Major botnet infiltrated

Share this article:

For the first time, a major botnet -- specifically, the insidious Kraken botnet -- has been beneficially infiltrated. And researchers have found a way to shut it down remotely.

Cody Pierce, security researcher at TippingPoint's DVLabs, told SCMagazineUS on Tuesday that “we set out to see how the bot communicates, see how it decides who to contact, and discover what kinds of commands it can execute. The idea was to see if it was possible to infiltrate these things and shut them down.”

The researchers found that the code can be arbitrarily downloaded and executed on zombie hosts. With that knowledge and a little legwork, they found that a measure of the number of infected machines could be estimated.

According to Pierce, “The bot generates dynamic DNS host names. Those names are registered and the ploy will listen for command and control information. We figured out that if we registered a couple of names that came up when a machine first reboots, we would have a good chance of hitting a lot of bots when they report in. From there we could gather statistics about how large the bot network was.”

The bot is not undefeatable. Pierce said, “We found that whoever was controlling the bot could make changes, so that the code could update itself on affected machines. By investigating and using this mechanism ourselves, we devised a way that the bots could be cleansed from the systems they were on.”

 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.