Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Kraken Technical Details: UPDATED x3

Published: 2008-04-07
Last Updated: 2008-04-09 00:40:48 UTC
by John Bambenek (Version: 1)
0 comment(s)

Information has just started flowing on the Kraken diary from earlier. As of this moment, I still don't have a sample of this particular malware, but I do have some packet captures of the control traffic.

C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 or so hostnames associated with this from dyndns and yi.org.  I will publish a list and update this post with that information shortly. According to some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well). Some other related bins (c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5)

Word on the street is that this may already be detected and it looks like it is just part of the Bobax family of malware related to this article on Dark Reading from last year. It appears that this malware is what Kraken malware is using to infect machines to based on the work of others.

Here are some sample packets (this is payload data only, no header):

0000   4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c  M.......1w...8..
0010   84 22 24 64 68 9e 4c 48                          ."$dh.LH

0000   4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1  M...........G|..
0010   23 03 96 ed 57 ab 5c ea                          #...W.\.

0000   4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df  M...............
0010   9e fc 0d 71 66 d6 b2 15                          ...qf...

0000   4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36  M............?.6
0010   d5 26 51 9c 60 11 5d f2                          .&Q.`.].

You'll notice that the first 8 bytes are the same, those first 8 vary between different IP addresses, but the packets coming from the same IP all have that same first 8 bytes. This looks like some sort of session ID / signature that is used throughout the session.

<Begin Commentary>

If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware.

</End Commentary>

UPDATE: The md5 that Damballa is saying is associated with this malware is MD5: 1d51463150db06bc098fef335bc64971.  I'm working with a copy from Project Malfease and will have an analysis later. A Virus Total scan of this binary came back as 5/32 (with the 5 that did detect doing so in non-descript ways like "suspicious file").

UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here.

There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now.

http://www.threatexpert.com/report.aspx?uid=83128ea3-453a-46fe-884b-71d05677d3ed

http://www.threatexpert.com/report.aspx?uid=e32f00bb-6b26-477f-a0d6-307000a31924

http://www.threatexpert.com/report.aspx?uid=2b65a341-7f74-413c-9854-a6aca09450f5


http://www.threatexpert.com/report.aspx?uid=c431073f-4321-4bc0-a219-832a10f4f3a0


http://www.threatexpert.com/report.aspx?uid=d04fcd5b-b221-43d0-8dad-95e64ba57145

http://www.threatexpert.com/report.aspx?uid=63606940-900b-4e26-87d9-7453a1518ed6

http://www.threatexpert.com/report.aspx?uid=52accf15-a173-4f90-9482-b2634c151d87

UPDATE 3: (4/9/08 - 0030 UTC)

First, Brian Krebs has some good coverage of the Kraken incident and some of the back story going on between Damballa and some AV vendors. It also covers some neat technical details of how Damballa got the information on this botnet. Also, Threat Expert has a pretty good write-up on what they have for Kraken.  They see that the initial "phone home" is over TCP/447, and subsequent communication is UDP/447. The detection is still look for port 447 traffic crossing your perimeter. That port was used by an old IBM OS for some database stuff. It doesn't appear to have been used in years. Emerging Threats has some sigs (see above), and the UDP packets seem to be pretty consistently 66, 115, 116, or 117 bytes for the *entire packet*.

 

--
John Bambenek / bambenek \at\ gmail {dot} com

 

Keywords: botnet kraken malware
0 comment(s)

Network Solutions Technical Difficulties? Enom too

Published: 2008-04-07
Last Updated: 2008-04-07 19:20:11 UTC
by John Bambenek (Version: 1)
0 comment(s)

It appears that Network Solutions is having some troubles.  Their website is intermittently available and people are having trouble logging in to managed network solutions services (like webmail). Their phone lines have a recorded message confirming the problem. No other information as available at this point. Stay tuned.

Additionally, enom.com is reporting that they are having "unscheduled maintenance".

Digg is also saying that are "experiencing several known issues at the moment" but the site itself is up.

--
John Bambenek / bambenek \at\ gmail (dot) com

0 comment(s)

Got Kraken?

Published: 2008-04-07
Last Updated: 2008-04-07 18:44:39 UTC
by John Bambenek (Version: 1)
1 comment(s)

Out of the RSA Conference, there is news that there is a new botnet in town, over twice the size of the Storm Worm in town called Kraken. Researchers from Damballa have discovered and tracked it the last two weeks and I'm guessing from news reports have presented their findings at RSA. If you have details of this worm, detection mechanisms, malware samples, etc, please send us some.

--
John Bambenek / bambenek {at} gmail [dot] com

P.S. Humorous note... everytime I hear the word Kraken, I think of Ask A Ninja's review of Pirates of the Carribean. I think it's funny at least. No, you can't have that 5 minutes back.

Keywords: botnet kraken malware
1 comment(s)

HP USB Keys Shipped with Malware for your Proliant Server

Published: 2008-04-07
Last Updated: 2008-04-07 18:44:15 UTC
by John Bambenek (Version: 1)
0 comment(s)

A loyal ISC reader pointed us to this note from AUSCERT. The basic story is that HP has optional "floppy USB keys" for some of their Proliant servers. The 256 KB and 1 GB versions include a batch that also came with 'W32.Fakerecy' or W32.SillyFDC'  designed to infect your machine if you insert them. The interesting note is that these keys seem only to be shipped for Proliant servers which could indicate an attempt to "target" by the attackers or that they just hit some factory and got lucky. Either way, with the prolific trail of stories of USB devices shipping with malware pre-installed, it is now an attack vector that we need to be concerned about. Here are some steps to protect yourself against USB-based (and Fireware, which isn't immune from these stunts) malware:

1) Take the vendor who made the device and do a google news search on it. Odds are you aren't the first to buy it and if it comes with badware it may be news. If you see a story about it, check the vendor webpage and see if you can compare serial numbers of infected/non-infected versions. If not, return it and get something similar. Additionally, you can check the vendor page, sometimes (but shamefully not enough) they do the right thing and let their customers know what to do.

2) Every time you get a USB device scan it for malware before you use it with your anti-virus software's latest DATs. This includes picture frames, USB keys, SD Cards, USB/Fireware harddrives, iPods, MP3 players, everything. If it can store data, you should scan it. Most (if not all) anti-virus software I've seen and used allows you to scan an entire drive. Every time you take a new trinket out of the box, scan it. Even if the vendor is reputable because you don't know what factory it came from.

3) If you do receive a malware hit, let us know via our contact page. Fair, this isn't the most important step, but also let the store know where you got it and the manufacturer of the device know. Depending on what product we are talking about, it may not be easy to find contact information, we can work on that too. We like malware samples, if you feel comfortable and know how to do it, send them to us. We will analyze and forward them on to our list of anti-virus vendors.

4) Even if you do not see any malware, there is a possibility you are not safe. If you notice "odd" behavior of your machine (connections to a random machine you don't know, changing your default homepage, etc), be wary. Update your DATs and scan again, or check mailing lists (or with us) to see if anyone else is having problems.

5) If you are a manufacturer/vendor of external data storage (USB, Fireware, etc), outsourcing may still make sense for you. But just because a business model meets the cost-benefit equation doesn't mean you can go "Baghdad Bob" about the risks (or costs) associated with outsourcing. Whatever is done outside your control is... outside your control. When you have a factory make these devices for you, scan them yourselves and examine them for signs of badware *before* you ship to the consumers. The extra QA step may cost you money up front, but build consumer good will. Consumers like companies that look out for them.

6) Turn off "autorun" software on your operating system. It makes life less convenient, but it saves you from automatically running software that you don't want. If you want complete safety and it doesn't void your warranty/ability to return the device or make the device irrelevant (such as USB keys provided by vendors of servers and appliances for updating software) format the drive completely using a data shredder or other tool to torch every single byte that is on the device.

I recommend that if you get a malware hit on a USB device to simply return it and get something else (unless there is no alternative). I don't see a point in keeping hardware that came preinstalled with malware, there is no telling what else is on there that isn't detected and you know it's already be tampered with. It's generally best practice to do a complete reinstall of an infected machine, I would posit the best practice for the purchase of an infected device is simply to return it while your window of return is still open. There are plenty of product chooses of picture frames, USB memory sticks, SD cards, USB/Fireware harddrives, etc that have not gotten hit with malware to worry about cleaning a compromised device.

UPDATE: It's not the first time USB keys for "targetted" victims has been found. CheckPoint recently got hit with some of their USB keys for "reset to factory default" devices to plug into some of their firewalls.

--
John Bambenek / bambenek \at\ gmail {dot} com

0 comment(s)
Diary Archives