Major botnet infiltrated

Share this article:

For the first time, a major botnet -- specifically, the insidious Kraken botnet -- has been beneficially infiltrated. And researchers have found a way to shut it down remotely.

Cody Pierce, security researcher at TippingPoint's DVLabs, told SCMagazineUS on Tuesday that “we set out to see how the bot communicates, see how it decides who to contact, and discover what kinds of commands it can execute. The idea was to see if it was possible to infiltrate these things and shut them down.”

The researchers found that the code can be arbitrarily downloaded and executed on zombie hosts. With that knowledge and a little legwork, they found that a measure of the number of infected machines could be estimated.

According to Pierce, “The bot generates dynamic DNS host names. Those names are registered and the ploy will listen for command and control information. We figured out that if we registered a couple of names that came up when a machine first reboots, we would have a good chance of hitting a lot of bots when they report in. From there we could gather statistics about how large the bot network was.”

The bot is not undefeatable. Pierce said, “We found that whoever was controlling the bot could make changes, so that the code could update itself on affected machines. By investigating and using this mechanism ourselves, we devised a way that the bots could be cleansed from the systems they were on.”

 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.