

    OK not bad but...

    It's not as cool (to hear about, I don't think getting turned in to a zombie by a worm is fun) as the STORM botnet - that has its own featured article on wikipedia. Not only that, but it attacked websites trying to research it, presumably at the guidance of some russian blackhat but some (not me) think it was programmed to do that itself.

    Some people online seem to believe it's alive! Also the upper boundaries on estimates of infected computers for storm is much higher than 400,000 - some think several million - so whose figures do we listen to?

    OH and like most stories about botnets - thanks for not giving us any useful information about knowing if we're infected, knowing what systems it infects or anything to avoid the monster.

    For the record a decapitated-head-of-medusa program should be able to freeze the kraken botnet in its tracks.

  29. James Dean Kirby
    Unhappy

    And this helps because...

    ZOMG!! git duk tape n plstk on ur wndwz, quik! teh intarwebs got alqaada!

    Seriously, other than fanning the flames of panic, how does this help those of us who are in charge of stopping such shenanigans?

    It seems the Reg is becoming less and less of a mag for IT pros and more and more of an Enquirer/Daily Mail rag for anyone who can spell "IT".

  30. Anonymous Coward

    Re: And this helps because...

    James,

    Correct me if I am wrong, but you seem to be putting forward the "oxygen of publicity" argument. We do not subscribe to this point of view. How could we?

    The Register is an IT news site and this is an interesting IT news story, covered elsewhere, I see. I am sure more IT security sites will be joining in as the day goes on.

  31. b shubin
    Boffin

    No need

    @ Christoph

    sure, but why?

    for individuals, if one has ipcop installed (why wouldn't one?), the IDS will flag the anomalous traffic, so no need to screen outgoing to that extent at the firewall (except the desktop sw firewalls on Windows boxes, which should certainly be set up to log, if not block, all manner of stuff, and even rotate the logs, assuming the user or admin is even aware of such things).

    for organizations, the email server is there for email (set up properly, with anti-malware and junk-filtering, and maybe even routing outgoing email through MessageLabs or similar), so why allow outgoing SMTP from clients at all?

  32. Robert Armstrong
    Coat

    So if we turn off the default setting in Windows that hides "well known" extensions?

    I know most do not want to be bothered seeing all those 3 character file extensions that MS Windows versions for many years now turn off by default. Whenever I set-up a PC, I always turned off the default setting that hides the extension allowing exe, doc, png and other fine file extensions to be fully observed. Even then, I had users still click on those attached pictures in email that fascinated them so. I even pointed out to those fine folks that the file they clicked on had .exe in their email client and was contrary to the training and reminders we send out quarterly to all who use our network. Given that the most egregious violators of our simple "Do not click on stuff in email" policy were senior management, I could not follow my manager's recommendation to take them all outside and shoot them although I was very willing to execute his order.

    Back to the bunker for some haggis and single malt, cheers!

  33. b shubin
    Pirate

    And you're what came running

    @ Michael

    my point was that, if one provides technically ignorant people the means to alter their systems, the systems will break; therefore the thin-client solutions or the locked-down installs proposed. this is true of any OS, but is most often seen in Windows environments.

    to be fair, you'd have to read and understand the post. based on your response, this didn't happen for you. when it comes to morons, you really know your subject, or perhaps, yourself.

  34. James Gibbons
    Linux

    EXE attachments

    Our ISP mail provider shut off EXE type attachments a long time ago for both send and receive. Why is ANYONE allowing EXE attachments in this day and age?

    LINUX because it won't run them!

  35. Anonymous Coward

    Re: ISP's could help?

    A former prof. of mine told me that in a previous job w/ a major ISP, he had attended a few upper level management meetings on this subject and that it was ultimately determined that the costs associated with notifying infected customers, and then dealing with the subsequent customer support for it was not worth it to fix the problem.

  36. Anonymous Coward

    @ "Enterprise Security"

    "Enterprise sized companies only run this stuff on their servers. Not desktops."

    I don't know what your operation is like but the operation I work has no sense of humor when it comes to malware.

    application blacklisting & white listing ingress & egress filtering, dedicated probes that monitor traffic flow, antivirus/malware on servers AND desktops, that do periodic scans, dedicated boxes just to monitor incoming and outgoing SMTP traffic.

    It's not fool proof and it does take a lot of work, but the end result is worth it.

    The only caveat is that there is no single bullet solution for every problem, which is what people believe they have...

  37. Daniel B.

    So that's the "I am naked in these pics" worm...

    it's been like 2 or 3 years now, but I've been bombarded every now and then by some people in my contact list (MSN Messenger) with "Check out my pics!" followed by some suspicious-looking zip file.

    I get them in English, Spanish and Portuguese. This last one is a dead giveaway, as not a single person I know talks Portuguese! Sad to say, there are still a looot of people that mindlessly click to download/open these files, and end up being 0wned.

    I'm not surprised this thing has gone on growing, even more so now that chain-letters are being made on powerpoint, further enticing users to "click-and-forget" files...

  38. heystoopid
    Linux

    So

    So tell me what percentage is that again of the multi billion net users again is it?

    The old story of sabre rattling strikes again !

  39. Christoph

    @ b shubin

    Well, quite, they shouldn't allow SMTP from individuals in big firms - but they do, and this malware is using it. If this is because management insist on it so they can send whatever they like when they like and hang security, then it should be possible to set the firewall (or something) to flag when the traffic exceeds what the most pointy-haired manager has ever sent - then you can identify the infected machine.

    Of course it will belong to the top manager, who demands the right to click on whatever he wants however many times he's got infected - but at least you'll know about it.
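The per-host SMTP limit Christoph describes, sketched as an added Python example that is not part of the thread: it counts outbound port-25 connections per internal host in a sliding window and skips approved mail relays. The log format, addresses, limit and function names are constructed assumptions, not any firewall's real output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical one-line-per-connection firewall log format (constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def smtp_anomalies(lines, relays, limit, window=timedelta(minutes=1)):
    """Flag internal hosts whose outbound SMTP rate exceeds `limit` per window.

    `relays` is the set of hosts allowed to speak SMTP to the outside
    (the organisation's own mail server); they are never flagged.
    Lines are assumed to be in time order for each source host.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = defaultdict(int)       # src -> highest count seen in any window
    dests = defaultdict(set)      # src -> distinct destination servers

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "25" or m["src"] in relays:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        # Drop connections that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        peak[m["src"]] = max(peak[m["src"]], len(q))
        dests[m["src"]].add(m["dst"])

    return {
        src: {"peak_per_window": n, "distinct_dests": len(dests[src])}
        for src, n in peak.items()
        if n > limit
    }


def build_sample_log():
    """Constructed sample: one spamming desktop, one relay, one normal desktop."""
    base = datetime(2008, 4, 7, 9, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        # 10.0.0.23: a new mail server every second, typical of a spam bot.
        lines.append(f"{ts} ALLOW TCP 10.0.0.23:{40000 + i} -> 203.0.113.{i + 1}:25")
        # 10.0.0.5: the approved mail relay talking to its smarthost.
        lines.append(f"{ts} ALLOW TCP 10.0.0.5:{50000 + i} -> 198.51.100.10:25")
    ts = (base + timedelta(seconds=40)).isoformat()
    # 10.0.0.41: a desktop with one direct SMTP connection and some web traffic.
    lines.append(f"{ts} ALLOW TCP 10.0.0.41:41000 -> 198.51.100.10:25")
    lines.append(f"{ts} ALLOW TCP 10.0.0.41:41001 -> 198.51.100.20:443")
    return lines


if __name__ == "__main__":
    flagged = smtp_anomalies(build_sample_log(), relays={"10.0.0.5"}, limit=10)
    for host, stats in flagged.items():
        print(host, stats)
```

Setting `limit=0` turns the same function into a report of every desktop that speaks SMTP directly, which matches the stricter policy b shubin describes.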

  40. Anonymous Coward
    Boffin

    @Why aren't the companies monitoring their network traffic??

    Because I will have to kill you if you find out that I'm visiting Care Bears fan forums during my working hours.

  41. Steven Swenson
    Boffin

    Hidden extension isn't the only way.

    Even if you have the extension hiding turned off, it has been revealed that unicode left-to-right and right-to-left control characters' effects are rendered in Vista filenames. I could easily make a [right-to-left]gpj.[left-to-right]hot_picture.exe that would render as hot_picture.exe.jpg, or an s[right-to-left]iva.exe that would render as sexe.avi

    There's good news for Windows users though. It doesn't work on XP.

  42. Anonymous Coward
    Thumb Up

    @Gordon Fecyk

    So what did the 'foot print' look like in the logs?

  43. Anonymous Coward

    Jpeg exploit.

    It can be a number of different exploits. There is an exploit (now patched in XP, but may exist in earlier versions), where you could pad the real extension with lots of spaces, and the OS will recognise the file only as img.jpg, but when executed (which in the sense of picture files is just opening) it will execute the real file contents i.e. the exe although you don't get a picture. There was also a couple of cases with the windows image viewer, where you could (simply speaking) embed an exe at the end of the image, so the user would get the real picture, but opening the image would again execute the program, once more without the user being any wiser.

    >>Royal says he's still trying to figure out how the bot is managing to horn its way on to so many machines, many of which are behind well-fortified networks of some of the world's biggest companies.

    There's nothing to figure out - it is simply that these networks are not as well-fortified as they claim to be! I work in a FTSE 100 company as a programmer for the IT security team and we run an inhouse custom-built firewall that doesn't even let a bit pass through it without it being checked in numerous ways. We even run a custom piece of software that sits on every PC that is connected to the network to ensure that there is next to no chance of an exploit appearing from within the network. Not to say our network is unhackable, but at the moment we've had no successful hacks (that we know about!), fingers crossed it will stay that way!

    According to some of my friends in other large companies in a similar position to my own, the BOFH stories can be quite accurate. The money movers aren't willing to pay for developers or for the good hardware to secure the networks until something goes wrong!
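A defender-side check for the filename disguises discussed in comments 41 and 43 (double extensions, whitespace padding before the real extension, and Unicode direction-override characters), as an added Python example that is not part of the thread. The extension sets, function names and sample filenames are constructed assumptions.

```python
import os
import re
import unicodedata

# Illustrative sets chosen for this example, not an exhaustive policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".avi", ".doc", ".pdf"}

# Unicode characters that change display direction without being visible.
BIDI_CONTROLS = set(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f"                     # LRM, RLM
)


def inspect_name(name):
    """Report the real extension of `name` and any disguise indicators."""
    findings = []

    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control")

    # Remove invisible format characters (Unicode category Cf) to recover
    # the logical character order, which is what decides the file type.
    logical = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")

    # A long run of whitespace can push the real extension out of view.
    if re.search(r"\s{3,}", logical):
        findings.append("whitespace-padding")

    stem, ext = os.path.splitext(logical.strip())
    real_ext = ext.lower()
    inner_ext = os.path.splitext(stem.rstrip())[1].lower()

    # "img.jpg.exe": a harmless-looking extension directly before a runnable one.
    if real_ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
        findings.append("double-extension")

    return {"real_ext": real_ext, "findings": findings}


def triage(names):
    """Return {name: report} for every name with at least one finding."""
    reports = {}
    for name in names:
        report = inspect_name(name)
        if report["findings"]:
            reports[name] = report
    return reports


# Constructed sample attachment names.
SAMPLE_NAMES = [
    "holiday.jpg",                    # plain image name
    "setup.exe",                      # honest executable, not disguised
    "img.jpg.exe",                    # double extension
    "img.jpg" + " " * 40 + ".exe",    # real extension padded out of view
    "s\u202eiva.exe",                 # displays as "sexe.avi" where RLO is rendered
]

if __name__ == "__main__":
    for name, report in triage(SAMPLE_NAMES).items():
        print(repr(name), report)
```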

  44. James O'Shea
    Pirate

    Outgoing connections

    Errm... perhaps I'm missing something, but isn't this sort of thing _exactly_ the sort of thing which is supposed to be blocked by a properly set up firewall? Only certain apps should have permission to make _any_ kind of connection, including SMTP; apps not on the permitted list get blocked. And all desktop OSes I know of (Windows, Macs, Linux distros) _ship_ with some method of monitoring network activity. (On the Mac this is being typed on, that's, well, 'Activity Monitor', if you want the nice GUI interface, 'netstat -a' if you like command lines...) How hard is it to keep track of network activity and _see_ when there's a problem? And, well, if all those SMTP connections are being made, shouldn't someone notice that the machine is, well, _slowing down_ as CPU time is used to process the spam, and that the hard disk is active when it shouldn't be?

    Shouldn't the activities of the botnet zombies be, well, bloody obvious?

  45. Anonymous Coward
    Coat

    Re: ISP's could help?

    ISPs cannot help. They do not earn the amount of money it will cost to provide support to end users.

    The ISPs have the technical means to help and can do it if forced by appropriate legislation. That however, will jack up the prices for broadband by at least 30-50%. Also, our dear parliament critters seem hellbent on nasorectally interfacing with the media moguls instead of actually worrying about the possible effect of worms of this magnitude on security and economy. One day someone in the so called "terrorist organisations" or "rogue states" will manage to take over a botnet of this size and use it to do real damage (like take the inland revenue system offline for a month for example). That is probably the only way to make the idiots sitting under Big Ben sit up and take notice.

    Per-KB pricing on broadband will solve this outright as well. If any worm or infection bites the user in the wallet the user will sort out his security straight away. This once again will indirectly jack up the prices by making the "have nots" abandon broadband and the Internet altogether.

    So as far as the industry is concerned for the time being it is a "lose - lose" situation. There is no economical drive for them to do anything.

    While I would like to help there is no choice but to get me coat here.

  46. Anonymous Coward
    Paris Hilton

    @ Anonymous Coward

    "It should be caught by IDSes, IPSes and firewalls and it's not."

    "Enterprise sized companies only run this stuff on their servers. Not desktops."

    FYI - You're talking utter BS. I definitely would not have you provide IT security for my company!

    Paris - She looks down on you because you're less intelligent.

  47. Anonymous Coward

    Per-KB pricing on broadband

    That'd solve a lot of problems, I blame trading standards for ignoring the "unlimited" deals.

    Surely a virus killer that is set up for checking email will flag an .exe attachment?

  48. Ayrin
    Happy

    male-enhancement techniques

    "male-enhancement techniques"... a wonderful euphemism :D

  49. Trygve Henriksen

    Enterprise sized companies...

    We have around 5000 - 6000 PCs in my organisation...

    They are all locked down tighter than BillG's fashionsense...

    Some of us DO have admin privileges, but then we need to log in with a special account, or preferably use 'Run as...'

    If software or drivers is shown to require 'write privileges' to the Program files folder, special parts of the registry, or God forbid, the Windows System folders during normal running, we PACK THE CRAP UP AND RETURN IT.

    It's not FIT FOR PURPOSE, or even fit for the 'designed for WinBlows' logo someone accidentally slapped on the box...

    Remember Blaster? That fun-loving little program?

    It infected 3(yes 3) of our computers. Two of them were laptops which got the infection while on unsecure home networks, the third was infected by one of the first two.

    The firewall is administered with a simple rule, 'if it isn't needed, it's closed'. (actually, there are multiple firewalls and 'zones' )

    Anti-virus...

    No user can disable the real-time scanner on his PC.

    Email is scanned by a product from another supplier, and of course, dangerous file-types are deleted automatically.

    Websurfing goes through a proxy (http-traffic is only allowed through that proxy) which scans everything, in realtime, for virii and other nastiness.

    Our ISP monitors traffic and alerts us if suspicious traffic is spotted.

    PCs are set up with password-protected screensavers.

    (Not a popular decision, but it was mandated from the top)

  50. Anonymous Coward
    Unhappy

    They make it sound like corporate security is some sort of technological fort knox

    I worked for a placement year doing tech support for the civil service, and every single user of the thousands in our department is given local admin rights on the PC they use, so any time any idiot clicks on omg_look_at_me.jpg.exe expecting the latest celebrity on a beach or their friend with a silly hat on, the program can do whatever the hell they want and we have to go in and clean up the mess.

    Oh, and they refuse to upgrade from IE6 and usually wait around 6 months before "testing" and deploying windows updates, so any kind of new exploit will work on them for ages. It's ridiculous.
