By Senthil Venkatachalam, Product Manager, and Tom Le, Director of Research and Development, BT Managed Security Solutions Group
Botnets, in general, are very dangerous and difficult to extinguish. Within the past several weeks, we’ve learned the Kraken botnet has returned from the dead and is gaining strength yet again.
According to a recent Dark Reading article, the botnet, despite being dismantled last year, has recently compromised more than 318,000 systems. That is nearly half the number reported at Kraken’s peak!
How does Kraken work?
Kraken came to the fore in 2008, after infecting hundreds of thousands of computers and causing them to send enormous numbers of spam emails. While the authors of Kraken were arrested in 2009 and the network was disabled, the new Son-of-Kraken seems to be a variant that reuses Kraken’s malicious code. This code is propagated by a botnet framework, the so-called butterfly framework, which is known for how efficiently it spreads such malware. Some of you might remember another large and well-known botnet, the Mariposa botnet, which also used the butterfly framework.
Detecting the “classic” Kraken
Botnets are difficult to prevent, and, once a network is infected, are even more difficult to detect. Kraken is nearly impossible to detect with anti-virus tools alone: AV and anti-malware defenses are often disabled by the bot during the initial infection. IT professionals therefore need network-level detection as well. Suspicious activities that can be used to detect a botnet include:
- DNS lookups to certain domains
- Traffic on unusual (typically high) port numbers
- Connections (or attempts) to IPs in a known range
- Network protocol violations in datagrams or sessions traversing the firewall (e.g., encrypted traffic over port 80, or non-SSL traffic over port 443)
- Excessive outgoing emails or other activity not usually associated with business traffic
But assuming you don’t have a botnet infection because there are no visible symptoms is a mistake. Because bots seek to avoid detection, you need to check firewall and IPS logs continually to unearth an infection.
Preparation is key
George Hulme said in a recent InformationWeek article, “One thing is certain: current methods of bot detection and remediation are not getting the job done.”
It’s essential that companies ensure they have maximum and continuous early-warning security measures in place to protect the integrity of their assets and mitigate risks. For BT Managed Security Solutions Group (MSSG) customers, the good news is that a botnet detection module is a standard Managed Secure Monitoring service available to all customers.
BT MSSG has had significant success in using its customers’ firewalls to detect botnets through log analysis and event correlation. The reasoning, based on a fundamental understanding of botnet behavior, is simple: every bot needs to call home at some point in order to be activated, so its outbound messages traversing the firewall create detectable patterns that indicate botnet activity before it has the opportunity to take over your network.
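As an added illustration, not code from this article or from BT MSSG, the following Python script runs the indicators listed above plus the call-home pattern just described over a handful of constructed firewall log lines. The key=value log format, the watchlisted address range, the expected-port set and the thresholds are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample firewall log lines (epoch seconds, RFC 5737 test addresses); illustrative only.
LOGS = [
    "t=1000 src=10.0.0.5 dst=203.0.113.9 dport=6667 app=irc",
    "t=1060 src=10.0.0.5 dst=203.0.113.9 dport=6667 app=irc",
    "t=1120 src=10.0.0.5 dst=203.0.113.9 dport=6667 app=irc",
    "t=1180 src=10.0.0.5 dst=203.0.113.9 dport=6667 app=irc",
    "t=1005 src=10.0.0.7 dst=198.51.100.20 dport=443 app=http",
    "t=1300 src=10.0.0.11 dst=198.51.100.21 dport=443 app=ssl",
] + [f"t={1010 + i} src=10.0.0.9 dst=192.0.2.{30 + i} dport=25 app=smtp" for i in range(6)]

# Placeholder watchlist (assumed C&C range); a real deployment loads this from threat intel.
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_PORTS = {25, 53, 80, 443}   # ports that normal business traffic is expected to use
MAIL_THRESHOLD, MIN_BEACON_HITS = 5, 4   # SMTP sessions per host; hits before judging periodicity

def parse(line):
    """Turn 'k=v k=v ...' into a dict; t and dport become ints."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["t"], rec["dport"] = int(rec["t"]), int(rec["dport"])
    return rec

def analyze(lines):
    """Return {src_host: sorted findings} for the indicators listed in the article."""
    findings, mail = defaultdict(set), defaultdict(int)
    sessions = defaultdict(list)   # (src, dst) -> timestamps, for call-home beacon detection
    for rec in map(parse, lines):
        src, dst, port, app = rec["src"], rec["dst"], rec["dport"], rec["app"]
        if any(ipaddress.ip_address(dst) in net for net in WATCHLIST):
            findings[src].add(f"connection to watchlisted range {dst}")
        if port not in EXPECTED_PORTS:
            findings[src].add(f"unusual destination port {port}")
        if (port == 443 and app != "ssl") or (port == 80 and app == "ssl"):
            findings[src].add(f"protocol violation: {app} on port {port}")
        if port == 25:
            mail[src] += 1
        sessions[(src, dst)].append(rec["t"])
    for src, n in mail.items():
        if n >= MAIL_THRESHOLD:
            findings[src].add(f"excessive outbound mail ({n} SMTP sessions)")
    for (src, dst), ts in sessions.items():
        if len(ts) >= MIN_BEACON_HITS:
            gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
            # a near-constant interval between sessions is the signature of a call-home beacon
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.2:
                findings[src].add(f"periodic beaconing to {dst} every ~{mean(gaps):.0f}s")
    return {src: sorted(f) for src, f in findings.items()}
```

Running `analyze(LOGS)` flags the beaconing host on three indicators at once, which is the kind of correlated signal worth escalating over any single noisy hit.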
One question remains — is your company prepared for the Son-of-Kraken?