The worm, dubbed Nugache and also classified as bot software, attempts to infect systems through e-mail, America Online's instant messaging network, and network shares on vulnerable computers. Once it compromises a computer, the program uses a seed list of 22 different Internet addresses to establish connections to other victims' computers in a peer-to-peer network. The program appears to encrypt--or at least obfuscate--the data it sends to other servers, possibly making it harder for intrusion detection systems (IDSs) to detect the program, according to an analysis posted to a security mailing list by university network administrator Brian Eckman. "The 'bot'--for lack of a better term--does not use DNS (the domain name system) to find any (command and control network); it also does not use any human readable string in its communication," Eckman, a security analyst at the University of Minnesota, wrote in his analysis. "Therefore, many IDS measures will not help you detect infected hosts on your network."
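Because the bot reaches its peers by address and never resolves a name, one behavioral check that does not depend on payload strings is to look for internal hosts that contact several external addresses with no preceding DNS answer. The following is an added example, not code from Eckman's analysis or the original article; the log layouts, the internal range, the threshold and all addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed sample data using documentation address ranges, not real traffic.
# DNS answers logged at the resolver: (time, client, answered_ip)
DNS_ANSWERS = [
    (100, "10.0.0.5", "198.51.100.10"),
    (105, "10.0.0.7", "198.51.100.10"),
]
# Outbound flow records: (time, src, dst)
FLOWS = [
    (101, "10.0.0.5", "198.51.100.10"),  # looked up first: ordinary
    (110, "10.0.0.7", "198.51.100.10"),  # looked up first: ordinary
    (120, "10.0.0.7", "203.0.113.4"),    # no lookup before connecting
    (121, "10.0.0.7", "203.0.113.9"),    # no lookup before connecting
    (122, "10.0.0.7", "192.0.2.33"),     # no lookup before connecting
    (130, "10.0.0.5", "192.0.2.80"),     # a single DNS-less destination
    (131, "10.0.0.5", "10.0.0.9"),       # internal destination: ignored
]

def dnsless_peers(dns_answers, flows):
    """Map each internal host to the external IPs it contacted
    without an earlier DNS answer naming that IP for that host."""
    resolved = defaultdict(dict)  # client -> {ip: earliest answer time}
    for t, client, ip in dns_answers:
        resolved[client][ip] = min(t, resolved[client].get(ip, t))
    peers = defaultdict(set)
    for t, src, dst in flows:
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue  # only internal -> external flows are of interest
        first_answer = resolved[src].get(dst)
        # An answer that arrives after the flow did not cause the flow.
        if first_answer is None or first_answer > t:
            peers[src].add(dst)
    return dict(peers)

def flag_hosts(dns_answers, flows, min_peers=3):
    """Hosts with at least min_peers distinct DNS-less external peers.
    min_peers is an assumed triage threshold, to be tuned per network."""
    found = dnsless_peers(dns_answers, flows)
    return sorted(h for h, ips in found.items() if len(ips) >= min_peers)

if __name__ == "__main__":
    print(flag_hosts(DNS_ANSWERS, FLOWS))
```

Legitimate software that uses hard-coded addresses will also appear in the output, so the result is a triage list to investigate rather than a verdict.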

The techniques represent the latest improvements for bots--the tools of choice for many online criminals aiming to turn compromised computers into cash. Typically, the programs allow a bot master to control a large network of infected systems--or bot net--by sending commands through an Internet relay chat (IRC) system, the still-extant precursor to the major IM networks. This latest variant of bot software shows that--threatened by investigators' ability to tap into command-and-control networks built on top of Internet relay chat--bot masters are looking to peer-to-peer communications, encryption and other technologies to hide their tracks.

The link for this article located at SecurityFocus.com is no longer available.