Kraken Botnet

Notification Date: April 11, 2008
Notification Version: 1.0
   
Name: Kraken Botnet
Public disclosure / in-the-wild date: late 2007, possibly late 2006
Aliases: Orderdor (Microsoft & BitDefender), Spakrab (Symantec), and possibly Bobax
Risk: Low
Distribution: Low
CME: none
Description:

Kraken is a botnet that may be a not-so-distant relative of the Bobax botnet.  The malware used by this botnet appears to share code or be a variant of previous malware.  Although some samples may evade antivirus technologies, the majority of samples are detected with behavior-based detection.  The main purpose of the Kraken bot appears to be spam relay. 

Recent unverified reports have claimed that the Kraken botnet has infiltrated 10% of Fortune 500 companies.  Although X-Force has not verified this information, we have analyzed Kraken samples and would like to advise our customers that the antivirus technologies in our host and network products have detected all of the samples we have collected as of 4/11/2008 9 AM EST.  In addition to antivirus coverage, Proventia ADS has specific botnet detection capabilities for Kraken.

Research Credits: Detailed description provided by Jose Nazario at Arbor Networks

 

ISS Coverage

Product

Content Version

Proventia Desktop
Proventia Multifunction
Proventia Mail

base version (with antivirus enabled)

Propagation
Techniques

ISS Protection

Available

email/spam 

Mal/Generic-A (Proventia-M signature av)
Mal/EncPk-CK (Proventia-M signature av)
Mal/EncPk-Y (Proventia-M signature av)

Backdoor.Oderoor.G (desktop signature AV)
Backdoor.Oderoor.BM (desktop signature AV)
Trojan.Obfuscated.GY (desktop signature AV)
Backdoor.Oderoor.BN (desktop signature AV)
Trojan.Agent.AHNY (desktop signature AV)

Jan 8, 2008
Feb 21, 2007
Jul 7, 2007

tbd

Detection Techniques

  Detection Technique                       ISS Detection                                                       Available
  ----------------------------------------  ------------------------------------------------------------------  ---------
  Network bot detection                     ADS Active Threat Feed - ATF-2008-202
                                            IDS coverage TBD
  Proventia Content Filtering technologies  Antispam and Web-filtering Malware categories can block potential
                                            infections through these vectors

Detailed Description

Description:

Kraken is a spam Trojan, also known as Oderoor. Infected hosts form a botnet, receiving spam templates and recipient lists from a list of control nodes. It sends out spam from an infected machine and might also download other malicious files onto the infected machine.

Hosts become infected with Kraken (or Oderoor) through Trojan downloads over instant messaging or peer-to-peer links. We have also seen at least one IRC botnet used to distribute this malware.

On startup, the malware first tries to resolve a list of hostnames hardcoded into the binary to discover the current Kraken server IPs. Once hostname resolution is complete, the malware sends a UDP datagram to the Kraken servers on destination port 447 to identify the victim machine. Depending upon the malware variant, the payload size for the datagram is between 24 and 74 bytes. The infected host then receives a spam template and starts sending out spam according to that command. Periodically, the malware makes connections to the Kraken servers on UDP/TCP port 447, possibly to get new templates.
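The two traffic shapes described above (a small UDP identification datagram to port 447, followed by recurring UDP/TCP connections to the same port) are the observable a network defender can key on. The following is an added example, not code from the advisory or from ISS: a small Python triage script that reads flow records and groups port-447 activity per internal host. The flow-record format and every address and byte count in SAMPLE_FLOWS are constructed for the demonstration; a real deployment would feed it from the site's own flow or firewall logs.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not taken from the advisory). One flow per line:
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<payload length>
SAMPLE_FLOWS = """\
2008-04-11T09:00:01 UDP 10.0.0.5:51234 -> 203.0.113.10:447 bytes=42
2008-04-11T09:00:01 UDP 10.0.0.5:51235 -> 203.0.113.11:447 bytes=42
2008-04-11T09:00:03 TCP 10.0.0.5:51240 -> 203.0.113.10:447 bytes=612
2008-04-11T09:00:05 UDP 10.0.0.7:40000 -> 198.51.100.20:53 bytes=40
2008-04-11T09:00:07 UDP 10.0.0.9:40010 -> 203.0.113.12:447 bytes=900
2008-04-11T09:30:01 UDP 10.0.0.5:51250 -> 203.0.113.10:447 bytes=42
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

KRAKEN_PORT = 447                  # control-node port named in the advisory
MIN_PAYLOAD, MAX_PAYLOAD = 24, 74  # size range of the identification datagram


def classify_flow(line):
    """Classify one flow line.

    Returns (src_ip, dst_ip, verdict) where verdict is:
      "checkin" - UDP to port 447 carrying 24-74 bytes, the shape of the
                  initial identification datagram described in the advisory;
      "port447" - any other UDP or TCP traffic to port 447, the shape of the
                  periodic template fetch.
    Returns None for malformed lines and for traffic to other ports.
    """
    m = FLOW_RE.match(line.strip())
    if not m or int(m["dport"]) != KRAKEN_PORT:
        return None
    size = int(m["bytes"])
    if m["proto"] == "UDP" and MIN_PAYLOAD <= size <= MAX_PAYLOAD:
        return m["src"], m["dst"], "checkin"
    return m["src"], m["dst"], "port447"


def find_suspects(text):
    """Aggregate port-447 activity per internal source host.

    Returns {src_ip: {"checkin": n, "port447": n, "servers": [dst_ip, ...]}}.
    A host with repeated check-ins to several distinct port-447 peers is the
    pattern worth escalating; a single flow may be a scan or a false positive.
    """
    report = defaultdict(lambda: {"checkin": 0, "port447": 0, "servers": set()})
    for line in text.splitlines():
        hit = classify_flow(line)
        if hit is None:
            continue
        src, dst, verdict = hit
        report[src][verdict] += 1
        report[src]["servers"].add(dst)
    return {
        src: {"checkin": e["checkin"], "port447": e["port447"],
              "servers": sorted(e["servers"])}
        for src, e in report.items()
    }


if __name__ == "__main__":
    for src, entry in sorted(find_suspects(SAMPLE_FLOWS).items()):
        print(f"{src}: {entry['checkin']} check-in(s), "
              f"{entry['port447']} other port-447 flow(s), peers={entry['servers']}")
```

Port 447 alone is a weak indicator, so the script keeps the small-datagram check-ins separate from other port-447 traffic and reports the set of peers; in the constructed sample, 10.0.0.5 shows three check-ins plus a TCP follow-up to two peers, while 10.0.0.9 shows a single oversized datagram that merits a look but not the same confidence.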

Once it infects a machine, the Kraken malware creates a binary file in the %SYSTEM32% directory with a random name. This filename is a string of lowercase letters between 2 and 20 characters long and is not based on any dictionary words. It then modifies the following registry entry to ensure that the malware is always running:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "" = C:\WINDOWS\system32\[%random_name%].exe

After this, it tries to open a series of services and, ultimately, creates a service whose binary path points to the file created above.
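The persistence indicators above (a randomly named lowercase executable of 2 to 20 letters dropped into %SYSTEM32% and started from the HKLM Run key under an empty value name) can be checked on a host without a signature. The following is an added example, not code from the advisory or from ISS: a Python audit of Run-key values that flags entries matching that pattern. The allowlist, the stand-in dictionary and the SAMPLE_RUN entries are constructed assumptions for the demonstration; on a Windows host the script reads the live Run key through the standard-library winreg module, elsewhere it falls back to the sample.

```python
import re

# Pattern from the advisory: a dropped file named with 2-20 random lowercase letters,
# not based on a dictionary word, placed in %SYSTEM32% and started from the Run key
# under an empty ("") value name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{2,20}$")
SYSTEM32_EXE_RE = re.compile(
    r'^"?(?:[a-z]:\\windows|%systemroot%)\\system32\\(?P<name>[^\\"]+?)\.exe"?(?:\s.*)?$',
    re.IGNORECASE,
)

# Constructed allowlist (assumption): system32 binaries legitimately started from Run
# on the hosts being audited. A real deployment would derive it from a clean build.
KNOWN_GOOD = {"ctfmon", "igfxtray", "hkcmd"}

# Constructed stand-in for a dictionary. The advisory says the dropped name is not
# based on any dictionary word, so a dictionary hit is routed to manual review
# rather than flagged outright.
DICTIONARY = {"update", "helper", "service", "monitor", "loader"}

# Constructed Run-key entries (value name, command) for the offline demonstration.
SAMPLE_RUN = [
    ("", r"C:\WINDOWS\system32\qwtlbzrk.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Adobe Reader Speed Launcher", r'"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"'),
    ("svc", r"C:\WINDOWS\system32\update.exe"),
    ("x", r"C:\WINDOWS\system32\abc123.exe"),
]


def classify_run_value(value_name, command):
    """Return (verdict, reason) for one Run-key value.

    verdict is "suspicious", "review" or "benign". Only executables under
    %SYSTEM32% are examined, since that is where the advisory says the file lands.
    """
    m = SYSTEM32_EXE_RE.match(command.strip())
    if not m:
        return "benign", "not an executable under %SYSTEM32%"
    name = m["name"].lower()
    if name in KNOWN_GOOD:
        return "benign", "allowlisted system32 binary"
    if not RANDOM_NAME_RE.match(name):
        return "benign", "name is not 2-20 lowercase letters"
    if name in DICTIONARY:
        return "review", "dictionary word: does not fit the random-name pattern, confirm by hand"
    reason = "random-looking lowercase name under system32"
    if value_name == "":
        reason += "; registered under the empty value name, as in the advisory"
    return "suspicious", reason


def audit_run_entries(entries):
    """Classify every (value name, command) pair; returns a list of 4-tuples."""
    return [(name, cmd) + classify_run_value(name, cmd) for name, cmd in entries]


def read_run_key():
    """Enumerate HKLM\\...\\Run on a live Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    live = read_run_key()
    for name, cmd, verdict, reason in audit_run_entries(live if live is not None else SAMPLE_RUN):
        print(f"[{verdict:10}] {name!r:32} {cmd}  ({reason})")
```

The check is deliberately narrow: it only looks at executables under system32, treats digits or punctuation in the name as disqualifying, and escalates rather than flags when the name is a real word, which keeps the verdict aligned with exactly the traits the advisory describes. A hit should be confirmed against the other indicators on this page (the created service and port-447 traffic) before the host is treated as infected.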

Affected Platforms:
  • Windows 2003
  • Windows XP
  • Windows 2000
  • Windows NT
  • Windows 98
  • Windows 95

References

Arbor http://asert.arbornetworks.com/2008/04/busy-day-kraken-new-storm-run-and-msft-bulletins/

Revision History

Apr 11, 2008 Initial release.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.