The "Kraken" - a botnet bigger than Storm
Researchers from the security company Damballa have reported at the RSA Conference on a relatively new botnet called Kraken. With around 400,000 bots it is twice the size of the Storm botnet, and it is thought to have already infected computers in 50 of the Fortune 500 companies.
The malware that has infected these computers apparently arrives disguised as an image file. It uses obfuscation to avoid detection by antivirus software and regularly updates its binary. The bots communicate with the Command and Control (C&C) server over custom UDP- and TCP-based protocols, and if a C&C server is taken down they can generate new domain names to look for a replacement. The payload itself is encrypted, say the Damballa experts.
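The domain-generation behaviour described above is what lets a botnet survive the takedown of a single C&C host: every bot derives the same list of rendezvous names from a shared seed and the date, so the operator only has to register one of them. The following is an added example, not code from the article or from Damballa, and it does not reproduce Kraken's real algorithm, which the article does not describe. It shows a hypothetical date-seeded DGA alongside the defender's counterpart: pre-computing the same candidate list for a window of days and matching it against DNS query logs. The seed, TLD list and log format are constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical seed and TLD list for illustration only; the real Kraken
# parameters are not given in the article and are not reproduced here.
SEED = b"illustrative-dga-seed"
TLDS = ("com", "net", "org")
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def dga_domains(day, count=10, seed=SEED):
    """Return the rendezvous domains a bot would try on `day`.

    Each candidate is derived from SHA-256 over (seed, date, index), so every
    bot that shares the seed computes the same list without any C&C contact.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        n = int.from_bytes(hashlib.sha256(material).digest(), "big")
        label = ""
        for _ in range(12):            # 12-letter second-level label
            label += LETTERS[n % 26]
            n //= 26
        domains.append("%s.%s" % (label, TLDS[i % len(TLDS)]))
    return domains


def candidate_set(start, days, count=10):
    """Defender side: pre-compute every domain the DGA can emit over a window,
    e.g. to sinkhole or register them before the bots look them up."""
    return {
        d
        for k in range(days)
        for d in dga_domains(start + timedelta(days=k), count)
    }


def flag_dga_queries(log_lines, candidates):
    """Match DNS query log lines against the pre-computed candidate set.

    Constructed log format: "<timestamp> <client_ip> <qname> <rcode>".
    Returns (client_ip, qname, rcode) for each hit. NXDOMAIN answers for
    generated names are the signature of a bot probing for a live C&C.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        if qname.lower().rstrip(".") in candidates:
            hits.append((client, qname, rcode))
    return hits


# Constructed sample DNS log: two benign lookups and one bot query for the
# fourth domain on the list for 8 April 2008.
SAMPLE_LOG = [
    "2008-04-08T10:00:01 10.0.0.5 www.example.com NOERROR",
    "2008-04-08T10:00:02 10.0.0.5 " + dga_domains(date(2008, 4, 8))[3] + " NXDOMAIN",
    "2008-04-08T10:00:03 10.0.0.7 mail.example.org NOERROR",
]

if __name__ == "__main__":
    window = candidate_set(date(2008, 4, 7), days=3)
    for client, qname, rcode in flag_dga_queries(SAMPLE_LOG, window):
        print("%s queried DGA domain %s (%s)" % (client, qname, rcode))
```

The practical point for a defender is that once the seed and derivation are recovered from a sample, the whole future domain list is known in advance; the operator's only advantage is that they can change the seed by pushing an updated binary, which is exactly why the article's note that the malware updates itself matters.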
So far, the botnet has been used mainly for spamming the usual scams: online pharmacies, male enhancement, online casinos and high-interest loans. The researchers have observed individual long-lived Kraken bots sending out up to 500,000 spam messages a day. Since the malware can update itself, it could also be repurposed for other tasks.
The Damballa researchers initially thought they had discovered a variant of the Storm worm botnet but further investigation revealed that the botnets are completely unrelated. The network was discovered at the end of last year, although earlier variants of the malware appear to date back to late 2006.