Kraken Technical Details: UPDATED x3
Information has just started flowing on the Kraken diary from earlier. As of this moment, I still don't have a sample of this particular malware, but I do have some packet captures of the control traffic.
The C&C sends UDP/447 to the victim, with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 hostnames associated with this from dyndns and yi.org. I will publish a list and update this post with that information shortly. Based on some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some as-yet-unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well.) Some other related bins: c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5.
Word on the street is that this may already be detected, and it looks like it is just part of the Bobax family of malware described in this article on Dark Reading from last year. Based on the work of others, it appears that this malware is what Kraken is using to infect machines.
Here are some sample packets (this is payload data only, no header):
0000   4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c  M.......1w...8..
0010   84 22 24 64 68 9e 4c 48                          ."$dh.LH
0000   4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1  M...........G|..
0010   23 03 96 ed 57 ab 5c ea                          #...W.\.
0000   4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df  M...............
0010   9e fc 0d 71 66 d6 b2 15                          ...qf...
0000   4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36  M............?.6
0010   d5 26 51 9c 60 11 5d f2                          .&Q.`.].
You'll notice that the first 8 bytes are the same in every packet. Those first 8 bytes vary between different IP addresses, but the packets coming from the same IP all share the same first 8 bytes. This looks like some sort of session ID or signature that is used throughout the session.
<Begin Commentary>
If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware.
</End Commentary>
UPDATE: The MD5 that Damballa is saying is associated with this malware is 1d51463150db06bc098fef335bc64971. I'm working with a copy from Project Malfease and will have an analysis later. A VirusTotal scan of this binary came back as 5/32 (with the 5 that did detect doing so in nondescript ways like "suspicious file").
UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here.
There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now.
http://www.threatexpert.com/report.aspx?uid=83128ea3-453a-46fe-884b-71d05677d3ed
http://www.threatexpert.com/report.aspx?uid=e32f00bb-6b26-477f-a0d6-307000a31924
http://www.threatexpert.com/report.aspx?uid=2b65a341-7f74-413c-9854-a6aca09450f5
http://www.threatexpert.com/report.aspx?uid=c431073f-4321-4bc0-a219-832a10f4f3a0
http://www.threatexpert.com/report.aspx?uid=d04fcd5b-b221-43d0-8dad-95e64ba57145
http://www.threatexpert.com/report.aspx?uid=63606940-900b-4e26-87d9-7453a1518ed6
http://www.threatexpert.com/report.aspx?uid=52accf15-a173-4f90-9482-b2634c151d87
UPDATE 3 (4/9/08 - 00:30 UTC):
First, Brian Krebs has some good coverage of the Kraken incident and some of the back story going on between Damballa and some AV vendors. It also covers some neat technical details of how Damballa got the information on this botnet. Also, Threat Expert has a pretty good write-up on what they have for Kraken. They see that the initial "phone home" is over TCP/447, and subsequent communication is UDP/447. Detection still comes down to looking for port 447 traffic crossing your perimeter. That port was used by an old IBM OS for some database stuff and doesn't appear to have been used in years. Emerging Threats has some sigs (see above), and the UDP packets seem to be pretty consistently 66, 115, 116, or 117 bytes for the *entire packet*.
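To turn the two observations above (the port-and-size heuristic here, and the constant 8-byte prefix per source IP noted under the sample packets) into something you can run over captured traffic, here is a small added example. It is not code from the diary and not the Emerging Threats signatures; it is a stand-alone heuristic written for this post. It assumes untagged Ethernet II framing, so a 66-byte frame is 14 (Ethernet) + 20 (IPv4) + 8 (UDP) + 24 bytes of payload, which is exactly the payload size of the four dumps shown above. The four payloads are taken from the post; the IP addresses, MAC addresses and the non-matching "control" packets are constructed fixtures for the example.

```python
"""
Heuristic detection of the Kraken/Bobax control traffic described in the diary:
UDP packets involving port 447 whose whole on-the-wire frame is 66, 115, 116 or
117 bytes, with a constant 8-byte prefix per source IP (the suspected session ID).

Constructed example: the Ethernet/IPv4/UDP framing is built in memory so the
script runs offline; the four 24-byte payloads are the ones shown in the post.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

KRAKEN_PORT = 447
KRAKEN_FRAME_SIZES = {66, 115, 116, 117}   # whole frame, per the diary
SESSION_ID_LEN = 8                         # constant prefix seen per source IP
ETH_HDR_LEN = 14
UDP_HDR_LEN = 8


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet II / IPv4 / UDP frame around payload (test fixture only:
    MAC addresses are dummies and checksums are left zero, which the parser ignores)."""
    udp_len = UDP_HDR_LEN + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + udp


def parse_udp_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + UDP_HDR_LEN:
        return None
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    udp = ip[ihl:]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:UDP_HDR_LEN])
    return src, dst, sport, dport, udp[UDP_HDR_LEN:udp_len]


def is_kraken_candidate(frame):
    """Port-and-size heuristic from the diary: port 447 on either side, frame of a known size."""
    parsed = parse_udp_frame(frame)
    if parsed is None:
        return False
    _, _, sport, dport, _ = parsed
    return KRAKEN_PORT in (sport, dport) and len(frame) in KRAKEN_FRAME_SIZES


def session_ids_by_source(frames):
    """Map each source IP of candidate frames to the set of 8-byte prefixes it sent."""
    seen = defaultdict(set)
    for frame in frames:
        if is_kraken_candidate(frame):
            src, _, _, _, payload = parse_udp_frame(frame)
            seen[src].add(payload[:SESSION_ID_LEN])
    return dict(seen)


def scan(frames):
    """One alert per source that sent candidate frames. A single prefix reused across
    several packets matches the session-ID behaviour observed in the diary."""
    alerts = []
    for src, ids in sorted(session_ids_by_source(frames).items()):
        count = sum(1 for f in frames if is_kraken_candidate(f) and parse_udp_frame(f)[0] == src)
        alerts.append({"src": src, "packets": count, "session_ids": sorted(ids),
                       "stable_session_id": len(ids) == 1 and count > 1})
    return alerts


# The four payloads shown in the post (24 bytes each, same first 8 bytes).
SAMPLE_PAYLOADS = [bytes.fromhex(h) for h in (
    "4df4d517dc04c12e3177aa1b9f38a08c842224 64689e4c48",
    "4df4d517dc04c12ed387b70a477c9ce1230396ed57ab5cea",
    "4df4d517dc04c12efedde219b8a50adf9efc0d7166d6b215",
    "4df4d517dc04c12edb881d13ec3f8636d526519c60115df2",
)]

# Constructed traffic: one "C&C" source sending the four samples from UDP/447,
# plus a DNS-port packet and an 82-byte port-447 packet that must not match.
EXAMPLE_FRAMES = (
    [build_udp_frame("203.0.113.10", "192.0.2.50", KRAKEN_PORT, 1337, p) for p in SAMPLE_PAYLOADS]
    + [build_udp_frame("198.51.100.7", "192.0.2.50", 53, 40000, b"\x00" * 24)]
    + [build_udp_frame("203.0.113.99", "192.0.2.50", KRAKEN_PORT, 1338, b"\x00" * 40)]
)

if __name__ == "__main__":
    for alert in scan(EXAMPLE_FRAMES):
        print(alert)
```

Feeding real frames in is a matter of reading them from a pcap (for example with a pcap library, which is left out here to keep the example dependency-free); the size check deliberately uses the whole frame, as the diary specifies, so a VLAN tag or a non-Ethernet link layer would shift the expected sizes by the extra header bytes.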
--
John Bambenek / bambenek \at\ gmail {dot} com