Researchers infiltrate Kracken botnet, could clean it out
But they won't disinfect remotely, citing 'pretty big can of worms' as reason
Computerworld - A group of security researchers today said they have infiltrated one of the world's biggest botnets and can snatch control of compromised machines from the hackers.
But while 3Com Corp.'s TippingPoint researchers said they have the ability to disinfect the systems by eradicating the malware installed on the hijacked PCs, the company has decided against the move, citing liability issues.
Pedram Amini, who leads TippingPoint's security research group, and Cody Pierce, a security researcher who is also part of that team, collaborated on a week-long project that started with the idea of verifying the size of the Kracken botnet but ended with an ethical quandary.
Pierce created a fake Kracken command-and-control server by reverse-engineering the list of domain names found in a captured sample of the bot. He then registered some of the subdomains that Kraken looks for. The server essentially acted as a command-and-control honeypot that waited for connections from PCs infected with the bot.
"Stated simply, Kraken infected systems worldwide start to connect to a server we control," Amini said in a post to a company blog.
The two researchers monitored the incoming communications from Kracken bots for seven days, Pierce said. "We listened and collected statistics for a week and filtered out [for] the IP addresses and then the systems," he said on the telephone today. He was able to identify each infected machine by using the malware's encryption key, which was unique across the entire botnet.
The total count for the week: about 25,000 infected machines.
Others have estimated Kracken's size at between 185,000 and 600,000 compromised PCs. Joe Stewart, director of malware research at SecureWorks Inc., who uses the moniker "Bobax" rather than Kracken for the botnet, pegged it at the lower number earlier this month based on an in-depth traffic analysis and bot-fingerprinting project.
In other words, TippingPoint had identified between 4% and 14% of the total Kracken botnet.
But the company's research didn't stop there. Pierce wrote code that would let him redirect infected PCs, or better yet, use the bot's built-in update mechanism -- something most malware includes -- to remove Kraken.
There, however, things got sticky. "This is where we got into the ethical discussion," Pierce said. He and Amini wanted to use that capability to clean out Kracken-infected systems. Their boss, David Endler, the director of TippingPoint's DVLabs unit, disagreed.
"From our point of view, if someone doesn't do something about bots, they'll just continue on and on," Pierce said. "If you have the opportunity to do something, take it."
But Endler had the last word. In a comment attached to Amini's initial blog post, Endler put it plainly. "Cleansing the systems would probably help 99% of the infected user base," he said. "It's just the 1% of corner cases that scares me from a corporate liability standpoint."
"That's the other side," Pierce said. "It's not our property, and it's not up to us" to disinfect bot-infected machines. When asked who it was up to, he answered quickly: "I don't know. I wouldn't know the answer to that."
Corporate liability is the stumbling block, he acknowledged. "I think most people have the same opinion [as Amini and I do]," Pierce said. "You have to reduce the number of bots out there, whether that's infiltration or by the operating system or at the ISP. Something needs to be done.
"But corporate liability, everybody agrees on that," he noted. "Cleaning the bots would be opening up a pretty large can of worms."
Most of the TippingPoint blog readers who logged comments took Pierce's side. "Clean them. If you don't, a rival bot net owner will," said one anonymous user.
Others, however, agreed with Endler. "You not only face a moral dilemma, but updating a computer without authorization is illegal in the U.S.," said a user identified as Roan. "I fall on the side of proactive patching, but there is more than just the moral decision to decide upon before taking action."
In the U.S., the Computer Fraud and Abuse Act prohibits unauthorized access to others' PCs. In addition, state antispyware laws have been regularly used to prosecute people who have accessed machines without permission.
Pierce has posted a video (Flash file) of the fake Kracken server connecting with, then cleaning, a system infected with the bot in the lab.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts