Nugache worm kicking up a Storm

Although the infamous Storm worm enters 2008 with a reputation as the world’s most dangerous botnet, security experts say there’s an up-and-comer called Nugache that could give it a run for its money.

Nugache was first sighted about two years ago as a worm designed to work with chat protocols, says Paul Henry, vice president of technology evangelism at Secure Computing. As such, it did not propagate virulently. But last month, hackers believed to be tied to the notorious Russian Business Network online criminal mob gave Nugache  a facelift, copying many of the successful attributes of Storm, such as encryption, a rootkit and the ability to spread as Web-borne malware.

“It’s following the Storm worm,” Henry says. “Nugache now includes the ability to encrypt itself and every version that rolls out is generated a bit differently to obfuscate detection.”

Nugache is now also peer-to-peer controlled to put it under a more decentralized command-and-control structure that makes it difficult to take down the botnet it can construct once it infects desktop machines.

Botnets can be used to send spam messages through compromised machines, among other criminal purposes. The rise of the Nugache botnet appears to already be giving the Storm botnet more competition.

“It’s creating a bargain basement for spam,” Henry says. Prices as low as 1 million spam messages for $100 are being advertised online mainly because of the rise of Nugache, he says.

Business and consumers should be aware that Nugache could attempt to compromise their desktop machines in various ways, particularly through Web-based drive-by downloads. One way it has been seen spreading is through URLs embedded by attackers in blogs.

“It’s not the owner of the blogs doing this,” Henry says. “There’s a program called Xrunner from the black-hat crowd that automates the insertion of URLS for Web-based malware sites for drive-by hacking.” Often, the old “fake video-codec” scam accompanies this ruse by trying to trick users who want to view video segments into downloading the Nugache malware.
Bigtime hacker groups such as the Russian Business network have grown adept into manipulating the Google ratings system to raise their profile in the search-engine display, Henry says.

“They will create the blog entry, then embed hundreds of key words and embed pointers to other blog entries, such as the second blog entry pointing back to the first entry,” Henry says. “Google rates you on how many other people point to your URL. So they’re getting down the science of artificially inflating their position in the search engine. They want these blog postings to show up on the top.”

Henry says Google is aware of the problem and “is doing a fairly good job of policing this.”

Because the refurbished Nugache evades signature-based detection, according to Secure Computing, defenses for this up-and-coming botnet worm need to focus more on a malware blocking and eradication scheme targeting its malicious scripting capabilities.