400000 Infected Machines In New Growing Botnet
Researches have uncovered what they say is the biggest botnet ever. It includes over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network.
“Kraken” is the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware. Kraken’s ability to morph its code base has allowed it to evade the majority of malware detectors.
Kraken, despite being on all these people’s computers, has low anti-virus coverage. It seems anti-virus companies can’t keep up with the arms race due to the number of variants and the frequency of updates. The code inside the executable file that infects a PC has been arranged in a way that makes it hard for malware analysis tools to accurately disassemble the malicious program. It raises the question of whether this basically has been authored specifically with anti-virus evasion in mind.
Kraken most likely spreads by tricking end users into clicking on a malicious file that’s disguised as an image. When it’s executed, the program automatically copies itself to the hard drive in a slightly altered format. In the event AV programs are eventually able to recognize the original file, Kraken can use the altered file to reinfect the machine. Moreover, zombie machines regularly update themselves as an additional measure to prevent detection.
Kraken’s primary activity is sending spam that advertises high-interest loans, male-enhancement techniques, fake designer watches and gambling opportunities. Damballa has observed as many as 500,000 pieces of junk mail being sent from a single zombie.
Estimates have varied wildly for the number of bots belonging to the Storm network. While some researchers have said millions of machines have been compromised, MessageLabs in February put the number of nodes at just 85,000. Whatever the number – Damballa estimates Storm has 200,000 victim – it was believed to be the biggest. It has clearly been eclipsed by Kraken, which on March 25 was observed to have compromised 409,912 unique IP addresses during a 24-hour period. The number is predicted to grow to more than 600,000 in the next two weeks. This infection is evading the canonical defense techniques that the enterprises use, such as intrusion detection systems and intrusion prevention systems. It should be caught by IDSes, IPSes and firewalls, but it’s not.
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.