Kraken Botnet - Should a Good Worm be used to clean infected PCs?
Posted Wed, Apr 30 2008 21:44 by Harry Waldron

The e-Week cartoon above is excellent in illustrating the dangers of using a "good worm" to clean up perhaps the top botnet infection in the world. While DV Labs might be able to accomplish this, there are always dangers that the bad guys might be able to manipulate this worm, plus if something were to go wrong with individual PCs being cleaned, there might be unintended consequences, even for a good deed.
A better idea is for DV Labs to work with MSRC and share the Kraken encryption techniques so that it may be included in a future version of MSRT ... And as previously shared, there is no such thing as a good worm.
http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration
QUOTE: We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self spreading uncontrollable entity. In our specific case however we have the ability to cease at any point. It is simply a one to one relationship.
AVERT Labs notes that Kraken continues to improve its ability to hide and evade AV detection:
http://www.avertlabs.com/research/blog/index.php/2008/04/29/mailbotf-aka-kraken-gets-stealthier-update/