back to article Botnet agent plays lost sheep to avoid detection

The latest variants of Kraken have thrown up innovations in black hat stealth technology that are making botnets spawned by the malware harder to detect and dismantle. Analysis of the source code of the new variant of the Kraken (AKA Bobax) bot by Australian anti-virus firm PC Tools has revealed a domain name generation …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Pirate

    Eminently bustable

    >"a variable length from seven to 12 characters, followed with one of the domain suffixes: dyndns.org, yi.org, mooo.com, dynserv.com, com, cc or net."

    So if those four providers could be persuaded to co-operate, a simple regex match on their server logs could spot it the moment anyone tries to register one of those names.

    If the controllers are smart enough to hide their tracks, it won't be possible to track them from that, but it would at least be simple to block them (and not register the domain). Or even to set up fake control servers that answer to those names and tell the bot to disinfect.

  2. E

    Obvious, really.

    Not that I would ever write a bot or such, but the innovations described seem quite obvious. It is a surprise that nobody has done these things already.

  3. Steve Evans

    Annoying...

    There is a simple solution to most of this.

    Most botnets are used to send spam, the zombied machine connects to whichever server is the MX for a domain, and pretends to be another email server relaying a message for one of it's users.

    So by default ISP's should restrict connection to SMTP servers so end user machines cannot connect to any SMTP servers apart from the ones owned by the ISP.

    Your run of the mill AOL,Tiscali,BT customer uses the email address that came with the ISP, so they'd be fine. The rest probably use web based systems like gmail/hotmail etc.

    The more techy savvy of us, who lets face it aren't really the big risk when it comes to ending up on a botnet, would of course have some kind of web interface on the ISP so we can permit other SMTP servers, or open it up for all. Please note web interface, not a call centre in India! (Done that once this week already thanks!)

    It's not as if it's a hard thing to spot from an ISP level. They spend so much cash and technology mangling P2P, it wouldn't take 10 minutes to spot zombie behaviour, nobody normal initiates over a thousand SMTP connection in a day for starters. That would be enough to pass on their details to the sales team and send them an internet security package, or at least some advice on protection!

  4. Charles Manning

    Lost sheep and shepherd?

    Dunno about bot sheep, but the meat variety we have here in NZ don't try to find their shepherds. The bastards will avoid you if at all possible. I've spent too many afternoons running up and down hills chasing them. If a sheep willingly approaches you, look for signs of foam about the mouth, or a cameraman lurking in the bush filming a sequel to Black Sheep (something I hope is never made).

  5. Pascal Monett Silver badge

    Impressive

    It's really interesting to follow the evolution of the industry in this domain. The impressiveness of the adaptability and ingenuity of the malware writers is only outdone by the sadness of their quest : to infect even more PCs with spam-sending filth.

    It's kind of like meeting a psychopathic serial killer who is on the verge of discovering faster-than-light travel. You know he's good, but you have to kill him anyway.

    Pity.

  6. Zap
    Heart

    people from Wales and New Zealand and Sheep

    Reply to

    Lost sheep and shepherd?

    So its true what they say about people from Wales and New Zealand and Sheep!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021