Rixstep
	`About \| ACP \| Buy \| Industry Watch \| Learning Curve \| News \| Products \| Search \| Substack`

Home » Learning Curve » Red Hat Diaries

Kraken: The Second Story

Find it between the lines.

Get It

Try It

There's a good story over at Brian Krebs' Security Fix. It's about the controversy surrounding a malware strain known as Kraken. As usual Brian does a top drawer job summarising the story and providing useful comment but there's a second story in there between the lines that's almost more interesting.

If you haven't seen it and read it yet then wander over first and come back afterwards.

Security Fix: Kraken Spawns a Clash of the Titans

'Most of my waking hours on Monday were spent fielding indignant queries from sources in the antivirus industry', begins Brian. 'What I discovered says as much about the steady-as-she-goes state of the antivirus industry as it does the lengths to which an upstart security company will go to upset the apple cart that defines the mainstream computer security marketplace today.'

The story starts at Georgia Tech startup Damballa who've declared war against bot armies. They claim to have discovered that hackers infected more than 400,000 Windows PCs to relay spam. Their story notes that this particular strain of malware 'had heretofore gone undetected by 80 percent of the commercial antivirus tools on the market'.

Damballa reported sighting Kraken in at least 50 Fortune 500 companies and that it is undetectable in over 80% of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques including regularly updating its binaries and structuring code to thwart static analysis, according to Damballa researcher Paul Royal.

Doyens in the 'security industry' were puzzled how Damballa could know so much but the answer wasn't long forthcoming. Kraken uses a twist on dynamic DNS whereby new site names are found on the fly; and the Damballa researchers cracked the algorithm Kraken's using to generate new site names and have reserved these names ahead of time. Given time all of Kraken's bots will report to servers under Damballa's control - and effectively be 'honeypotted'.

At the end of 2007 Damballa used VirusTotal to scan Kraken against 32 commercial antivirus products. Only 11 (34%) of them saw anything.

A new scan on April Fools showed results were not comfortably better with a mere 16 (50%) of the 32 products sounding an alarm.

The Second Story

The second story - purportedly more interesting than the first - is found in Damballa's explanation for the dismal results by the 'landed gentry of security'.

They're 'slowly slipping into a set of security tools whose time has come and gone', says Paul Royal.

Brian Krebs comments.

'This debate between Damballa and the antivirus industry has happened before and is likely to occur again. That's because the antivirus industry no longer have the luxury of correctly classifying malicious software: they are doing everything they can just to keep up with the glut of malware being released on the net each day and to classify it as malicious.'

And that's the second story. Regardless of the spectre of Kraken, it's mostly an out in the open accepted fact in the security industry today: they can't keep up. No way. Not as long as all the suckers stay on Windows. Abandon Windows and it's another story altogether. Where the 'landed gentry of security' are no longer invited to the party.