Application security

New IM, email bot creates own p2p network

Email and instant messenger users are being warned about a new bot in the wild that creates a peer-to-peer (p2p) network of infected host PCs.

The "Nugache" worm is spreading as both an email attachment and on AOL an MSN instant messenger (IM) networks, according to a warning from Websense Security Labs.

"The command and control channel that is used is unique, as the bot appears to connect to infected peers instead of a static list," warned Websense. "A peer-to-peer command and control center makes it more difficult to block commands issued to the bot."

Helsinki-based vendor F-Secure, which named the bot Backdoor.Win32.SdBot.aqy, said Monday on its website that the bot is unique because it does not create a botnet via internet relay chat (IRC) as do most IM malware. Instead it uses a p2p network, according to Mikko Hypponen, F-Secure chief research officer.

Symantec recommended users turn off unneeded services and keep their patch levels up to date, as well as not opening attachments from users they do not know.

Scott Fendley, a handler on duty for the SANS Institute's Internet Storm Center (ISC), said on the ISC website that he infected a test computer with a binary version of the bot and it tried to connect to port 8 on 22 different IP addresses.

Fendley said the new bot could be a sign of malware to come.

"I expect that this binary will be detected by most anti-virus companies quickly and slow its spread tremendously. However, I also do expect that this is a signal that the botnet writers are entering a new generation of development and capabilities," he said. "Those of use that are tasked with defending our various networks will need to find a new and better game plan to spot and counter these encrypted/p2p based botnets."

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.