Got Kraken?

Published: 2008-04-07
Last Updated: 2008-04-07 18:44:39 UTC
by John Bambenek (Version: 1)

Out of the RSA Conference comes news of a new botnet in town called Kraken, over twice the size of the Storm Worm. Researchers from Damballa have discovered and tracked it over the last two weeks and, I'm guessing from news reports, have presented their findings at RSA. If you have details of this worm, detection mechanisms, malware samples, etc., please send us some.

John Bambenek / bambenek {at} gmail [dot] com

P.S. Humorous note... every time I hear the word Kraken, I think of Ask A Ninja's review of Pirates of the Caribbean. I think it's funny at least. No, you can't have that 5 minutes back.

Keywords: botnet kraken malware
1 comment(s)


I reviewed my SIEM looking for instances of traffic to / from port 447 which I referenced in one of your diary entries. I did find a lot of entries dating back from today to 3/06/08 with consistent attempts to connect to [IP removed], which is an unresolvable host in the Georgia Institute of Technology IP space. Interestingly enough I found this little tidbit on Damballa's website:
"Born out of the College of Computing at the Georgia Institute of Technology, Damballa is looking to take on this problem." While there are some other IP addresses that have been contacted, this address is the most consistent and it makes me wonder what's going on at GIT or should I say Damballa Institute of Technology. Is this some clever scheme to dig up customers or are we being snake bit and not really knowing it?
