Botnet Worm Builds P2P Nets

May 2, 2006

By Michael Hall

A malicious bot spreading over AOL Instant Messenger (AIM) is relying on p2p technology and encryption to send instructions to infected hosts. Security researchers say the bot signals "a new generation" in botnet development.

Once Nugache infects a host, it makes modifications to the system registry and opens a backdoor on TCP port 8. The worm then contacts an IRC server and awaits commands, including performing a denial of service attack, accessing an ftp server and running as a Web server. The worm then sends infected instant messages or e-mail messages composed from a small dictionary of words such as "hey," "sup," "heh," and "lol."

Though much of its behavior is typical for botnet-spreading worms, Nugache relies on a peer-to-peer (p2p) variation for its command-and-control channel. Rather than communicating with a specific hard-coded host, Nugache connects to other infected peers in a p2p network.

"A peer-to-peer command & control channel makes it more difficult to block commands issued to the bot," wrote SANS researcher Scott Fendley. "The traffic over this channel also uses obfuscation in an attempt to bypass intrusion detection systems."

The author of the advisory on which Fendley based his report noted that, because the bot obfuscates its traffic, flow analysis and network monitoring tools such as tcpdump remain the best way to detect Nugache on a network.
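The detection approach described above (flow analysis rather than payload signatures) can be illustrated with a small triage script. This is an added example, not code from the article or from SANS: it parses constructed flow records in a made-up text format and applies the two indicators the article actually gives, a listener on TCP port 8 and peer-to-peer connections between hosts on that port. The record format, the IP addresses and the `triage` function are all assumptions for the example.

```python
"""Flow-based triage for the Nugache indicators described in the article.

Added example (not from the article or SANS). Works on constructed flow
records of the form:
    start src_ip src_port dst_ip dst_port proto bytes
Because the bot obfuscates its payload, nothing here inspects content;
the logic relies only on who talked to whom, on which port.
"""
from collections import defaultdict
from dataclasses import dataclass

BACKDOOR_PORT = 8  # TCP port the article says Nugache opens as a backdoor

# Constructed sample flows for the example (not real capture data).
SAMPLE_FLOWS = """
2006-05-01T10:00:01 10.0.0.5 49152 10.0.0.9 8 tcp 1200
2006-05-01T10:00:03 10.0.0.9 49201 10.0.0.5 8 tcp 900
2006-05-01T10:00:07 10.0.0.5 49153 192.0.2.44 8 tcp 2200
2006-05-01T10:00:09 10.0.0.7 51000 10.0.0.5 8 tcp 300
2006-05-01T10:01:00 10.0.0.7 51001 198.51.100.20 443 tcp 5000
2006-05-01T10:01:05 10.0.0.12 40000 198.51.100.20 80 tcp 7000
2006-05-01T10:01:08 10.0.0.12 40001 10.0.0.9 8 udp 100
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse the constructed record format; skip malformed or non-TCP lines."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[5].lower() != "tcp":
            continue
        try:
            flows.append(Flow(parts[1], int(parts[2]), parts[3],
                              int(parts[4]), "tcp", int(parts[6])))
        except ValueError:
            continue  # non-numeric port or byte count: ignore the record
    return flows


def triage(flows, port=BACKDOOR_PORT):
    """Apply the article's two flow-level indicators.

    listeners:  hosts that accepted a TCP connection on the backdoor port
    initiators: hosts that connected out to the backdoor port, with the
                set of distinct peers each one reached
    likely_infected: hosts that both listen on the port and reach out to
                other peers on it, i.e. behave like nodes in a p2p mesh
    """
    listeners = set()
    initiators = defaultdict(set)
    for f in flows:
        if f.dport == port:
            listeners.add(f.dst)
            initiators[f.src].add(f.dst)
    likely_infected = {h for h in listeners if h in initiators}
    return {
        "listeners": listeners,
        "initiators": dict(initiators),
        "likely_infected": likely_infected,
    }


if __name__ == "__main__":
    result = triage(parse_flows(SAMPLE_FLOWS))
    for host in sorted(result["likely_infected"]):
        peers = ", ".join(sorted(result["initiators"][host]))
        print(f"{host}: listens on tcp/{BACKDOOR_PORT} and peers with {peers}")
    for host in sorted(result["listeners"] - result["likely_infected"]):
        print(f"{host}: accepts tcp/{BACKDOOR_PORT} (no outbound peering seen)")
```

Hosts that only accept connections on the port (for example an external address whose outbound traffic is not visible from this vantage point) are reported separately, since a single inbound flow is a weaker signal than the two-way peering pattern. On real data the same logic would run over NetFlow or tcpdump-derived records in place of the constructed text.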

Though security companies are already responding to the worm with updates to their filters and software, Fendley noted that the approach Nugache's authors used is a sign of things to come:

"I [...] expect that this is a signal that the botnet writers are entering a new generation of development and capabilities. Those of us that are tasked with defending our various networks will need to find a new and better game plan to spot and counter these encrypted/p2p based botnets," he wrote.

Source: http://www.instantmessagingplanet.com/security/article.php/3603326
