Oderoor / Kraken / Bobax
Written by Matt Jonkman   
Monday, 07 April 2008
Whatever this turns out to be, we have some test sigs for it. The references below point to a Damballa release about a new 400k-node botnet; it appears to be an existing, well-known botnet that is nowhere near that large.

Signature IDs 2008103 through 2008110 are out for it; these are initial, draft-quality sigs.

The bot mostly communicates over UDP port 447, but once in a while it also seems to do a large transfer on TCP 447. This port is reserved for ddm-dfm (Distributed File Management), which as far as we can tell is very rarely used. The signatures above rely on the assumption that even where ddm-dfm is in use, it is unlikely to be used across public networks. Please let us know if this isn't true. If you do use this protocol locally, please consider a pass or suppression rule until we have better sigs.
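As an added illustration (not one of the Emerging Threats signatures above), the following Python applies the same assumption to flow records: alert on any UDP or TCP 447 flow, flag large TCP transfers separately, and suppress flows where both ends are RFC 1918 addresses, which is what a local pass rule would do. The flow format, the RFC 1918 definition of "internal" and the 1 MB threshold are assumptions.

```python
import ipaddress

# Constructed sample flow records (not captured traffic): src dst proto dport bytes
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.9 udp 447 312
10.0.0.5 203.0.113.9 udp 447 288
10.0.0.7 198.51.100.20 tcp 447 1843200
10.0.0.5 10.0.0.8 udp 447 512
192.168.1.4 192.168.1.10 tcp 447 900000
10.0.0.9 203.0.113.9 tcp 80 4096
"""

BOT_PORT = 447
LARGE_TCP_BYTES = 1_000_000  # assumed threshold for a "large" TCP 447 transfer
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC 1918 addresses count as internal (assumed site policy)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src, dst, proto, dport, nbytes, suppress_internal=True):
    """Return an alert reason for one flow, or None if benign or suppressed."""
    if dport != BOT_PORT:
        return None
    # Both ends internal = local ddm-dfm use; the pass/suppression rule case.
    if suppress_internal and is_internal(src) and is_internal(dst):
        return None
    if proto == "udp":
        return "udp-447"  # the bot's usual channel
    if proto == "tcp":
        return "tcp-447-large" if nbytes >= LARGE_TCP_BYTES else "tcp-447"


def scan(text, suppress_internal=True):
    """Run classify() over whitespace-separated flow lines; return alerts."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split()
        reason = classify(src, dst, proto, int(dport), int(nbytes),
                          suppress_internal)
        if reason:
            alerts.append((lineno, src, dst, reason))
    return alerts
```

Run `scan(SAMPLE_FLOWS)` to see only the three external flows flagged; pass `suppress_internal=False` to see how the two internal-only flows would also fire without a suppression rule.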

References:

http://www.incidents.org/diary.html?storyid=4256

http://isc.sans.org/diary.html?storyid=4250

http://www.darkreading.com/document.asp?doc_id=144919 (may be FUD)

http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/ (also may be FUD)

Wiki at http://doc.emergingthreats.net/bin/view/Main/OdeRoor

Please report any false positives at all!