Kraken: legitimate threat or antivirus vendor 'solution'?
Researchers at Damballa Solutions have uncovered evidence of a powerful new botnet they've nicknamed Kraken. The company estimates that Kraken has infected 400,000 systems, which would make it twice the size of Storm during that botnet's heyday. (The final size of Storm's botnet is disputed; Damballa estimates Storm infected up to 200,000 machines.)
Specific details on the newly discovered botnet are still hard to come by, but rhetoric isn't. Damballa currently predicts that Kraken will continue to infect new machines (up to 600,000 by mid-April). Compromised systems have been observed sending up to 500,000 emails a day, and 10 percent of the Fortune 500 are currently infected. The botnet appears to have multiple, redundant CnC (Command and Control) servers hosted in France, Russia, and the United States. Damballa has been in secret negotiations with the French servers, which have agreed to deactivate themselves at the first sign of a workable antivirus detection system.
Like its mythical monstrous counterpart, Kraken enjoys long walks on the beach, sunsets, and tearing sailors into tasty snacks. When not ravaging the ocean, Damballa suspects Kraken is spreading itself via common social engineering techniques, and is advertising the same types of herbal products, gambling sites, and financial deals commonly found in this type of attack vector. The worm purportedly infects the system after the user clicks on a specific image file, though again, exact details aren't available at this time.
One of the problems hampering the investigation at this point is a lack of adequate antivirus detection; the few antivirus programs that currently detect Kraken list it only as a generic "suspicious file." This, combined with Damballa's growth predictions, makes the Kraken worm seem ominous, but there's a chance the beast could slip beneath the waves in short order. Earlier this year, we saw the Mega-D worm burst on to the scene, quickly exceed Storm's original size, and then fade away just as quickly after its CnC servers were shut down for ten days. At this point, Kraken could become the terror of the sea... or a drop in the bucket.
It should also be noted that Damballa is in the business of selling anti-botnet solutions. This doesn't mean that Kraken isn't a potential threat (the SANS Internet Storm Center has already seen traffic from the worm), but keep this firmly in mind when evaluating Damballa's predictions.