‘Kraken’ monster botnet causing controversy


As latest botnet scare debated, Storm keeps on blowing.

Recent reports of a massive botnet, apparently sneaking its trojans past security software and far outnumbering better-known infections such as ‘Storm’, have been dismissed as hype by some analysts but firmly upheld by the researchers who first alerted on the threat.

The botnet has been dubbed ‘Kraken’ by researchers at Damballa, who have been monitoring bot communications for several months and discussed their findings at the RSA conference currently under way in San Francisco.

Their research implies that the network has infiltrated as many as 400,000 systems, including one in ten of Fortune 500 companies. Several news reports have claimed that the malware behind the botnet was only detected by a small minority of security products, but details released later indicate that detection has improved greatly since the attack was first checked by Damballa in late 2007.

Several similar stories of major botnets rivalling the infamous Storm attack have been reported recently, including ‘Mega-Dik’, reported as a major spam source by Marshall, and the ‘May Day’ botnet, also alerted on by Damballa, both of which emerged in early February.

Much like these two incidents, the ‘Kraken’ announcement has brought several ripostes from other researchers, including claims that the malware in question is in fact well known, possibly the family commonly known as W32/Bobax.

The confusion has once again resurrected the debate on malware naming issues, and also the complexity of measuring the size of an individual botnet – in this case, the Damballa researchers apparently hijacked communication servers used by the botnet by predicting names likely to be used and registering them for themselves. They then counted the compromised systems attempting to connect to them.
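As an added illustration of why that counting step is harder than it sounds (example code written for this page, not Damballa's tooling, with constructed log lines rather than real sinkhole data), the snippet below tallies connection records from a sinkholed domain in three reasonable ways and gets three different "botnet sizes" from the same data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole records (not real data): timestamp, client IP, domain requested.
# A bot that changes IP (DHCP) appears as several hosts; several bots behind one
# NAT address appear as one host, so any IP-based count is only an estimate.
SINKHOLE_LOG = """\
2008-04-01T00:05:12 198.51.100.7 abc123.example
2008-04-01T00:07:40 198.51.100.7 abc123.example
2008-04-01T03:15:01 203.0.113.44 abc123.example
2008-04-01T09:30:22 198.51.100.9 abc123.example
2008-04-02T01:00:00 198.51.100.7 def456.example
2008-04-02T02:10:13 203.0.113.45 def456.example
2008-04-02T11:45:59 192.0.2.130 def456.example
2008-04-03T00:30:00 192.0.2.131 ghi789.example
2008-04-03T05:00:00 203.0.113.44 ghi789.example
"""

def parse_sinkhole_log(text):
    """Return (timestamp, ip, host) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host = line.split()
        records.append((datetime.fromisoformat(ts), ip, host))
    return records

def unique_ips(records):
    """Cumulative estimate: every distinct IP seen over the whole window."""
    return len({ip for _, ip, _ in records})

def unique_ips_per_day(records):
    """Distinct IPs per calendar day, the usual basis for a 'daily active' figure."""
    per_day = defaultdict(set)
    for ts, ip, _ in records:
        per_day[ts.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}

def size_estimates(text):
    """Three plausible headline numbers from one log; they need not agree."""
    records = parse_sinkhole_log(text)
    per_day = unique_ips_per_day(records)
    return {
        "cumulative": unique_ips(records),      # all IPs ever seen
        "per_day": per_day,
        "peak_daily": max(per_day.values()),    # largest single-day population
        "sum_of_daily": sum(per_day.values()),  # double-counts IPs seen on several days
    }
```

Reporting the cumulative total, the peak daily count, or the sum of daily counts gives 6, 3 or 8 respectively for the same nine records, which is one reason published botnet sizes vary so widely between sources.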

The size of the Storm botnet has been variously estimated from tens of thousands of systems to several million, fluctuating wildly over time and between sources, while numerous other botnets, such as those spread by the Cutwail/Pandex/Pushdu family and the much more venerable Rbot, have also been reckoned to have similar or even greater penetration. Many analysts have noted a marked inconsistency between the media attention gained by Storm and its actual impact, driven mainly by its highly fluid, innovative and often attention-grabbing social engineering techniques.

As if in response to the Kraken story, Storm has once again changed tack and sent out a wave of messages targeting new victims, picking up a common malware tactic of posing as video-decoding software and this time seemingly playing on its notoriety, cheekily entitling its latest attack the ‘Storm codec’.

Initial news reports on the Damballa findings are in Darkreading here and The Register here, with analysis from Washington Post blogger Brian Krebs here and in more blog entries from Sophos here and Symantec here.

Details of the latest Storm run are at ESET here, at Sophos here and at Trend Micro here.

Posted on 9 April 2008 by Virus Bulletin
