Damballa, an internet security company that focuses on targeted threats, announced the findings at the RSA Conference in San Francisco. The Atlanta-based company says it is actively tracking the threat with over 400,000 distinct victims seen daily as compared to Storm's 200,000 victims. Kraken has gone undetected by over 80 percent of computers with anti-virus software installed, the Damballa release says.
“Kraken is the largest army we've seen to date and has an unprecedented presence in enterprise networks. We've observed evidence of Kraken-based compromises in at least 50 of the Fortune 500,” said Paul Royal, principal researcher, Damballa.
Making use of trend data, Damballa forecasts that Kraken will continue to metastasize, eventually reaching 600,000 unique victims per day by mid-April. The majority of attacks are expected to hit enterprise networks. Individual victims of the Kraken BotArmy have already been observed sending 500,000 pieces of spam a day.
Kraken was first observed in winter 2007, but there are suggestions that early variants go as far back as late 2006. Damballa says, "the BotArmy is stealthy, robust and includes redundancy mechanisms that allow the BotMaster to recover his victims in case one or more of the primary command and control (CnC) servers are disabled. Kraken also uses encrypted communications to frustrate attempts at identification and understanding."
Damballa says that indications are that the primary CnC servers are hosted in Russia, France and the United States.
The company believes that Kraken uses a propagation technique based on social engineering, the same technique used by Storm and many other targeted attacks.
"The Kraken malware automatically updates itself and has the flexibility to be used as a general purpose bot for data theft or attack activity," the report states. "Kraken presents itself as an image file, tricking unsuspecting users into compromising themselves when they attempt to view the fake image."
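The report only says that Kraken "presents itself as an image file"; it does not describe how. The following added example (not code from Damballa or the report) shows a simple defensive check for that general masquerade pattern: a file whose name suggests an image but whose leading bytes do not match any image format. It assumes, as an illustration rather than a documented Kraken detail, that the disguise is done through the file name (a bare `.jpg` name or a double extension such as `.jpg.exe`) and that the real payload is an executable with a `MZ` or ELF header. The sample file contents below are constructed.

```python
"""Added example: flag files that claim to be images by name but whose
content does not look like an image.

Assumptions (not from the Damballa report): the masquerade is done via the
file name, and the real content is a native executable (PE "MZ" or ELF).
"""
import os

# Leading bytes of common image formats (well-known magic values).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Leading bytes of native executables.
EXECUTABLE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}


def claimed_image_extension(filename):
    """True if any dotted component of the name suggests an image.

    This catches both 'photo.jpg' and double extensions such as
    'photo.jpg.exe', where the visible part of the name is the lure.
    """
    parts = filename.lower().split(".")
    return any("." + p in IMAGE_EXTENSIONS for p in parts[1:])


def sniff(data):
    """Classify content by its leading bytes: image kind, executable kind,
    or 'unknown'."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(filename, data):
    """Return a verdict string for a (file name, content) pair."""
    looks_like_image = claimed_image_extension(filename)
    kind = sniff(data)
    last_ext = os.path.splitext(filename.lower())[1]
    if looks_like_image and kind in EXECUTABLE_MAGIC.values():
        return "suspicious: image name but executable content"
    if looks_like_image and last_ext not in IMAGE_EXTENSIONS:
        return "suspicious: image extension followed by non-image extension"
    if looks_like_image and kind == "unknown":
        return "warn: image name but unrecognized content"
    return "ok"


# Constructed sample attachments: (name, first bytes of content).
SAMPLES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),     # genuine JPEG header
    ("vacation.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),        # PE content behind a .jpg name
    ("vacation.jpg.exe", b"MZ\x90\x00\x03\x00\x00\x00"),    # classic double extension
    ("vacation.jpg.scr", b"\x00\x01\x02\x03"),              # double extension, unknown content
    ("readme.txt", b"hello"),                               # not claiming to be an image
]


def scan_samples():
    """Run assess() over the constructed samples and return the verdicts."""
    return [(name, assess(name, data)) for name, data in SAMPLES]


if __name__ == "__main__":
    for name, verdict in scan_samples():
        print(f"{name:20s} {verdict}")
```

In a mail gateway or endpoint scanner the same two checks (name versus content, and stacked extensions) are cheap to run on every attachment before the user ever sees the "image".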
Kraken's primary behavior, the report adds, is spamming, which includes the usual slew of messages offering high interest loans, gambling enticements, male enhancement techniques, pharmacy advertisements, fake watches for purchase, etc.