Security experts doubt bot code's advanced programming

Two NZ security experts dissect the most sophisticated botnets

Owen 'Akill' Walker's bot code is considered among the most advanced bot programming encountered by international cybercrime investigators, according to the police summary of facts.

The code had some special features, such as protection from discovery, the ability to spread automatically and the ability to identify and destroy rival bot code.

But two local security experts are not convinced of the superiority of this particular botnet or of its creator.

University of Auckland cyber security guru Peter Gutmann says that based on the information he has found, Walker used an existing bot, Akbot, and added some of his own code to it. Gutmann adds, however, that it has been difficult to find accurate information about Akill and the activities he was involved in.

Akbot is a quite primitive bot that was state-of-the-art about five years ago, says Gutmann. It is controlled via IRC (internet relay chat) systems, which was also common a few years back.

There are sophisticated bot-herders out there who are very difficult to track down, says Christian Seifert, a computer security PhD student at Wellington's Victoria University. These botnets are not controlled via the traditional IRC channel, in which bots listen to one central IRC channel to be controlled, says Seifert, who also runs the local chapter of the Honeynet Project, a nonprofit security research organization.

Instead, these well-hidden botnets have peer-to-peer-like structures in which the bots use encryption and trusted relationships to communicate, he says.
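The centralized IRC design Seifert contrasts with peer-to-peer botnets leaves a footprint a defender can look for: many internal hosts connecting to the same external endpoint on an IRC port at clockwork intervals. The following is an added example, not code from the article or from either expert; the flow-record format (`epoch_seconds src_ip dst_ip dst_port`), the sample records, the IRC port list and the thresholds are all constructed assumptions for illustration.

```python
"""Flag centralized IRC-style command-and-control beaconing in flow records.

Added example (not from the article). A bot that reports to one central IRC
server shows up as several internal hosts contacting the same destination on
an IRC port, each at regular intervals. The record format below is a
constructed, NetFlow-like minimum: epoch_seconds src_ip dst_ip dst_port
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not real traffic): three hosts beaconing to one
# IRC server every 60 seconds, plus ordinary HTTPS and a lone IRC connection.
SAMPLE_FLOWS = """\
1000 10.0.0.11 203.0.113.5 6667
1060 10.0.0.11 203.0.113.5 6667
1120 10.0.0.11 203.0.113.5 6667
1180 10.0.0.11 203.0.113.5 6667
1005 10.0.0.12 203.0.113.5 6667
1065 10.0.0.12 203.0.113.5 6667
1125 10.0.0.12 203.0.113.5 6667
1185 10.0.0.12 203.0.113.5 6667
1010 10.0.0.13 203.0.113.5 6667
1070 10.0.0.13 203.0.113.5 6667
1130 10.0.0.13 203.0.113.5 6667
1190 10.0.0.13 203.0.113.5 6667
1003 10.0.0.20 198.51.100.7 443
1400 10.0.0.20 198.51.100.7 443
1402 10.0.0.21 198.51.100.9 443
1100 10.0.0.22 192.0.2.44 6667
"""

# Assumed set of ports commonly associated with IRC; tune for your environment.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}


def parse_flows(text):
    """Parse records into (ts, src, dst, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, dport = int(parts[0]), int(parts[3])
        except ValueError:
            continue
        flows.append((ts, parts[1], parts[2], dport))
    return flows


def beacon_regularity(timestamps):
    """Coefficient of variation of the gaps between connections.

    A value near 0 means evenly spaced (clockwork) beaconing. Returns None when
    fewer than three connections exist, since there are not two gaps to compare.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_centralized_c2(flows, min_hosts=3, max_cv=0.2):
    """Return (dst, dport, host_count) for endpoints that look like a central
    IRC controller: an IRC port, at least min_hosts distinct internal sources,
    and at least one source whose connection gaps vary by no more than max_cv."""
    by_endpoint = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, dport in flows:
        by_endpoint[(dst, dport)][src].append(ts)
    hits = []
    for (dst, dport), sources in by_endpoint.items():
        if dport not in IRC_PORTS or len(sources) < min_hosts:
            continue
        regular = [beacon_regularity(t) for t in sources.values()]
        if any(cv is not None and cv <= max_cv for cv in regular):
            hits.append((dst, dport, len(sources)))
    return sorted(hits)


if __name__ == "__main__":
    for dst, dport, n in find_centralized_c2(parse_flows(SAMPLE_FLOWS)):
        print(f"possible central C2: {dst}:{dport} contacted by {n} internal hosts")
```

On the sample data only `203.0.113.5:6667` is flagged; the single host on `192.0.2.44:6667` and the HTTPS traffic are not. The check works precisely because the design is centralized, which is Seifert's point: a peer-to-peer botnet using encryption and trusted relationships between bots has no single hub for this fan-in pattern to expose, so it needs different detection approaches.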

"These are much more difficult to track down and analyze, and the bot-herder is not likely to be identified," he says.

Gutmann says he has not seen it mentioned anywhere in statements about Akbot that it can remove other bots, but even if it is capable of doing this, this feature is not very rare. He says one example of a quite remarkable way of finding and destroying other malware was a few years back when the SpamThru bot used a pirated copy of Kaspersky's anti-virus software to get rid of rival malware.

The tactic of destroying rival malicious code is so common that malware authors occasionally go to war over it, says Gutmann. In mid-2007 the authors of Storm and Mpack briefly turned their malware on each other in retaliation for the other side removing the malware from their machines, he adds.

Seifert is not impressed either. That bot code is encrypted and difficult to detect by anti-virus software is rather the norm today, he says.

A recent study conducted by Victoria University and the University of Washington revealed that anti-virus detection accuracy was 69 percent on a sample of malware pushed by drive-by-downloads.

"Every time malware writers compile their malware it looks different to the anti-virus engines and it often goes undetected," says Seifert.

A large number of different botnets exist today, for example, Kraken, Srizbi and Nugache, he says.

"The fact that 'Akill' was one of the few caught makes me believe [that] he was not very careful about his operation," he says.

The distributed denial-of-service attack that hit a server at the University of Pennsylvania, an attack which Walker has pleaded guilty to, also shows that he wasn't very careful, says Seifert.

DDoS attacks and massive worm outbreaks were common a few years ago, he says. Today, cybercrime operations have gone underground.

"Malware sits hidden on thousands of machines and silently collects information that can be used for financial gain," he says.
