Nugache the latest in bot-net technology… and why you should care about botnets…



To show where the threat from bot networks is heading, there's a story today on Nugache (Symantec summary), a bot that uses a number of clever tricks to avoid having the whole botnet shut down, allows command and control over an encrypted channel, and has essentially no "human readable strings" in any of its communications. The encryption of its connections makes it harder for an IDS to catch it (as IDSs rely on signatures of the traffic).


It's kind of interesting that this "newer, better" bot is making news on the same day that Blue Security's demise is announced (they were essentially finished off by spammers with a botnet of their own). What's really disturbing about the current state of botnet technology is that it's fairly easy to see how it could be refined and improved to be EVEN more distributed and harder to shut down without tracking down EVERY LAST INFESTED machine. Unfortunately, in this arms race the bad guys seem to have the lead.

Of course, that's been the way since the first computer viruses started spreading: release it, and then there's a signature to detect it. When viruses were moving from computer to computer on floppy disks they didn't exactly spread overnight, but once email became the primary way to distribute viruses, the antivirus companies had to be more on their toes. Updates had to come quickly, but there's still the lag. AND so many people let their antivirus lapse if it came with the PC, or never install it if it didn't come with the PC. It's frustrating to see so many people who think, "I don't keep anything important on my computer, so it doesn't matter to me if I get a virus." I suspect that's one reason botnets have grown so powerful and plentiful that they can force a company off the web. When you can get control of thousands of zombie PCs to do your bidding for maybe a thousand dollars (or less), you have the equivalent of an army ready to send junk mail, serve up illegal content (child pornography/pirated software), hold websites hostage for money, or just "run them out of town."

Yes, somebody should do something, but then we don't want the net regulated. That means that WE have to stand up and do something; the netizens have to do more. There are a number of things that ISPs could do that aren't being done across the board that would help (NOT just providing free antivirus). It is a balancing act, though, between security and convenience. There are things that EVERY computer user can do: check that they've got operating system updates, and make sure their antivirus works and is updating. For that matter, they should be aware of what's "normal" for their PC to be running, and if something new happens, FIND OUT WHY.

With the loss of Blue Security I'm afraid that the spammers of the world are going to be emboldened and redouble their efforts to sell Viagra and who knows what else to every human being on the planet with an email account. For that matter, I'm sure EVERYONE in the "rent a botnet" part of the internet has taken notice that they've won a major fight against white-hat vigilantes.

By the way, here's a good detailed step-by-step of what led up to Blue Security's demise. And the reality is that the attacks that brought Blue Security down are still going on, but now aimed at the companies that became associated with them in this whole deal. Blue Security posted a message on their site about shutting down, but that hasn't stopped the attacks; their site is out at the moment. Prolexic is a company they enlisted in recent weeks to help them survive the DDoS attacks, and Prolexic specializes in defending against that type of attack. However, it looks like the botnet has now targeted UltraDNS, which is Prolexic's DNS provider. They've been hit with a "reflective DoS" attack (or DNS amplification attack). Essentially, improperly configured DNS servers are fed requests spoofed to look like they came from the target, so the replies land on the target instead; it's then hard for the target to filter out the legitimate traffic, and as the attack escalates (more bots spreading the requests across more poorly configured DNS servers...) the target chokes on the load.
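As an added example (not from the original post, and not tied to any of the companies it names), here is a small detection routine for what a reflective DoS looks like from the victim's side of the network edge: large DNS responses arriving from many servers the host never queried. The flow records are constructed for the example; in practice you would feed it NetFlow or packet-capture summaries of UDP/53 traffic.

```python
"""Flag hosts that appear to be receiving a DNS amplification flood.

Added example, not code from the original post. Input records are
(src_ip, dst_ip, kind, qtype, size_bytes) where kind is "query" or "response".
"""
from collections import defaultdict

# Constructed sample traffic as seen at a border router.
SAMPLE_FLOWS = [
    # A normal lookup: the client asked, the server answered.
    ("192.0.2.10", "198.51.100.5", "query", "A", 60),
    ("198.51.100.5", "192.0.2.10", "response", "A", 120),
    # Large responses from several open resolvers that 192.0.2.50 never asked:
    # this is the victim's view of a reflection/amplification attack.
    ("203.0.113.1", "192.0.2.50", "response", "ANY", 3000),
    ("203.0.113.2", "192.0.2.50", "response", "ANY", 2900),
    ("203.0.113.3", "192.0.2.50", "response", "ANY", 3100),
    ("203.0.113.4", "192.0.2.50", "response", "TXT", 2500),
    # One stray unsolicited reply (e.g. a late answer); below both thresholds.
    ("203.0.113.9", "192.0.2.60", "response", "A", 90),
]


def find_amplification_victims(flows, min_reflectors=3, min_unsolicited_bytes=4096):
    """Return {victim_ip: (distinct_reflectors, unsolicited_response_bytes)}.

    A host is flagged when it receives responses from at least
    `min_reflectors` distinct servers it never sent a query to, and those
    unsolicited responses total at least `min_unsolicited_bytes`.
    Two passes, so record order does not matter.
    """
    # Pass 1: every (client, server) pair for which we saw a real query.
    queried = {(src, dst) for src, dst, kind, _, _ in flows if kind == "query"}

    # Pass 2: responses to hosts that never queried that server.
    unsolicited_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    for src, dst, kind, _qtype, size in flows:
        if kind == "response" and (dst, src) not in queried:
            unsolicited_bytes[dst] += size
            reflectors[dst].add(src)

    return {
        host: (len(reflectors[host]), total)
        for host, total in unsolicited_bytes.items()
        if len(reflectors[host]) >= min_reflectors and total >= min_unsolicited_bytes
    }


if __name__ == "__main__":
    for victim, (n, total) in find_amplification_victims(SAMPLE_FLOWS).items():
        print(f"possible DNS reflection target {victim}: {n} reflectors, {total} bytes")
```

The same two-pass logic applies to NTP or other UDP reflection, with the port and "query" definition swapped.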

You may recall the attack that took down Akamai-hosted services around 2004 (several big-name sites were offline for a few hours in that attack). It was big news at the time. That was a similar reflector attack. What's most disturbing is that that attack was stopped not by Akamai, but by the attackers. In other words, you now know why you should care about botnets and their herders: they have the power to snuff a site off the net.

Make sure your PCs are clean of "bugs" and help your friends do likewise. Spread the word: we need a "worldwide clean your computer with antivirus and antispyware day" or something like it. (Kind of like the installfests that Linux User Groups hold, only an uninstallfest.)
