International Telecommunication Union   ITU
 
 
Site Map Contact us Print Version
 Tuesday, January 15, 2008

A new-generation worm-botnet known as Nugache, according to Dave Dittrich, might be the most advanced worm/botnet yet. It has no C&C server to target, has bots capable of sending encrypted packets and has the possibility of any peer on the network suddenly becoming the de facto leader of the botnet. However, despite numerous worms, viruses, bots and Trojans over the years having one or two of the features that Storm, Nugache, Rbot and other such programs possess, none has approached the breadth and depth of their feature sets. Rbot, with more than 100 features that users can choose from when compiling the bot, enables two different bots compiled from an identical source have nearly identical feature sets, yet look completely different to an antivirus engine.

A disturbing concern, experts say, is that there are several malware groups out there right now that are writing custom Trojans, rootkits and attack toolkits to the specifications of their customers, who are in turn using the malware not to build worldwide botnets like Storm, but to attack small slices of a certain industry, such as financial services or health care. A popular example of this is Rizo, a variant of Rbot. Like Nugache and Storm, Rizo has been modified a number of times to meet the requirements of various different attack scenarios. "Within the course of a few weeks, different versions of Rizo were used to attack customers of several different banks in South America. Once installed on a user's PC, it monitors Internet activity and gathers login credentials for online banking sites, which it then sends back to the attacker. It's standard behavior for these kinds of Trojans, but the amount of specificity and customization involved in the code and the ways in which the author changed it over time are what have researchers worried."

To read the full article on Nugache, click here.
More security related news at Schneier on Security.