Kraken Spawns a Clash of the Titans
Most of my waking hours on Monday were spent fielding indignant queries from sources in the anti-virus industry who were wondering what I knew about reports of a new family of malicious software that allegedly had managed to infect more than 400,000 computers worldwide seemingly overnight with computer code that hijacked each machine for use in blasting out spam e-mails.
What I discovered says as much about the steady-as-she-goes state of the anti-virus industry as it does the lengths to which an upstart security company will go to upset the apple cart that defines the mainstream computer security marketplace today.
At issue was news that Atlanta-based security firm Damballa had discovered that hackers had infected more than 400,000 Windows PCs with malicious software that forces them to relay junk e-mail. The story noted that this particular contagion had heretofore gone undetected by 80 percent of the commercial anti-virus tools on the market. Spam relays often are referred to as "bots," while large groupings of bots -- remotely controlled by the attackers -- are known as "botnets." Damballa is a startup at Georgia Tech that is trying to build a business around helping companies identify and remove bot infections from their networks.
From the now ubiquitous Dark Reading story about Damballa's discovery:
"The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa."
Apart from that information, the story left many security professionals hungering for more details. Chief among those were: How exactly does Damballa know so precisely how many bots were involved? And how does the company know whether various anti-virus products detect this spam bot as malicious or not?
In regard to the first question, most botnet masters control their herds of infected PCs by having each report to a specific Web site to receive instructions. But these bots quickly become stranded when security professionals step in and have Internet service providers shutter those sites.
Consequently, many botmasters -- including those who control the Kraken botnet -- have taken to using free so-called "dynamic DNS" services (DNS, short for domain name system, is what helps map human-friendly domain names like example.com into numeric Internet addresses that are easier for computers and Web browsers to route). Dynamic DNS services are great for small mom-and-pop Web sites that may be hosted on a network that frequently changes its numeric Internet address: No matter how many times that address changes, a dynamic DNS service will route a visiting Web browser to the latest address.
In the early days of bot infections, botmasters would have all of their infected PCs report to a particular Internet server to receive updates and instructions on what to spam or whom to attack. But those stationary control servers represent a single point of failure for botmasters: If security professionals can get them taken offline, the botmaster can lose control over his herd of infected machines, as the individual bots no longer know where to go to receive instructions and become stranded indefinitely, sort of like sheep without a shepherd.
As a result, many botmasters have switched to using dynamic DNS because these services eliminate this single point of failure. Using dynamic DNS, the botmaster simply tells his bots to report to a particular domain name he controls, such as example.com, and the dynamic DNS provider takes care of making sure all infected machines know how to find the control server (I wrote about this trend back in February 2006, in an investigative story that followed a young botmaster named 0x80 who controlled a network of more than 13,000 infected PCs using dynamic DNS services.)
Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code.
The reason Damballa knows exactly how many bots are infected with Kraken is that its experts managed to work out the mathematical algorithm Kraken uses to generate dynamic DNS names that will be used in the future to control the botnet. With that information, the company can then go reserve those dynamic DNS names ahead of time, and when the botnet gets around to using them, all of the bots will eventually report to servers Damballa controls.
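The name-generation-and-sinkhole mechanism described above, as an added illustration that is not part of the original post and uses a toy, constructed name routine rather than Kraken's real one: once the routine is known, a defender precomputes the names the bots will try on future days, registers them ahead of time, and counts the distinct client addresses that look them up. The seed, suffixes and log format are all assumptions for the example.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed stand-in for the bot's name routine; NOT Kraken's algorithm.
# Each day the bot derives a few candidate names from a secret seed and the date.
SEED = b"constructed-example-seed"
DYNDNS_SUFFIXES = ("dyndns.example", "no-ip.example")  # placeholder providers


def candidate_names(day: date, per_day: int = 3) -> list[str]:
    """Names a bot would try on `day`, in the order it would try them."""
    names = []
    for i in range(per_day):
        material = SEED + day.isoformat().encode() + bytes([i])
        label = hashlib.sha256(material).hexdigest()[:10]
        names.append(f"{label}.{DYNDNS_SUFFIXES[i % len(DYNDNS_SUFFIXES)]}")
    return names


def sinkhole_list(start: date, days: int) -> set[str]:
    """Defender side: with the routine recovered, precompute every name the
    bots will try over the next `days` days so they can be registered first."""
    return {n for d in range(days) for n in candidate_names(start + timedelta(d))}


LOG_RE = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+) query (?P<qname>[\w.-]+)$")


def infected_hosts(log_lines, sinkholed: set[str]) -> set[str]:
    """Distinct client addresses that looked up any sinkholed name; the size of
    this set is the botnet-size estimate the article describes."""
    hosts = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m["qname"] in sinkholed:
            hosts.add(m["src"])
    return hosts


def demo() -> set[str]:
    """Constructed sinkhole log for one day: two hosts beacon to the day's first
    name (one of them twice), one to the second, plus one unrelated lookup."""
    day = date(2008, 4, 1)
    today = candidate_names(day)
    sinkholed = sinkhole_list(day, 30)  # register a month of names in advance
    log = [
        f"192.0.2.10 query {today[0]}",
        f"192.0.2.11 query {today[0]}",
        f"192.0.2.10 query {today[0]}",      # same host retrying; counted once
        f"192.0.2.12 query {today[1]}",
        "192.0.2.13 query www.example.com",  # benign lookup, ignored
    ]
    return infected_hosts(log, sinkholed)
```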
In fact, if you were to visit this link, which describes in exquisite detail how one variant of the Kraken botnet works, you'd see a list of more than 100 dynamic DNS names at the bottom. Investigate that list a bit further, and you'd find that nearly a third of those point to Internet servers hosted at Georgia Tech, home to many of the Damballa researchers, including the company's chief scientist, David Dagon.
At this point, it might appear that Georgia Tech/Damballa is enabling a massive spam botnet. But Damballa's Paul Royal said that none of the bots that connect to its systems ever send any outbound traffic or receive updates from the Kraken botmasters.
"If you were to watch the traffic on those servers, what you'd find is that there's only traffic going into them, and no actual traffic coming back out," Royal told Security Fix. He declined to elaborate further on exactly how Damballa manages this -- citing trade secrets. But the reality is that Damballa researchers have been doing this for some time now, and more precise descriptions of how they manage this "sinkhole" approach to botnets are given here, here and here.
So that explains why Damballa knows exactly how many machines are infected with Kraken (and the company says it plans next week to publish a list of Internet addresses infected with the bot). But how does the company know whether various anti-virus firms detect this spam bot as malicious or not?
Damballa says that in late December 2007 it used Virustotal.com to scan the Kraken code against 32 commercial anti-virus products, and that at the time only 11 of them (34 percent) detected it as malicious -- see the results here (PDF). A more recent scan of the bot code on April 1 (PDF) shows that detection of Kraken among the anti-virus industry has increased, but only slightly -- just 16 of 32 (50 percent) of the anti-virus companies now flag it as bad.
Royal said such dismal detection rates show why anti-virus products are "slowly slipping into a set of security tools whose time has come and gone."
Many folks in the anti-virus and broader Internet security space say Damballa is trying to make a name for itself by hyping this threat, and that Kraken is nothing more than a renamed and repackaged "Bobax," a worm of similar lineage and methods that was discovered several years ago (in February, Security Fix wrote about Damballa research suggesting that the indefatigable "Storm" worm got its start by cannibalizing PCs infected with Bobax).
"We've taken a look at this and it seems the Damballa guys are into rebranding, and that they've simply taken Bobax" and presented it as Kraken, said Dmitri Alperovitch, director of intelligence analysis at Secure Computing, also based in Atlanta.
Regardless of who's right here, this debate between Damballa and the anti-virus industry has happened before and is likely to occur again. That's because the anti-virus industry no longer has the luxury of correctly classifying malicious software: They are doing everything they can just to keep up with the glut of malware being released on the 'Net each day, and to classify it as malicious.
As I noted in my recent story Antivirus Firms Scrambling to Keep Up, most anti-virus companies have by necessity moved to classify new threats under far more boring, catch-all names, such as "hacktool.spammer," and "backdoor.trojan," as opposed to anything as scary- and impressive-sounding as Kraken.
For those readers still playing along and wondering what they can do to protect their Windows PCs from the mighty Kraken, the advice is the same: Use anti-virus, but don't depend on it to save you from risky behaviors online. Use a firewall, keep your computer and third-party software up-to-date with the latest security patches. Don't click on links sent to you unexpectedly in e-mail or instant message. But if you do nothing else, configure your computer so that you run it under a limited user account for everyday use.
Update, April 10, 11:29 p.m.: Joe Stewart, director of malware research for SecureWorks, published a paper listing the top spam botnets by apparent size. Stewart's research references Kraken as another name for Bobax, and suggests the size of that botnet is closer to 185,000 infected machines. Meanwhile, Damballa has put out a white paper on Kraken, defending the company's methods and the reasons it believes Kraken is separate from Bobax and any other previously identified botnet families.
By Brian Krebs | April 8, 2008; 11:38 AM ET
Posted by: brucerealtor | April 9, 2008 4:42 AM
@Brucerealtor--- Bruce they are both there, and both detect it (Norton is alphabetical under Symantec).
Posted by: Bk | April 9, 2008 8:26 AM
If I've said it once, I've said it a thousand times. Signature-based anti-virus is dead. The bad guys are just too smart these days and are running rings around the traditional AV products.
The only way to go from here is Software Authentication/Application Control. Only apps that are in a whitelist are permitted to run. Everything else is graylisted or blacklisted. Graylisted apps can be reviewed and permitted if necessary.
I predict that traditional signature-based AV solutions will have disappeared within 3 years or so....and it won't be before time!
And no...I don't work for a vendor who markets & sells one of these products. I'm an IT manager living on my nerves waiting for my Enterprise to be hit by a rootkit/botnet outbreak despite running an AV solution from one of the major vendors.
Nick
Posted by: Nick | April 9, 2008 9:39 AM
> Signature-based anti-virus is dead. <
The same had been predicted for the Catholic Church for centuries, and the cemeteries are full of the gloomy prophets' graves, yet the Pope is still in Rome.
A well-established structure with a long past and ample resources is not that easy to topple; they have enough inertia to keep them upright in hard times, and eventually they adapt.
Damballa will be purchased by a big name AV company if they are any good, so they are hyping left and right to have their going price maximized.
The idea of blacklisting is stupid, because it would take away liberty, which von Neumann introduced with his programmable digital computer idea. It would be the end of the open source and free software movements as we know them.
Otherwise, the blacklisting companies are struggling: there are 250,000 new binaries from the Big 5 software companies per day, and the blacklist master database of just the hashes is over 150GB.
The future is apparently about system control (aka HIPS) and traditional AV companies are quite good at it, e.g. F-Secure from Finland.
Posted by: Tamas Feher from Hungary | April 9, 2008 10:13 AM
While I agree that signature-based solutions are not likely to go away in the very near future I do believe that they are NOT the catch-all that the major vendors market them to be.
Just like any strategic defense, AV and other signature based solutions have weaknesses. With that in mind you have to consider using other defense vectors along with signature-based solutions.
Saying that blacklists are "stupid" is stupid. If you really want to be secure then providing for a layered defense strategy is obviously the best way to accomplish that.
Using location-based defense techniques along with signature-based solutions is the best way to do this.
Posted by: Ian Dawson | April 9, 2008 11:03 AM
I am guessing this is (once again) a Microsoft Windows problem alone. The article does not state any other operating systems involved that I noticed. I am so glad I use Linux and FreeBSD for my home desktop PCs and business desktop PCs and servers. Since the desktop systems are behind a firewall I never have to worry about malware attacking open services. I *never* *will* worry about other types of attacks since these systems use privilege separation by design (and I do not deliberately break it to do dumb things like using e-mail and web browsing as 'root').
Kudos to Microsoft for giving the anti-malware industry a job.
Posted by: Gene Alexander - blog.eracc.com | April 9, 2008 6:37 PM
Well, we could always complain in hordes to the AV software companies and force them to change.
Has anyone considered counter-botnetting these people or just taking a couple of the world's supercomputers off those more useless projects and having them counter-attack the botnets?
Posted by: Last Stand | April 10, 2008 2:02 AM
I wonder about the next step. How do these companies intend to remove the infection without violating laws governing the spread of a code fix? When botnets first came on the scene and law enforcement was able to black hole the IPA that served as the command and control center, a series of programs were written for distribution to remove the infections. The distribution was halted because it violated federal law to in essence set a virus loose to attack these machines and strip out the infecting code. Given that the infected machines existed around the world, the concern was that the US law enforcement community would in essence be attacking computers in sovereign nations.
I am impressed that the command and control structure or lines of communication can be overtaken, but it does not change the fact that the computers are still infected until a patch or fix is sent out. But even after it is sent out, there is no guarantee the whole of the botnet will install the fix.
I personally know of one botherder who maintained a log of all of his infected computers. When the command and control site was black holed, the herder used the log to locate his infected machines and through a backdoor in the infecting code, establish a new command and control location.
My point: technology can only go so far. We need to address the legal clean up as much as we need to address the identification.
Since currently we are unable to legally clean all the infected systems, we need to push user education above all else to stop the infections before they start.
Posted by: E.J. H | April 10, 2008 2:45 PM
Not to be rude but the one defence against things like this that's never mentioned is GET THE F OFF WINDOWS NOW.
Posted by: Rick | April 12, 2008 7:49 PM
@Tamas - whitelists don't necessarily prohibit open-source software. It's easy to sign code, so a place like the Mozilla Software Foundation could have a legitimately recognized signing key that anyone could import into their code signature checking system (or have it enabled by default).
The problem is with folks writing their own software. There's always a reason to avoid the signature check: either it doesn't exist, or you don't currently trust the signing party. In that case, you should be able to self-sign software to allow it to run on your machine. That sounds like a PITA, but software is relatively static on a particular machine. Self-signing during installation should not be a big deal.
Posted by: Chris | April 17, 2008 11:19 AM
Is there some reason WHY Norton and Kaspersky anti-virus programs were not among those selected for the test on April 1, 2008 ???