Thursday, February 07, 2008

MayDay Botnet

MayDay botnet is the newest peer-to-peer botnet causing havoc for thousands of U.S.-based large enterprises, educational institutions, and customers of major ISPs. MayDay is the potential successor to the Storm trojan, a botnet that infected hundreds of thousands of computers late last year.

DarkReading reports that MayDay uses a combination of techniques to communicate with its bots, including hijacking browser proxy settings, and that it can communicate through an enterprise's secure Web proxy to conduct updates and attack activities.

Tripp Cox, vice president of engineering for Damballa, is quoted in the recent DarkReading article "MayDay! Sneakier, More Powerful Botnet on the Loose". He states that "The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP). This malware is for multiple protocols and is specifically designed to be successful despite whatever security controls might be in place."
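As an added example, not from the article or from Damballa, here is a defender-side heuristic for spotting ICMP being used as a bot communication channel rather than for diagnostic pings. The echo-request summaries, the "normal" payload sizes and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed ICMP packet summaries for this example (not real capture data):
# (src_ip, dst_ip, icmp_type, payload_len). Echo request = 8, echo reply = 0.
SAMPLE_ICMP = [
    ("10.0.0.5", "10.0.0.1", 8, 56),          # ordinary ping from a workstation
    ("10.0.0.1", "10.0.0.5", 0, 56),
    ("10.0.0.5", "10.0.0.1", 8, 56),
    ("10.0.0.7", "198.51.100.10", 8, 312),    # odd-sized payloads to many peers
    ("10.0.0.7", "198.51.100.11", 8, 297),
    ("10.0.0.7", "198.51.100.12", 8, 305),
    ("10.0.0.7", "198.51.100.13", 8, 288),
    ("10.0.0.7", "198.51.100.14", 8, 301),
    ("10.0.0.7", "198.51.100.15", 8, 290),
]

# Payload sizes produced by common ping tools (assumed baseline for this example)
NORMAL_PING_SIZES = {32, 56, 64}

def flag_icmp_c2_candidates(records, min_peers=5, max_normal_ratio=0.5):
    """Return {src_ip: [reasons]} for hosts whose outbound ICMP echo traffic
    looks like a covert peer-to-peer channel rather than diagnostic pings."""
    peers = defaultdict(set)
    sizes = defaultdict(list)
    for src, dst, icmp_type, payload_len in records:
        if icmp_type != 8:          # only outbound echo requests are scored
            continue
        peers[src].add(dst)
        sizes[src].append(payload_len)

    findings = {}
    for src in peers:
        reasons = []
        # A P2P node talks to many peers; a ping user talks to one or two hosts
        if len(peers[src]) >= min_peers:
            reasons.append(f"echo requests to {len(peers[src])} distinct peers")
        # Ping tools use fixed payload sizes; a data channel does not
        normal = sum(1 for s in sizes[src] if s in NORMAL_PING_SIZES)
        if normal / len(sizes[src]) < max_normal_ratio:
            reasons.append("payload sizes do not match standard ping tools")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for host, why in flag_icmp_c2_candidates(SAMPLE_ICMP).items():
        print(host, "->", "; ".join(why))
```

Both signals are heuristics and should be tuned against a baseline of the network's own ICMP usage before they are used to raise alerts.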

So far anti-virus companies have not found a way to detect MayDay's malware. It is unknown whether this is because of the advanced techniques used in the malware's construction or because AV companies simply cannot identify these particular pieces of malware.

The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware. Damballa is still studying the botnet's delivery mechanisms for the malware, Cox says.
