Researchers infiltrate Kraken botnet, could clean it out

But they won't disinfect remotely, citing 'pretty big can of worms' as reason

A group of security researchers Wednesday said they have infiltrated one of the world's biggest botnets and can snatch control of compromised machines from the hackers.

But while 3Com's TippingPoint researchers say they have the ability to disinfect the systems by eradicating the malware installed on the hijacked PCs, the company has decided against the move, citing liability issues.

Pedram Amini, who leads TippingPoint's security research group, and Cody Pierce, a security researcher who is also part of that team, collaborated on a weeklong project that started with the idea of verifying the size of the "Kraken" botnet but ended with an ethical quandary.

Pierce created a fake Kraken command-and-control server by reverse engineering the list of domain names found in a captured sample of the bot, and then registered some of the sub-domains Kraken looks for. The server essentially acted as a command-and-control honeypot that waited for connections from PCs infected with the bot.

"Stated simply, Kraken infected systems worldwide start to connect to a server we control," Amini said in a post to a company blog.

The two researchers monitored the incoming communications from Kraken bots for seven days, Pierce said. "We listened and collected statistics for a week, and filtered out [for] the IP addresses and then the systems," he said on the telephone Wednesday." He was able to identify each infected machine by using the malware's encryption key, which was unique across the entire botnet.

The total count for the week: about 25,000 infected machines.

Others have estimated Kraken's size at between 185,000 and 600,000 compromised PCs. SecureWorks' Joe Stewart, who uses the moniker "Bobax" rather than Kraken for the botnet, pegged it at the lower number earlier this month based on an in-depth traffic analysis and bot-fingerprinting project.

In other words, TippingPoint had identified between 4 per cent and 14 per cent of the total Kraken botnet.

But the company's research didn't stop there. Pierce wrote code that would let him redirect infected PCs, or better yet, use the bot's built-in update mechanism -- something most malware includes -- to remove Kraken.

There, however, things got sticky. "This is where we got into the ethical discussion," Pierce said. He and Amini wanted to use that capability to clean out Kraken-infected systems. Their boss, David Endler, the director of TippingPoint's DVLabs, disagreed.

"From our point of view, if someone doesn't do something about bots, they'll just continue on and on," Pierce said. "If you have the opportunity to do something, take it."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?