Original URL: http://www.theregister.co.uk/2006/05/02/nugache_worm/
Hackers control bot client over P2P
Security watchers are warning of a new worm that's propagating over instant messenger networks run by both AOL and MSN. Nugache-A is also spreading (albeit modestly) as an infected email that uses a variety of well-known Windows exploits to infect vulnerable Windows PCs.
If successful, the worm opens a back door that leaves compromised PCs as zombies under the control of hackers. The command and control channel technique used by the worm is unusual. Instead of a static list, the worm connects to infected peers, web security firm Websense reports. The SANS Institute's Internet Storm Centre (ISC) adds that the bots talk to each other via port 8/TCP over an encrypted P2P channel.
"A peer-to-peer command and control channel makes it more difficult to block commands issued to the bot. The traffic over this channel also uses obfuscation in an attempt to bypass intrusion detection systems," Websense reports. Additional information on the worm, and how to guard against attack, can be found in ISC's advisory here. ®