Nugache P2P Bot

Just as email worms are at their lowest ebb for years, a new threat looms on the horizon – the P2P (peer-to-peer) bot. These insidious creatures worm their way through instant messaging systems (naming no names, but anyone using MSN and AOL products might just be at risk).

Rather than doing the usual email address look-up that is common to most mail worms, this form of malware, of which Nugache is the current threat being popularised by the media, bypasses address books and even circumvents DNS lookup (the service that converts host names into numeric IP addresses) and instead scans for other infected machines with which to hook up and create a P2P network. These are not to be confused with the networks that P2P file-sharing software uses. Once established, encrypted packets of information can be transferred across the bot network all but invisible to the usual detection systems.

It looks like most of the antivirus companies have responded with appropriate updates (is it the companies themselves that write these darned things, by the way?) and I’d recommend you do an update immediately, even if it’s not convenient, to ensure you’re safe from Nugache at the least.

For those with an interest in the ins and outs of this particular worm, it opens a back door on TCP port 8 and installs a bot that waits for commands from the attacker. The command and control channel it uses is unique, and it is difficult to block commands issued to the bot. Anyone looking for the perpetrator would simply see the various peers in the bot network, which makes tracking them down almost impossible.
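As an added illustration for defenders (not code from the original post), here is a small Python check over constructed firewall log lines that flags hosts accepting TCP connections on port 8, the port the post says Nugache opens, and hosts fanning out to several peers on that port, the pattern a P2P bot produces; the log format and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from any real capture).
SAMPLE_LOG = """\
2006-05-01T10:00:01 ACCEPT TCP 10.0.0.5:51234 -> 10.0.0.9:8
2006-05-01T10:00:02 ACCEPT TCP 10.0.0.7:51300 -> 10.0.0.9:8
2006-05-01T10:00:03 ACCEPT TCP 10.0.0.5:51235 -> 192.0.2.10:443
2006-05-01T10:00:04 ACCEPT TCP 10.0.0.9:40001 -> 198.51.100.3:8
2006-05-01T10:00:05 ACCEPT TCP 10.0.0.9:40002 -> 198.51.100.4:8
2006-05-01T10:00:06 ACCEPT TCP 10.0.0.9:40003 -> 198.51.100.5:8
2006-05-01T10:00:07 ACCEPT TCP 10.0.0.5:51236 -> 10.0.0.2:25
"""

# Assumed log layout: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (\w+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")
BACKDOOR_PORT = 8   # the back-door port named in the post
PEER_FAN_OUT = 3    # hypothetical threshold: distinct peers reached on that port


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, _action, proto, src, _sport, dst, dport = m.groups()
            yield {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def find_port8_activity(log, port=BACKDOOR_PORT, fan_out=PEER_FAN_OUT):
    """Return hosts accepting TCP/<port> and hosts reaching >= fan_out peers on it."""
    inbound = defaultdict(set)   # dst host -> set of sources that connected
    outbound = defaultdict(set)  # src host -> set of destinations it reached
    for c in parse(log):
        if c["proto"] == "TCP" and c["dport"] == port:
            inbound[c["dst"]].add(c["src"])
            outbound[c["src"]].add(c["dst"])
    accepting = sorted(inbound)
    fanning = sorted(h for h, peers in outbound.items() if len(peers) >= fan_out)
    return {"accepting_on_port": accepting, "peer_fan_out": fanning}


if __name__ == "__main__":
    print(find_port8_activity(SAMPLE_LOG))
```

Port 8 is unassigned, so any legitimate service on it is a local exception to whitelist; the fan-out signal is the one worth alerting on, because a host both accepting on the port and reaching several peers on it is behaving like a P2P node.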