MayDay! Sneakier, More Powerful Botnet on the Loose
Peer-to-peer MayDay botnet is stealthier and more powerful than Storm, researchers say
February 4, 2008
A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs.
The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted of this potential successor to Storm late last year. (See The World's Biggest Botnets .)
MayDay uses a combination of techniques to communicate with its bots, including hijacking browser proxy settings, says Tripp Cox, vice president of engineering for Damballa. He says, "It can communicate through an enterprise's secure Web proxy and conduct updates and attack activities" -- a unique method for a botnet.
The Web proxy approach also demonstrates that this is no random bot infection: "Designing bot malware to specifically use Web proxies is a clear indicator that it's targeting [specific] enterprise systems," Cox says.
The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP). "This malware is for multiple protocols and is specifically designed to be successful despite whatever security controls might be" in place, Cox says.
Cox says Damballa is not sure why AV engines aren't detecting MayDay's malware. "Is it because of the advanced techniques it's using in how the malware is constructed? Or have AV companies not been able to identify these pieces of malware?"
The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware. Damballa is still studying the botnet's delivery mechanisms for the malware, Cox says.
As for Storm, researchers are now looking at whether another spam-spewing botnet, called Mega-D, is somehow related to Storm. Researchers from U.K.-based security vendor Marshal over the weekend blogged about Mega-D overshadowing Storm in spam delivery, with 32 percent of all spam they caught in their filters versus only 2 percent from Storm, which they say previously had accounted for 20 percent of the spam. Mega-D mostly spams male sexual enhancement drugs, according to Marshal.
"There's a chance the Storm folks have taken their lessons learned and made a new subset of it... we've observed that the traffic on Storm has gone way down," says Glen Myers, a sales engineer for Marshal, who noted that a connection between Mega-D and Storm is just speculation for now.
Damballa says Storm and Mega-D are unrelated. "Our research indicates that it's distinct from Storm," Cox says. "Each compromised host can send thousands of [spam] email addresses with random subject lines. It's clearly capable of sending out huge amounts of spam."
Size doesn't always matter with botnets. MayDay is not nearly as large as Storm, but Damballa says it could potentially do more damage due to its more sophisticated and targeted approach. "MayDay is unique because it has the ability to communicate from within the inside of the enterprise," Cox says. "It's powerful in the damage it could do when orchestrated for a common purpose. It could potentially be more powerful because of the types of networks it's successfully compromised."
So far, MayDay is mostly ordering its bots to send spam runs, he says. It also sends accounting information back to the command and control servers on the success of the spam runs, so it appears relatively businesslike.
Meanwhile, Damballa is working on reverse-engineering the ICMP communications, which are encrypted, Cox says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like