If you're looking for a good reason why security professionals might want to pool their research about botnets and other cyber threats, look no further than findings released earlier this week about a botnet dubbed Kraken. Zombie hunters at Damballa said they were tracking a new bot army that claimed more than 400,000 infected …
Is Kraken a Bobax mutant?
Kraken looks like Bobax when its sending spam.
Kraken isn't controlled like Bobax.
Could Kraken be a rewrite of Bobax so its controllers can get back into the spam business?
Re: Is Kraken a Bobax mutant?
Likely Kraken is run by whomever ran (past tense) Bobax. The reports are that Bobax was taken over recently and has mostly gone dormant. Perhaps the person who ran it lost control of it - or more to the point lost control of the C&C computers. (I doubt s/he had physical control - just pwned a few servers.) If s/he lost those computers then s/he would have to rebuild - and by necessity use a new C&C.
But then again, I might be full of @#$.
On Kraken and Bobax
What makes a botnet distinct? Look at the available data and decide for yourself
What makes a botnet distinct?
This is a pointless argument unless people agree on what they meant by the question.
The *who* matters because all botnets controlled by a given person will probably be used for similar purposes and perhaps co-ordinated. It's a bit like asking who owns the army, navy and air-force.
The *what* matters because if you are going to fight the botnet you had better have appropriate weaponry. It's a bit like asking whether you'll need bullets, shells or missiles.
Who should care if it is the same, a variant, or different? The important thing is to detect, stop, and remove them. (Or better still stop them getting on the PC in the first place.)
I miss him on all the stories about hundreds of thousands of PCs being zombies...
all the more reason...
...for people to switch to a real operating system (GNU/Linux, one of the BSD's etc) and get off of MS's fisher price quality offerings. Seriously. Windows has been shown time and time again to be about as secure as a gingerbread house.
(in before the MS fanboys start going)Yes, a machine is only as secure as its administrator but a default policy of not allowing users to set weak passwords and using password aging to force them choose new ones on a relatively regular basis is just the first of a few simple steps to securing ones machine. It is a trivial matter to ensure your system isn't running non-essential services (anyone remember Solaris's remote root via telnet exploit a while ago? WHO in there right mind enables a telnet server by default?!) and it's well known that Linux distributions have the fastest patch response time.
Let's face it, Windows is the Swiss Cheese of OS's.
Paris cos even she is harder to penetrate than a Windows box.
Reagrds - all the more reason
"...for people to switch to a real operating system (GNU/Linux, one of the BSD's etc) and get off of MS's fisher price quality offerings"
While I agree to some extent with the above statement I think you'll find that the large majority of these zombied pcs are owned by people that don't have the first clue about security threats, let alone what a botnet it. Asking these people to switch from their old Win98/ME boxes to Fedora 8 or whatever is like asking the school nurse to perform brain surgery (no offence to school nurses intended). It ain't gonna happen. Also, like it or not, a large majority of home user apps are Windows only, especially when it comes down to gaming.
IMHO, education is the only way to reduce the infection rate so people understand the risks involved and what to do if they suspect something is wrong. I use Windows XP (as well as Linux) and yet my machine isn't part of a botnet nor is it infected with viruses. I'd argue that's because I know how to secure the system and don't click on anything stupid. People are still going to do stupid things with their machines and get hosed by something unless they understand why they shouldn't open that attachment. People will still send thousands of pounds off to Nigerian scammers, regardless of what operating system they use unless they become aware of how these scams work. Peopel will still fall for phishing expiditions regardless of what email client/webmail they use unless they know what to look for.
Also ISPs could do more. While they seem happy to get into bed with the RIAA regards fileswapping they don't seem too keen on letting their customers know (and possibly advise on patching) when their pc is being used as a spam relay.
Blaming the OS is a tired and short sighted argument.
if they can find the bots...
...then why can't they shut them down?
can't someone write a virus that'll seek out and remove the bots from the infected systems? (because if they're already infected, then the machines are likely easy to compromise, no?)
and if they've done all this research and they can tell how the bot communicates and so on, surely it should be possible to begin compromising the bots themselves and get them to vaccinate their fellow bots (prehaps i've been playing the Infected game too much)
But it seems strange that we know so much about these botnets, yet seemingly there is nothing that can be done about them
or are all these figues of the number of compromised hosts just theoretical based on the affect that can be seen?
I agree that the users are the single biggest security problem for any machine, regardless of OS and also that the average Joe Public is pretty much computer illiterate, what we need is more education from an early level in schools. It'd also be nice to see our Govt get out of bed with MS and actually start making sensible decisions with regards to IT... *OUCH*, sorry just got hit by an airborne porcine....
A rose by any other name would smell as sweet....
What's in a name? This discussion, and the response from Damballa, is really a meaningless exercise in grouping and naming. Alas malware does not lend itself to being precisely named nor grouped.
The history of malware is littered with similar examples of worms that are given new names when a new feature appears, whereas in fact this new feature has simply been added to an existing code base. Is this a new family of malware or an old one? The answer is it doesn't make any difference what the family name is. The divisions between families are all very blurred, the evolution of these things is incremental.
Whether a new feature deserves a completely new name is moot; malware authors share code and the architecture of bots is modular and has been for a very long time. Whether bolting on a new communications module that uses encrypted TCP on port X instead of plain HTTP deserves a new name or not is up to you. Pick what you will, so will everyone else. There will be differences, but in the end it doesn't really make any odds what it's called.
re if they can find the bots...
I totally agree with that. There are tonnes of materials written about Botnets and there's even a whole book on them by syngress publishers.
it doesnt make sense to classify and baptize these menaces with fancy and cartoon like names instead of focusing on how to disinfected infected computers. Sure these researchers, if they are that smart to disassemble and name them, then they should be smart and have the decency to reverse the process.
@@ if they can find the bots...
How is that a good use of their time?? These things aren't easy to remove, they're extremely difficult to remove, they hide themselves and repair themselves and if you've got one you've probably got several. Added to that, if you remove them, you still need to patch the security hole that let them in in the first place, often the patches aren't out, and sometimes the security hole IS the user.
Disinfecting infected machines is closing the stable door after the horse has bolted and the only way to be sure you're rid of the nasties is a FRESH INSTALL. There's malware and rootkits out there that are absolutely UNDETECTABLE by any of the current anti malware programs.
It's up to YOU, as a nerd, to ensure the people you meet and talk to are made aware of general good practice, have some AV and anti-spyware. It's up to you to make sure your kids and your granny are using Ubuntu, or Windows Steadystate or some other system that isn't going to end up pwned within a week of them getting it.
Claiming that researchers are indecent for trying to quantify the scope of the problem instead of turning vigilante and trying to fix Joe Public's shit riddled PC is dumb.
I'm getting fed up of reading this childlike "well if they can detect them why don't they just fix them huh?" argument. We can detect Aids, we can detect Cancer, fixing them IS NOT SO FRICKIN EASY!
- Facebook offshores HUGE WAD OF CASH to Caymans - via Ireland
- Justin Bieber BEGGED for a $200k RIM JOB – and got REJECTED
- Microsoft teams up with Feds, Europol in ZeroAccess botnet zombie hunt
- Review Bigger on the inside: WD’s Tardis-like Black² Dual Drive laptop disk
- Mexican Cobalt-60 robbers are DEAD MEN, say authorities