In association with heise online

01 May 2008, 10:45

Inner workings of Kraken botnet analysed


The Kraken botnet attracted attention at the RSA security conference because of its size – estimated at some 400,000 drones. In early April it was reported that the botnet had so far mostly been used to send out spam – the usual fare of promos for online pharmacies, penis extension, online casinos, loans, and the like. Several security companies have analysed the bot software. They have reverse-engineered the algorithms used to create arbitrary domain names for the command and control server (C&C) and to encrypt and decrypt communication, and have even made these available for download.

McAfee has observed increasingly refined cloaking techniques in the Kraken drones. While older variants of the virus communicated with other drones using UDP port 447, the new versions use randomly selected UDP ports as well as TCP ports 80 and 443 for communication. That allows the drones to evade protection mechanisms on corporate networks, where the only open ports are those used for HTTP and HTTPS traffic.

Michael Hale Ligh and Greg Sinclair have reverse engineered the encryption algorithm of the C&C traffic. They explain the packet format in a blog entry and have posted the source code in C++ for encryption and decryption for download. They also want to release an analysis module for Wireshark, but so far they have only offered a command line tool to analyse intercepted botnet traffic.

The Kraken drones search for their C&C server under randomly generated domain names. Researchers at PCTools have studied the algorithms that the drones use to generate these domain names. They have used their findings to program their own variant of the algorithm in C++ that interested users can download.

The results of this analysis make it easier to identify new variants of the Kraken bot and to adapt antivirus recognition routines and signatures to them. So maybe the botnet can be hit where it hurts – Thorsten Holz and his researchers at the University of Mannheim have already succeeded in demonstrating on the Storm worm botnet that this can be done.
