Application security, Malware

Kraken botnet re-emerges 318,000 nodes strong

Kraken, a large and difficult-to-detect botnet that peaked in 2008 and was dismantled by early 2009, is back, and anti-virus solutions are struggling to detect it, according to researchers at Georgia Tech Information Security Center.

The botnet reappeared in April and, as of last week, was made up of more than 318,000 unique IP addresses, or about half its 650,000 maximum size in 2008, Paul Royal, research scientist at the Georgia Tech center told on Wednesday.

Machines infected by Kraken malware primarily are being used to send spam, and a single member of the botnet is capable of sending more than 600,000 unwanted emails in a 24-hour period, he said. All of the spam is promoting male enhancement or erectile dysfunction products.

Kraken malware is being installed onto already compromised computers by another, larger botnet, which uses so-called “butterfly” bot malware to operate, researchers said. The butterfly bot malware, which was also used to construct the Mariposa botnet, is up for sale as a kit on the criminal black market.

It is currently unclear whether those behind the Kraken botnet are the same group as those operating the botnet that installs Kraken, Royal said. Most likely, the groups are different.

Meanwhile, the original Kraken botnet infiltration and takedown was the result of concerted industry effort, Royal said. The hosting provider that Kraken operators were using disrupted the botnet's command-and-control (C&C) domain and by early 2009, all of Kraken's original C&C domains went offline.

“The reuse of Kraken, to me, implies a potential trend of efficient malcode [malicious software code] reuse,” Royal said. “Efficient malcode takes time to develop. Like every piece of software, it has to go through several iterations and as a result, is expensive to replace. So regardless of age, provided the operators can make it appear as benign to AV [anti-virus] tools, they will continue finding uses for it.”

The notorious Storm Worm botnet recently made a similar resurgence.

The Kraken bot malware uses a common technique to avoid detection, known as obfuscation or packing, whereby the malicious portion of the program code has been made to appear as seemingly benign data, Royal said. The technique, used by most modern malware today, is intended to prevent traditional AV from being able to recognize the malicious portion of the code or detect the threat.

Royal said that as of last week, the Kraken bot malware is poorly detected by the top three AV companies, which hold at least 70 percent of the AV market, meaning the majority of users are not protected from this threat even with up-to-date AV software.

Joshua Talbot, security intelligence manager at Symantec Security Response, told in an email Wednesday that the company classifies the botnet as Backdoor.Spakrab and does indeed detect it.

“Symantec's stance is that this botnet never really died out, but has in reality continued to exist and infect users,” Talbot said. “In fact, Symantec updated our signatures for this threat family just a couple of weeks ago.”

Additionally, David Marcus, director of security research and communications at McAfee, told in an email Wednesday that McAfee has had detection for this threat since June 12 and has been keeping it “very current.”

However, Royal said that last week he ran a sample of the malware through VirusTotal's online virus and malware online scanner and it was not detected by either McAfee or Symantec.

“McAfee and Symantec probably detect older versions of Kraken, but the VirusTotal results clearly indicate a dearth of detections for recent Kraken samples,” Royal said.

Symantec's Talbot added that Kraken relies on a large numbers of unique malicious files to evade detection, and is a “prime example” of why traditional signature-based solutions are no longer enough to catch all threats.

“In this case, our reputation-based security technology classifies such malicious files as bad, based on automated feedback gathered from our tens of millions of opt-in end users,” Talbot said. “These malicious files are prevented from running on a user's machine, not necessarily because traditional signatures detected them, but because they had a sufficiently poor reputation rating.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.