The Nugache Worm/Botnet

I’ve already written about the Storm worm, and how it represents a new generation of worm/botnets. And Scott Berinato has written an excellent article about the Gozi worm, another new-generation worm/botnet.

This article is about yet another new-generation worm-botnet: Nugache. Dave Dittrich thinks this is the most advanced worm/botnet yet:

But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.


Nugache, and its more famous cousin, the Storm Trojan, are not simply the next step in the evolution of malware. They represent a major step forward in both the quality of software that malware authors are producing and in the sophistication of their tactics. Although they’re often referred to as worms, Storm and Nugache are actually Trojans. The Storm creator, for example, sends out millions of spam messages on a semi-regular basis, each containing a link to content on some remote server, normally disguised in a fake pitch for a penny stock, Viagra or relief for victims of a recent natural disaster. When a user clicks on the link, the attacker’s server installs the Storm Trojan on the user’s PC and it’s off and running.

Various worms, viruses, bots and Trojans over the years have had one or two of the features that Storm, Nugache, Rbot and other such programs possess, but none has approached the breadth and depth of their feature sets. Rbot, for example, has more than 100 features that users can choose from when compiling the bot. This means that two different bots compiled from an identical source could have nearly identical feature sets, yet look completely different to an antivirus engine.


As scary as Storm and Nugache are, the scarier thing is that they represent just the tip of the iceberg. Experts say that there are several malware groups out there right now that are writing custom Trojans, rootkits and attack toolkits to the specifications of their customers. The customers are in turn using the malware not to build worldwide botnets a la Storm, but to attack small slices of a certain industry, such as financial services or health care.

Rizo, a variant of the venerable Rbot, is the poster child for this kind of attack. A Trojan in the style of Nugache and Storm, Rizo has been modified a number of times to meet the requirements of various different attack scenarios. Within the course of a few weeks, different versions of Rizo were used to attack customers of several different banks in South America. Once installed on a user’s PC, it monitors Internet activity and gathers login credentials for online banking sites, which it then sends back to the attacker. It’s standard behavior for these kinds of Trojans, but the amount of specificity and customization involved in the code and the ways in which the author changed it over time are what have researchers worried.


“I’m pretty sure that there are tactics being shared between the Nugache and Storm authors,” Dittrich said. “There’s a direct lineage from Sdbot to Rbot to Mytob to Bancos. These guys can just sell the Web front-end to these things and the customers can pick their options and then just hit go.”

See also: “Command and control structures in malware: From Handler/Agent to P2P,” by Dave Dittrich and Sven Dietrich, USENIX ;login:, vol. 32, no. 6, December 2007, and “Analysis of the Storm and Nugache Trojans: P2P is here,” Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich, USENIX ;login:, vol. 32, no. 6, December 2007. The second link is available to USENIX members only, unfortunately.

Posted on December 31, 2007 at 7:19 AM23 Comments


J.D. Abolins December 31, 2007 9:14 AM

FWIW, the article’s mention “With no C&C server to target…” for the new malware struck me as coding in “leaderless resistance” concept of decentralised command.

Some info on the “leaderless resistance” concept from an essay by Simson Garfinkel:

Nothing surprising per se, but still an interesting development in code paralleling human organisational practices.

Anonymous December 31, 2007 9:18 AM


In a certain way this is old news, having being discussed since early March… guess you had been spending too much time reading about Homeland security. 🙂

It was obvious that all serious botnet developers would move quickly to encrypted P2P communications, and as the mentioned target notes, that botnets would move to a “professional development cycle”

This was smartly addressed on a Blackhat Europe 2007 presentation by 3 Brazilian guys.

Indeed few of their predictions are already fact:

Encrypted P2P;
XML messaging;
OTP communications for C&C.

I strongly recommend the reading. It’s not the best paper ever but worths the time, the thing is almost like a crystal ball. 🙂

Dom De Vitto December 31, 2007 10:19 AM

Hmmm, the referenced article bothers me – it seems to be written more for the press than anyone else. High on FUD, low on facts.

Googling Nugache brings up the Symantec pages, which have a lot more ‘nitty-gritty’, which isn’t as ‘high level’ as Dave’s article, but comparing the vague strategies of several bits of malware isn’t very enlightening – especially when the thrust of the article underlines that the malware and white-hats are in a continual war of attrition.

I the fact that malware authors actually develop malware, and don’t just wrote one and never wrote another, is obvious.
The fact that malware authors examine their [malware] competitors performance, is also obvious. Personally I think it’s very unlikely that the developers share ideas willingly – they are, after all, in fierce competition with each other – unless their is proof of a ‘co-op’ regime?

“…would be virtually impossible to stop.” Pah. That’s not a very scientific statement. e.g. blocking all forms of executable entering your network would sort this out, as would tight sandboxing (HIDS) etc. etc. etc. Their are lots of countermeasures, and many can be applied at the ISP level.

I’d really like to see someone do a proper ‘Morris worm’ [aka ‘Internet Worm’ !!!] reverse-engineering job on such beasts, as this would start to properly undercover the (100+) available attack vectors, and therefore possible countermeasures, or at least areas to heavily monitor.

I know that Dave is smart, I just think this article is too heavily dumbed-down. I think his time would have been better spent writing about expected malware strategies for 2008/2009, than this piece. 🙁

Bruce Schneier December 31, 2007 12:12 PM

“Hmmm, the referenced article bothers me – it seems to be written more for the press than anyone else. High on FUD, low on facts.”

I know. The :login; articles are better.

Orclev December 31, 2007 1:57 PM

More and more things like this make me want to work on creating a new OS. I’ve been tossing the idea around for a while, and I’ve come up with a number of things I’d like to see incorporated into it, with the primary focus being on security (things like a randomly generated private key used to sign all apps that’s generated when you install the OS). If I could just take a year or two off and work only on that project I’m sure I could come up with something usable.

amanfromMars December 31, 2007 2:03 PM

“but the amount of specificity and customization involved in the code and the ways in which the author changed it over time are what have researchers worried.”

Worried because they fail to counter with Beta Creative Code?

That would suggest all that they need is a Beta Creative Code XXXX Writer with AI Network for InterNetworking Myriad CyberIntelAIgently Designed Information Feeds……. AI VXXXXine against Binary Shenanigans, no less.

I Kid U Not. Bots B AI Ware. Alien Territory Dead aHead.

It is unreasonable to think to manage Knowledge as Secrets to Hide away whenever the Solution is to Traffic them so that they can Evolve and Grow and Generate ControlLed Power

Orclev December 31, 2007 2:13 PM

… wow, amanfrommars made the leap from theregister to here. Is this his first time, or has he been on this site before? I must confess I don’t read the comments much, so maybe this is just the first time I’ve seen him on here.

Shimniok January 1, 2008 11:38 AM

Am I the only one that’s surprised it took so long for them to get to this point? Anyway, perhaps it has finally become clear that fighting an unending arms race isn’t the answer to the current malware/spam/phishing underground problem?

Sure, we can try to improve laws and do better enforcement, increasing the risk to the bad guys, but the real issue is their reward. Sending spam works. Stealing credit card numbers and other identity info works. Apparently very well. Just like selling illegal drugs–or booze during the prohibition.

Rather than focusing on the next escalation of technology to combat the problem tactically, perhaps all the bright minds should be thinking about how to tilt the risk vs reward equation in a more favorable direction by focusing on the reward side of things. Not that I’ve spent a lot of time thinking about this but probably some big (read infeasible) changes are required.

Crazy, off the cuff example: suppose that using a credit card required some dynamic, unpredictable info, like one time password? Point being, if static info about the credit card wasn’t sufficient to use it, how might the CC# black market fare, I wonder? With this source of funding throttled, I wonder where else they’d turn…

Aw heck, it’s probably hopeless.

PasiK January 2, 2008 1:30 AM

These botnets and their herderds are challenging adversaries. However, they don’t seem to introduce any new innovative technologies themselves. We’ve seen only semi-smart use of technologies that are many years old and already there. When did P2P come up first time? Yep, it’s been there for a long time.

.. or is it so that they are really not that smart anyway?

Tiernan January 2, 2008 5:43 AM

Yeah, I was also surprised to see him and had to double check what site I was on. :-\ Not that I am complaining as his writing as often illegible as it is, is usually entertaining.

What was the lineage Dittrich was talking about between them, I didn’t think some of them were related?

supersnail January 3, 2008 7:17 AM


Good luck to you on your quest to create a new OS….

But the number of OSes is shrinking rapidly.
e.g. IBM used to support abiut 38 OSes but now suipport about 7 (plus support for two Lini although they werent written by them!).

Very few of the recently written OSes have taken off, and some excellent attempts (BeOS, Plan 9 etc. ) have bitten the dust.

Even the Mighty MS is struggling to get VISTA out of the door.

Like I said Good Luck.

Jad' January 3, 2008 8:01 AM

About developping better OSes…
A must read paper from 2002: “Thirty Years Later: Lessons from the Multics Security Evaluation” (
Or how 30 years change nothing in security!

And, yes, there is no hope in the future of security as long as people don’t want security at all: they want sexy GUI and highly reconfigurable system with ease of use. They want confort, not something that interfere with their work and forbide then to do what they want!


Anonymous January 3, 2008 5:07 PM

New threats like Nugache and Storm do seem like the next level in malware. Since they adapt and are relentless (and since ‘the next generation’ is overused) maybe they should be called Borg class malware. Good luck to all of us fighting these things.

Swift January 10, 2008 9:36 AM

What vectors are these Trojans usings for compromising a system? Are they all in essence stemming from some kind of social engineering weakness? (hey stupid user…click here…download me…)…or is there a specific software vulnerability thats being exploited? (Activ X controls…new XMLHttpRequests()…MSMxml2.XMLHTTP…or Microsoft.XMLHTTP….) What kind of encryption are they using? give us some specifics…
What about using Geotracking…

Cyn January 18, 2008 3:51 PM

Regarding the secure OS mini thread, why not just use OpenBSD? And, if you think that something in it needs changing or tweaking you could just change or tweak it and re-compile.

network scanner November 26, 2009 7:22 PM

“…attack toolkits to the specifications of their customers.”

I always thought that virus/worm propagators are lonely programmers out to attract much ‘wanted’ self attention. From, the statement in quotes above, they now look more like assassins for hire. Now that’s scary.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.