Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Got Kraken? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Got Kraken?

Out of the RSA Conference, there is news that there is a new botnet in town, over twice the size of the Storm Worm in town called Kraken. Researchers from Damballa have discovered and tracked it the last two weeks and I'm guessing from news reports have presented their findings at RSA. If you have details of this worm, detection mechanisms, malware samples, etc, please send us some.

--
John Bambenek / bambenek {at} gmail [dot] com

P.S. Humorous note... everytime I hear the word Kraken, I think of Ask A Ninja's review of Pirates of the Carribean. I think it's funny at least. No, you can't have that 5 minutes back.

John

248 Posts
ISC Handler
I reviewed my SIEM looking for instances of traffic to / from port 447 which I referenced in one of your diary entries. I did find a lot of entries dating back from today to 3/06/08 with consistent attempts to connect to [IP removed], which is an unresolvable host in the Georgia Institue of Technology IP space. Interestingly enough I found this little tidbit on Damballa's website:
"Born out of the College of Computing at the Georgia Institute ofTechnology, Damballa is looking to take on this problem." While there are some other IP addresses that have been contacted, this address is the most consistent and it makes me wonder what's going on at GIT or should I say Damballa Institute of Technology. Is this some clever scheme to dig up customers or are we being snake bit and not really knowing it?
Anonymous

Sign Up for Free or Log In to start participating in the conversation!