Wednesday, May 7, 2008

Memory Stealthiness of Kraken

A new variant of Kraken (v317) demonstrates extremely stealthy memory techniques.

This time, it dynamically decodes the chunks of code and data only when it needs them, leaving no traces behind that could be suitable for generic memory signatures.

The total amount of memory that Kraken consumes was measured with a tool built specifically for this purpose. The tool simply checked the Kraken process's total memory consumption every 100 ms, from the moment the executable started until it reached its active phase. With every check, the tool also scanned the process's entire address space (including all modules and the heap) for the string "yi.org", which is known from a dynamic analysis of this bot.

The tool produced an interesting result that is shown below:



As the graph suggests, the Kraken executable spends a considerable amount of time trying to "shake off" emulators from its tail. But even when it reaches its active payload phase, it still does not expose its original strings.

The vertical red lines on the chart mark the moments at which the string "yi.org", part of the dynamic DNS name the bot generates, is present in memory. The bot pulls the name, works with it, then destroys it, keeping the amount of data suitable for generic detection as low as possible. If APIs could accept encrypted parameters, it would surely feed them encrypted, but they cannot, so Kraken has no choice but to decrypt them only at the moment it calls the APIs, and only after it reaches its active payload phase. Pretty impressive stealthiness for memory.

The next image shows the contents of a small heap fragment at the same address, analysed every 100ms:



That narrow "window" is all that Kraken exposes for memory contents analysis, making generic memory signature-based detection unreliable.
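
A polling scanner of the kind described above, written here as an added example (it is not ThreatExpert's tool, and the snapshots it runs over are constructed, not captured from Kraken): every 100 ms it walks the target's committed regions, sums their size and counts occurrences of "yi.org". The Windows path uses the documented OpenProcess/VirtualQueryEx/ReadProcessMemory calls; on other platforms it replays a constructed decode-use-wipe timeline so the "narrow window" can be seen without a sample. The "example." prefix in the constructed heap page is a placeholder, not a Kraken host name.

```c
/* Polling memory scanner: an added example, not ThreatExpert's tool. Every 100 ms
   it sums the target's committed memory and counts occurrences of a marker string
   ("yi.org"). On Windows it walks a live process; elsewhere it replays snapshots. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MARKER "yi.org"
typedef struct { size_t committed_bytes; size_t hits; } mem_sample;

/* Count (possibly overlapping) occurrences of marker in one region. */
static size_t count_marker(const uint8_t *buf, size_t len, const char *marker)
{
    size_t mlen = strlen(marker), n = 0;
    if (mlen == 0 || len < mlen) return 0;
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, marker, mlen) == 0) n++;
    return n;
}

/* Longest run of consecutive polls with the marker visible. A run of 1 at a
   100 ms interval is the narrow window that a one-shot signature scan misses. */
static size_t longest_visible_run(const mem_sample *t, size_t n)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = t[i].hits ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Constructed snapshots (not captured from Kraken): a packer stub that never
   holds the marker, and a heap page that holds the decoded name for one poll. */
static const uint8_t STUB[] = "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00";
static const uint8_t DECODED[] = "example." MARKER "\x00POST /";
static const uint8_t WIPED[16] = { 0 };

/* Five polls: the heap page is decoded at polls 1 and 3 and wiped in between. */
static size_t demo_timeline(mem_sample *out, size_t max)
{
    size_t n = 0;
    for (size_t poll = 0; poll < 5 && n < max; poll++, n++) {
        int decoded = (poll == 1 || poll == 3);
        const uint8_t *heap = decoded ? DECODED : WIPED;
        size_t heap_size = decoded ? sizeof DECODED - 1 : sizeof WIPED;
        out[n].committed_bytes = (sizeof STUB - 1) + heap_size;
        out[n].hits = count_marker(STUB, sizeof STUB - 1, MARKER) + count_marker(heap, heap_size, MARKER);
    }
    return n;
}

static size_t demo_longest_run(void)
{
    mem_sample t[8];
    return longest_visible_run(t, demo_timeline(t, 8));
}
#ifdef _WIN32
#include <windows.h>
/* Walk every committed, readable region of the target with VirtualQueryEx,
   read it with ReadProcessMemory and count the marker; repeat every 100 ms. */
static int poll_process(DWORD pid, int polls)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) { fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError()); return 1; }
    uint8_t *buf = NULL; size_t cap = 0;
    for (int p = 0; p < polls; p++) {
        mem_sample s = { 0, 0 }; MEMORY_BASIC_INFORMATION mbi;
        for (uint8_t *addr = NULL; VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi; ) {
            uint8_t *next = (uint8_t *)mbi.BaseAddress + mbi.RegionSize;
            if (mbi.State == MEM_COMMIT && !(mbi.Protect & PAGE_GUARD) && mbi.Protect != PAGE_NOACCESS) {
                s.committed_bytes += mbi.RegionSize;
                if (mbi.RegionSize > cap) { cap = mbi.RegionSize; buf = realloc(buf, cap); }
                SIZE_T got = 0;
                if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf, mbi.RegionSize, &got))
                    s.hits += count_marker(buf, got, MARKER);
            }
            if (next <= addr) break;              /* wrapped at the top of the address space */
            addr = next;
        }
        printf("%6d ms  committed=%zu KB  hits=%zu\n", p * 100, s.committed_bytes / 1024, s.hits);
        Sleep(100);
    }
    free(buf); CloseHandle(h);
    return 0;
}
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <pid> [polls]\n", argv[0]); return 2; }
    return poll_process((DWORD)strtoul(argv[1], NULL, 10), argc > 2 ? atoi(argv[2]) : 600);
}
#else
int main(void)
{
    mem_sample t[8];
    size_t n = demo_timeline(t, 8);
    for (size_t i = 0; i < n; i++)
        printf("%4zu ms  committed=%zu B  hits=%zu\n", i * 100, t[i].committed_bytes, t[i].hits);
    printf("longest visible run: %zu poll(s)\n", longest_visible_run(t, n));
    return 0;
}
#endif
```

Run it on Windows as `memscan.exe <pid> [polls]` against the unpacked process; a hit count that flips between 0 and 1 from one poll to the next is the fingerprint of a string decrypted just for an API call, and a scanner that looks only once is at the mercy of that timing. The same VirtualQueryEx walk, filtered on mbi.RegionSize == 0x1B000, is also the quickest way to locate the unpacked c.dll heap page that the 21 April post below describes.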

Another aspect worth noting is that the new Kraken now has its cryptography based on "LibTomMath", an open-source library.

As for the system info it collects and reports - here is its format, including the Kraken version number:


<info>
  <first>1</first>
  <userdata>oneone</userdata>
  <version>317</version>
  <windowsversion>5.1.2600 Pro</windowsversion>
  <xpsp2>1</xpsp2>
  <connectionlimit>10</connectionlimit>
  <hostname>ComputerName</hostname>
  <upspeed>0</upspeed>
  <countrycode>1</countrycode>
  <language>en</language>
  <hostname>ComputerName</hostname>
  <cpu> Intel(R) Pentium(R) 4 CPU 3.20GHz (3193 MHz)</cpu>
  <memtotal>1024</memtotal>
  <memavailable>256</memavailable>
  <uptime>12686</uptime>
</info>

Tuesday, May 6, 2008

New Storm on the horizon – now even Microsoft cannot detect it

The new version of Storm, first seen over the last weekend, sends a clear message that the Storm group is not ready to give up, in spite of recent reports that Microsoft has used the power of its auto-updates to roll out a Storm bot killer.

Being very similar to its predecessors, the new variant can be distinguished by its deployment method: iframe injection.

An iframe pointing to a remote malicious script can be inserted into a blog post so that every reader of that post may have their browser attempt to execute that script.

In order to do nasty things on a client computer, the remote script needs to elevate its privileges. It attempts to do so by relying on buggy code that is already running inside the client's browser: buggy (and therefore vulnerable) ActiveX controls.

The obfuscated script that attempts to install Storm on the client machines targets 8 different ActiveX vulnerabilities.


  • One vulnerability that the Storm script targets exists in the MySpace ActiveX component used to upload images and files. When this vulnerability was discovered 3 months ago, the manufacturer of this component, Aurigma, mentioned in its reply that its ActiveX uploader had been used by hundreds of millions of users over a period of 5 years.

    What it means is that those MySpace users who are still running the older MySpace ActiveX component to upload their images and files are directly exposed to the risk of having their computers turned into zombies just by visiting legitimate sites that happen to carry the injected iframes (e.g. via malformed blog posts).


  • Another vulnerability that the Storm deployment script attempts to exploit (CVE-2008-0647) is a stack-based buffer overflow in the HanGamePluginCn18 ActiveX control of Ourgame GLWorld 2.6.1.29 (aka Lianzong Game Platform), caused by passing a long argument to its hgs_startNotify() method.





Other exploits the Storm script relies on are:


  • America Online SuperBuddy ActiveX Control Code Execution Vulnerability


  • Real Networks RealPlayer ActiveX Control Heap Corruption Exploit


  • IE 6/Microsoft Html Popup Window (mshtml.dll) DoS Exploit


  • DirectAnimation.PathControl COM object (daxctle.ocx) Exploit


  • Exploit that exists in 2 ActiveX HotBar components, by Zango Inc.

    (that must be the most unusual deployment method used by Storm)


  • MDAC ActiveX Code Execution Exploit


Since last weekend, only 5 unique samples of the new Storm have been seen in the wild. As mentioned above, the new variant is almost identical to the previous builds. As seen in this report, the new Storm now uses the filenames libor.exe and gogora.config.

VirusTotal detection is low as usual (22%).

Friday, April 25, 2008

Universal CAPTCHA Cracker: a new Deep Blue or "The Turk"?

According to some recent reports, there are cases where even the toughest CAPTCHA puzzles are solved within tens of seconds.

The new automated bots were blamed for auto-registering Windows Live Hotmail, Windows Live Mail, Google's Gmail and Google's Blogger accounts for spam/malware distribution and SEO poisoning attacks.

But what CAPTCHA-cracking engine stands behind these automated bots - a new Deep Blue endowed with AI, or the "The Turk"?


  • In 1997, Deep Blue managed to convince world champion Garry Kasparov that the machine had made a startling move only a human could conceive (he implied that the machine had cheated because the move seemed all too "human").

  • On the other hand, we all know "The Turk", a legendary chess-playing machine of the late 18th century that appeared to play a strong game of chess against a human opponent, but was later exposed as an elaborate hoax.



One website - CaptchaBot.com - allows bot masters to log on and call its web service requesting it to crack CAPTCHA images "of any complexity" on-the-fly.

They charge 3 US cents for every CAPTCHA they crack and guarantee the response time to be less than 90 seconds.

CaptchaBot's "How it works" page contains this scheme:



As seen in the picture, the scheme implies that some mysterious brain stands behind the entire CAPTCHA-cracking mechanism and recognizes images using OCR.

At the same time, there are some interesting websites that allow subscribers to make some cash by solving CAPTCHA images ("in your spare time or while you work").

One such site - KolotiBablo.com - is interesting in particular as on many forums people actually share their own experience with it.

Some users complain that while KolotiBablo.com still advertises its service as an easy way to make $3 per hour, the real earnings are much lower, because the load is now balanced between a growing number of users, who have to wait in a queue until they receive the next image to solve.

Another site, Grand-Sale-5.com, challenges KolotiBablo.com by paying double for every manually solved CAPTCHA.

One user claims he made $15 in 2 months by solving around 250 CAPTCHA images every day.

Now try to imagine a kiddo who managed to crack 15,000 CAPTCHAs in 2 months:



Wednesday, April 23, 2008

"Bobax" the Sheep

Tuesday, April 22, 2008

Kraken is Finally Cracked

The previous post provided a snapshot of the Kraken code responsible for generating dynamic DNS names.

As mentioned there, those names are pseudo-random and predictable, because the seed they are generated from is always the same.

The ThreatExpert system reports the list of DNS names, but this list is not complete.

If Kraken is left "running" by ThreatExpert for a bit longer, it will eventually generate a couple of thousand unique host names.

What are those names? Are they important? Is it possible to predict them?

Once we have the disassembled code of Kraken and know the seed of its randomizer, building our own tool around that code is a trivial task.

This source code is a quick-and-dirty port of Kraken’s DNS name randomizer.

It generates and prints 10,000 dynamic DNS names that the latest Kraken variant uses to address its C&C servers; that limit can easily be changed.

The tool can be compiled with any version of VC++.

The text output of this tool is provided here.

Monday, April 21, 2008

Kraken changes tactics

A new variant of the Kraken/Bobax bot, first seen in the wild on 14 April 2008, seems to be gaining a bit of power: over the last weekend, our ThreatExpert system received around 50 unique samples of it, and we are still getting them at the same pace, 20-25 new samples a day.

In the new variant of Kraken, dumping its c.dll module from the heap of its own process is a bit trickier because its PE header is now wiped out, so restoring the module's imports is not straightforward. You can still see its strings in the main process module, but to dump its code, look for a heap page that is 0x1B000 bytes in size. Otherwise, all you will find in the main process module is the code of the packer itself.

For example, look for a page that the packer allocates on the heap and extracts its payload into, at the address range 0x1DF0000-0x1E0B000 (exactly 0x1B000 bytes).

Once the code is located, let's see what it's doing.

To hook itself into the system, the previous variant registered itself as a service with the fixed display name "Print Spooler Service".

The new Kraken randomly chooses its service display name from the following list:


  • SolidWorks Licensing Service

  • LXCCCustomerConnect

  • Wireless Adapter Configurator

  • DeepSight Extractor Service for NP08

  • Dell Printer Status Watcher

  • DigiCtrl

  • CMG Shield

  • Cognos ReportNet

  • CommServer

  • Compaq DMI Web Agent

  • ActiveSMART Service

  • Advanced Networking Service

  • Amazon Unbox Video Service

  • Ati HotKey

  • Aventail VPN Client

  • Axon Service

  • BlueSoleilCS

  • BT Modem Lock

  • Creative Labs Licensing

  • DQLWinService

  • Electronic Arts Licensing Service

  • Electronic Arts Licensing



In order to evade host intrusion prevention systems (e.g. firewalls), the new Kraken "talks" to its command-and-control servers over HTTP using pseudo-random URLs.

The URLs it builds consist of several parts:

- a host name that is a pseudo-random string with a variable length from 7 to 12 characters; the algorithm that constructs this string was altered in this variant - it is provided below:



- please note that the seed it starts from is always the same; thus, it is possible to use the same algorithm and predict the entire list of its pseudo-random domain names;

- the constructed domain name is then appended with a dot (".") and then it is followed with one of the domain suffixes below (the first three suffixes have twice the chance of being selected than the following four suffixes):


  • dyndns.org

  • yi.org

  • mooo.com

  • dynserv.com

  • com

  • cc

  • net



- the dynamically constructed host name is then followed by a random resource name. The first part of this name is built from two sets of characters: the code hops from one list to the other to produce a string with properly matched vowels and consonants, following an internal rule that dictates when to hop, that is, when to pick a random vowel and when to pick a random consonant:

"a", "o", "e", "i", "y", "u", "ou", "oo"

and

"w", "r", "t", "p", "s", "d", "f", "g", "h", "j", "k", "l", "z", "c", "v", "b", "n", "m", "qu"

- the second part of the random resource name is a string that the bot picks up from the following list of 33 common English noun, verb, adjective, and adverb suffixes:


  • able

  • al

  • ance

  • ate

  • dom

  • en

  • ence

  • ency

  • er

  • ful

  • hood

  • ible

  • ify

  • ish

  • ism

  • ist

  • ity

  • ize

  • less

  • list

  • ly

  • ment

  • ness

  • or

  • ous

  • ship

  • sion

  • tial

  • tic

  • tion

  • tive

  • ulent



- the constructed random resource name is then followed by an extension that is randomly chosen from the following list:


  • shtml

  • asp

  • pl

  • cgi

  • jsp

  • php

  • ai



As shown above, the random resource name used by the bot combines a random string with properly matched vowels and consonants with a valid suffix.

In some way, we may call this new feature of the bot an "Artificial English Word Generator" that follows English spelling rules and produces words that look like most other words. For example, compare "confusulent" or "pritation" with something like "ktjptrca".

What is it for? Probably to evade spam filters, or any other algorithm that flags a random word by spotting weird or uncommon combinations of characters. If no rule or algorithm can be built to tell such a word apart, it cannot be detected and therefore cannot be blocked. (The host names, on the other hand, remain fully predictable because the seed is fixed, as noted above.)

The bot builds an HTTP request whose encrypted payload is MIME-encoded and labelled in the HTTP headers with a randomly chosen MIME type, as if it were an ordinary archive or media file.

Kraken/Bobax POSTs that HTTP package to its C&C servers (with the pseudo-random URLs), thus making it non-trivial to detect and block such traffic, as not much is left to "hook" in it.

The HTTP traffic it generates uses different MIME types that the bot randomly selects from the following list of 22 types:


  • ai: application/postscript

  • avi: video/x-msvideo

  • bin: application/octet-stream

  • bmp: image/x-ms-bmp

  • eps: application/postscript

  • gif: image/gif

  • gtar: application/x-gtar

  • hqx: application/mac-binhex40

  • jpeg: image/jpeg

  • jpg: image/jpeg

  • mpeg: video/mpeg

  • mpg: video/mpeg

  • pdf: application/pdf

  • png: image/x-png

  • ppt: application/ms-powerpoint

  • ps: application/postscript

  • sea: application/x-stuffit

  • sit: application/x-stuffit

  • tar: application/x-tar

  • uu: application/octet-stream

  • wav: audio/x-wav

  • zip: application/zip


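A generator that follows the URL grammar described above, written here as an added example that serves both this description and the 22 April post's mention of a tool that pre-generates Kraken's host names. It is neither the bot's code nor ThreatExpert's port. The lists, lengths and weights are the ones given on this page; three things are assumptions because the page does not give them: a plain linear congruential generator stands in for Kraken's own randomizer (its screenshot did not survive), the host label alphabet is taken to be a-z, and the vowel/consonant hop rule is taken to be strict alternation starting on a consonant. The suffix list as reproduced on the page has 32 entries, which is what the code uses.

```c
/* Kraken-style C&C URL generator: an added example, not the bot's code and not
   ThreatExpert's port. Lists, lengths and weights are the ones the post gives.
   Assumptions: a plain LCG stands in for Kraken's own randomizer (its screenshot
   is missing), the hop rule is strict consonant/vowel alternation, labels are a-z. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define N(a) (sizeof(a) / sizeof((a)[0]))

typedef struct { uint32_t s; } rng;          /* same seed => same URL list, every run */
static unsigned rng_pick(rng *r, unsigned n)
{
    r->s = r->s * 1664525u + 1013904223u;     /* assumed LCG, not Kraken's generator */
    return (r->s >> 16) % n;
}

static const char *DOMAINS[] = { "dyndns.org", "yi.org", "mooo.com", "dynserv.com", "com", "cc", "net" };
static const unsigned char DOMAIN_SLOT[10] = { 0, 0, 1, 1, 2, 2, 3, 4, 5, 6 };  /* first three weigh double */
static const char *VOWELS[] = { "a", "o", "e", "i", "y", "u", "ou", "oo" };
static const char *CONSONANTS[] = { "w", "r", "t", "p", "s", "d", "f", "g", "h", "j",
                                    "k", "l", "z", "c", "v", "b", "n", "m", "qu" };
static const char *SUFFIXES[] = {            /* the 32 suffixes reproduced in the post */
    "able", "al", "ance", "ate", "dom", "en", "ence", "ency", "er", "ful", "hood",
    "ible", "ify", "ish", "ism", "ist", "ity", "ize", "less", "list", "ly", "ment",
    "ness", "or", "ous", "ship", "sion", "tial", "tic", "tion", "tive", "ulent" };
static const char *EXTS[] = { "shtml", "asp", "pl", "cgi", "jsp", "php", "ai" };
static const char *MIME[] = {                /* the 22 Content-Type values the post lists */
    "application/postscript", "video/x-msvideo", "application/octet-stream",
    "image/x-ms-bmp", "application/postscript", "image/gif", "application/x-gtar",
    "application/mac-binhex40", "image/jpeg", "image/jpeg", "video/mpeg", "video/mpeg",
    "application/pdf", "image/x-png", "application/ms-powerpoint", "application/postscript",
    "application/x-stuffit", "application/x-stuffit", "application/x-tar",
    "application/octet-stream", "audio/x-wav", "application/zip" };
typedef struct { char url[128]; const char *content_type; } cnc_request;

/* Pronounceable stem of 2..4 consonant+vowel pairs plus an English suffix:
   output like "pritation" rather than "ktjptrca". */
static void gen_resource(rng *r, char *out, size_t cap)
{
    unsigned pairs = 2 + rng_pick(r, 3);
    out[0] = '\0';
    for (unsigned i = 0; i < pairs; i++) {
        strncat(out, CONSONANTS[rng_pick(r, N(CONSONANTS))], cap - strlen(out) - 1);
        strncat(out, VOWELS[rng_pick(r, N(VOWELS))], cap - strlen(out) - 1);
    }
    strncat(out, SUFFIXES[rng_pick(r, N(SUFFIXES))], cap - strlen(out) - 1);
}

/* One request: http://<7..12 letter label>.<weighted domain>/<stem+suffix>.<ext> */
static cnc_request gen_request(rng *r)
{
    cnc_request q;
    char host[13], res[48];
    unsigned len = 7 + rng_pick(r, 6), i;
    for (i = 0; i < len; i++) host[i] = (char)('a' + rng_pick(r, 26));
    host[i] = '\0';
    const char *dom = DOMAINS[DOMAIN_SLOT[rng_pick(r, N(DOMAIN_SLOT))]];
    gen_resource(r, res, sizeof res);
    snprintf(q.url, sizeof q.url, "http://%s.%s/%s.%s", host, dom, res, EXTS[rng_pick(r, N(EXTS))]);
    q.content_type = MIME[rng_pick(r, N(MIME))];
    return q;
}

/* Shape check: "http://<7..12 characters>.<listed domain>/..." */
static int url_has_shape(const char *u)
{
    if (strncmp(u, "http://", 7) != 0) return 0;
    const char *lab = u + 7, *dot = strchr(lab, '.'), *slash = strchr(lab, '/');
    if (!dot || !slash || dot > slash || dot - lab < 7 || dot - lab > 12) return 0;
    for (size_t i = 0; i < N(DOMAINS); i++)
        if ((size_t)(slash - dot - 1) == strlen(DOMAINS[i]) && strncmp(dot + 1, DOMAINS[i], strlen(DOMAINS[i])) == 0)
            return 1;
    return 0;
}

/* Defender's angle: the seed is fixed, so the first n URLs can be pre-generated
   for a blocklist. Returns 1 if two equally seeded generators agree on all n
   requests and every URL has the expected shape. */
static int generator_self_check(uint32_t seed, int n)
{
    rng a = { seed }, b = { seed };
    for (int i = 0; i < n; i++) {
        cnc_request x = gen_request(&a), y = gen_request(&b);
        if (strcmp(x.url, y.url) != 0 || x.content_type != y.content_type || !url_has_shape(x.url)) return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    rng r = { 317 };                 /* any fixed seed; 317 is just the variant number */
    int n = argc > 1 ? atoi(argv[1]) : 10;
    for (int i = 0; i < n; i++) {
        cnc_request q = gen_request(&r);
        printf("POST %s\nContent-Type: %s\n\n", q.url, q.content_type);
    }
    return 0;
}
```

Compiled with any C compiler and run as `kraken_urlgen 10000 > urls.txt`, it emits the requested number of requests. The output shape is what matters, not the specific strings: because the PRNG is a stand-in, these URLs will not match Kraken's real ones; with the bot's actual generator dropped into rng_pick, the same fixed seed yields the real list, which is exactly why a fixed seed makes such a scheme predictable and a pre-generated blocklist feasible.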

As demonstrated above, the new element of randomness in this bot makes it extremely dangerous, considering how much effort it puts into concealing its traffic so that it flows past firewalls unobstructed.

The backdoor component is left intact in the new variant - its code was copy-and-pasted from the previous variant: the same commands, the same responses.

The SPAM engine and the email collector module are also identical to the previous variant.

VirusTotal.com results are not very good: only 9 out of 32 AV scanners (28.12%) detect this threat, and only two of those identify it explicitly.

ThreatExpert was updated to generically detect the whole Kraken family, as seen in this report.

Monday, April 7, 2008

Crikey, you’ve been Kraken!

Kraken bot, also known as Bobax, Bobic, Oderoor, Cotmonger, Hacktool.Spammer, is a template-based SPAM mailbot that recently got some mass-media attention here and here.

At ThreatExpert site, there is a slight surge in the number of submissions of this threat.

As this bot unpacks its embedded stub onto its own heap (kind of self-injection), the quickest way of analyzing it is to locate a heap page in its own process that has an approximate size of 200Kb and starts with an MZ-header, dump that page and load it into the disassembler.

As seen from the code, the control channel for this bot is established over the TCP port 447:



The backdoor component of this bot allows the following remote commands:


  • "info": report bot statistics

  • "version": report bot version

  • "windowsversion": report the Windows version of the compromised system (as returned by the GetVersionExA() API)

  • "hostname": report the local host name

  • "upspeed": report the bot's upload speed

  • "countrycode": report the country the bot is running in, obtained with the GetLocaleInfoA() API


Other commands instruct the bot to report various system information, such as total amount of system memory, amount of free memory, amount of time the bot is running, etc.

For example, the bot may construct and send back the collected information in the form of the following XML file:

<info>
  <first>1</first>
  <userdata>nine</userdata>
  <version>315</version>
  <windowsversion>5.1.2600 Pro</windowsversion>
  <xpsp2>1</xpsp2>
  <connectionlimit>10</connectionlimit>
  <hostname>ComputerName</hostname>
  <upspeed>0</upspeed>
  <countrycode>1</countrycode>
  <language>en</language>
  <hostname>ComputerName</hostname>
  <cpu> Intel(R) Pentium(R) 4 CPU 3.20GHz (3193 MHz)</cpu>
  <memtotal>1024</memtotal>
  <memavailable>538</memavailable>
  <uptime>17024</uptime>
</info>

In order to retrieve the connection limit of the current system, the bot checks the contents of the file tcpip.sys (as is known, patching this file on Windows XP SP2 may lift the limit on concurrent half-open outbound TCP connections).

By the way, one of the encrypted strings it uses has characters "odneRO0R" in it:



which explains why some vendors named it "Oderoor".

Another remote command instructs the bot to enumerate the file system and harvest email addresses from files with the following extensions:

• 123
• asm
• chm
• cpp
• csv
• dbf
• dif
• doc
• eps
• h
• htm
• html
• hwp
• inc
• info
• jtd
• nfo
• ott
• pdf
• php
• ps
• rtf
• sdc
• sdw
• slk
• sxw
• sys
• tmp
• txt
• wab
• wk1
• wks
• wpd
• wps
• xml

The bot has an internal client SMTP engine that it engages in sending out SPAM.