Major botnet infiltrated

Share this article:

For the first time, a major botnet -- specifically, the insidious Kraken botnet -- has been beneficially infiltrated. And researchers have found a way to shut it down remotely.

Cody Pierce, security researcher at TippingPoint's DVLabs, told SCMagazineUS on Tuesday that “we set out to see how the bot communicates, see how it decides who to contact, and discover what kinds of commands it can execute. The idea was to see if it was possible to infiltrate these things and shut them down.”

The researchers found that the code can be arbitrarily downloaded and executed on zombie hosts. With that knowledge and a little legwork, they found that a measure of the number of infected machines could be estimated.

According to Pierce, “The bot generates dynamic DNS host names. Those names are registered and the ploy will listen for command and control information. We figured out that if we registered a couple of names that came up when a machine first reboots, we would have a good chance of hitting a lot of bots when they report in. From there we could gather statistics about how large the bot network was.”

The bot is not undefeatable. Pierce said, “We found that whoever was controlling the bot could make changes, so that the code could update itself on affected machines. By investigating and using this mechanism ourselves, we devised a way that the bots could be cleansed from the systems they were on.”

 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Researcher discovers flaw in Amazon Kindle Library

A security expert discovered a vulnerability in Amazon's Kindle Library that could lead to cross-site scripting attacks and account compromises.

JPMorgan Chase might struggle to patch vulnerabilities quickly enough

This summer's attack on the bank's network might have helped hackers detect subtle vulnerabilities they could exploit in the future.

WikiLeaks makes FinFisher surveillance software available to public

Copies of controversial surveillance software, called "FinFisher," were made available for public scrutiny by WikiLeaks.