Hi,

Security researchers say this change, which has been occurring gradually in
the last couple of years, has made life much more difficult for them. While
it's a simpler task to find a C&C server when it's one of a hundred or so,
taking the server offline is much less effective than it used to be.
Researchers in recent months have identified and cleaned hundreds of domains
being used by the Gumblar botnet, but that's had little effect on the
botnet's overall operation.

Recent research has shown that the botnet still has thousands of compromised
servers in its network. And Gumblar has the advantage of having both client
machines and servers at its command, giving it tremendous flexibility and
firepower. In a presentation at the Kaspersky Lab Security Analyst Summit
here, Vitaly Kamluk, a security researcher in Kaspersky's Tokyo office, who
has been following Gumblar since its appearance, discussed the intricacies
of the botnet, its infection mechanism and resistance to analysis.

Gumblar relies heavily on encryption and obfuscation, and researchers have
found it difficult to track down the group behind the botnet. What they've
found, though, are indications that the team behind Gumblar is not only
monitoring the activities of researchers who are keeping tabs on the botnet,
but also changing its tactics over time to stay a step ahead of the game.

As researchers have continued to identify infected Gumblar servers and help
remove them, attackers have stepped up their assaults, reinfecting the same
machines multiple times and finding thousands of new servers vulnerable to
attack. The Gumblar creators, as well as the operators of other recent
botnets, take pains to encrypt portions of their malware and heavily
obfuscate the code used to infect Web sites, but they're not that worried
about one of their infected servers or clients being discovered.

They'll simply launch another mass infection campaign the next day. In fact,
many servers that are identified and disinfected are compromised again
within a day or two, researchers say. More infected servers means a more
distributed infrastructure and less chance of a full takedown or disruption
of the botnet.

-- 
You received this message because you are subscribed to the Google Groups 
"nforceit" group.
To post to this group, send an email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/nforceit?hl=en-GB.