A new variant of the Kraken/Bobax bot, first seen in the wild on 14 April 2008, seems to be gaining momentum: over the last weekend our ThreatExpert system received around 50 unique samples of it, and they are still arriving at the same pace, 20-25 new samples a day.
In the new variant of Kraken, dumping its c.dll module from the heap of its own process is a bit trickier because the module's PE header is now wiped out, so restoring the module's imports is not straightforward. Its strings are still visible in the main process module, but to dump its code you have to look for a heap page that is 0x1B000 bytes in size; all you will find in the main process module itself is the code of the packer.
For example, in one run the packer allocated such a page on the heap and extracted the module into the address range 0x1DF0000-0x1E0B000 (exactly 0x1B000 bytes); the base address will differ from run to run, the size is the thing to look for.
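The following script is an added example, not part of the original post or of ThreatExpert's tooling. It walks the address space of a running process with VirtualQueryEx, selects committed private (heap) regions of exactly 0x1B000 bytes, writes each candidate to disk and reports whether an MZ/PE header is still present at its start (in the new variant it is not). The size constant, the MEM_* flags and the Windows API calls are real; the file-name prefix and the assumption that the unpacked module sits in a single region of that size are this example's own.

```python
import ctypes
import struct
import sys
from dataclasses import dataclass

MEM_COMMIT = 0x1000       # region state: committed
MEM_PRIVATE = 0x20000     # region type: private (heap / VirtualAlloc), not image or mapped
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
TARGET_SIZE = 0x1B000     # size of the heap page holding the unpacked c.dll code (from the post)


@dataclass
class Region:
    base: int
    size: int
    state: int
    mem_type: int


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p),
                ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong),
                ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong),
                ("Protect", ctypes.c_ulong),
                ("Type", ctypes.c_ulong)]


def candidate_regions(regions, size=TARGET_SIZE):
    """Pure selection logic: committed private regions of exactly `size` bytes."""
    return [r for r in regions
            if r.state == MEM_COMMIT and r.mem_type == MEM_PRIVATE and r.size == size]


def has_pe_header(data):
    """True if the buffer still starts with an MZ stub pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _kernel32():
    """kernel32 with argtypes set so 64-bit handles/pointers are not truncated (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32


def enumerate_regions(k32, handle):
    """Walk the whole user address space one region at a time until VirtualQueryEx fails."""
    regions, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    while k32.VirtualQueryEx(handle, ctypes.c_void_p(addr), ctypes.byref(mbi), ctypes.sizeof(mbi)):
        base = mbi.BaseAddress or 0
        regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Type))
        addr = base + mbi.RegionSize
    return regions


def dump_candidates(pid, prefix="kraken_heap"):
    """Dump every candidate region of `pid` to <prefix>_<base>.bin (Windows only)."""
    k32 = _kernel32()
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        for r in candidate_regions(enumerate_regions(k32, handle)):
            buf, got = ctypes.create_string_buffer(r.size), ctypes.c_size_t()
            if not k32.ReadProcessMemory(handle, ctypes.c_void_p(r.base), buf, r.size, ctypes.byref(got)):
                continue
            data = buf.raw[:got.value]
            name = "%s_%08x.bin" % (prefix, r.base)
            with open(name, "wb") as f:
                f.write(data)
            print("%s: %d bytes, PE header %s" % (name, len(data),
                  "present" if has_pe_header(data) else "wiped"))
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__":
    dump_candidates(int(sys.argv[1]))
```

Run it against the live bot process (`python dump_heap.py <pid>`) from an analysis VM; a dump reported as "wiped" is the case the post describes, and the imports then have to be rebuilt by hand from the call sites rather than from a directory table.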
Once the code is located, let's see what it does.
To hook itself into the system, the previous variant registered itself as a service with the fixed display name "Print Spooler Service".
The new Kraken picks its service display name at random from the following list:
- SolidWorks Licensing Service
- LXCCCustomerConnect
- Wireless Adapter Configurator
- DeepSight Extractor Service for NP08
- Dell Printer Status Watcher
- DigiCtrl
- CMG Shield
- Cognos ReportNet
- CommServer
- Compaq DMI Web Agent
- ActiveSMART Service
- Advanced Networking Service
- Amazon Unbox Video Service
- Ati HotKey
- Aventail VPN Client
- Axon Service
- BlueSoleilCS
- BT Modem Lock
- Creative Labs Licensing
- DQLWinService
- Electronic Arts Licensing Service
- Electronic Arts Licensing
In order to evade host intrusion prevention systems (e.g. personal firewalls), the new Kraken "talks" to its command-and-control servers over HTTP, using pseudo-random URLs.
The URLs it builds consist of several parts:
- a host name: a pseudo-random string of variable length, 7 to 12 characters; the algorithm that constructs this string was altered in this variant - it is provided below:
- note that the seed it starts from is always the same, so the same algorithm can be used to predict the entire list of its pseudo-random domain names;
- the constructed domain name is then followed by a dot (".") and one of the domain suffixes below (each of the first three suffixes is twice as likely to be selected as each of the following four):
- dyndns.org
- yi.org
- mooo.com
- dynserv.com
- com
- cc
- net
- the dynamically constructed host name is then followed by a random resource name. The first part of this name is built from two sets of characters; the code hops from one set to the other to produce a string with properly matched vowels and consonants, following an internal rule that dictates when to hop - that is, when to pick a random vowel and when to pick a random consonant:
"a", "o", "e", "i", "y", "u", "ou", "oo"
and
"w", "r", "t", "p", "s", "d", "f", "g", "h", "j", "k", "l", "z", "c", "v", "b", "n", "m", "qu"
- the second part of the random resource name is a string that the bot picks up from the following list of 33 common English noun, verb, adjective, and adverb suffixes:
- able
- al
- ance
- ate
- dom
- en
- ence
- ency
- er
- ful
- hood
- ible
- ify
- ish
- ism
- ist
- ity
- ize
- less
- list
- ly
- ment
- ness
- or
- ous
- ship
- sion
- tial
- tic
- tion
- tive
- ulent
- the constructed random resource name is then followed by an extension chosen at random from the extensions in the MIME-type list given further below.
Put together, the random resource name used by the bot combines a random string with properly matched vowels and consonants with a valid English suffix.
In a way, this new feature of the bot could be called an "Artificial English Word Generator": it follows English spelling patterns and produces words that look much like real ones. Compare, for example, "confusulent" or "pritation" with something like "ktjptrca".
What is it for? Probably to evade spam filters, or any other heuristic that spots a random word by its weird or uncommon character combinations. If no rule can tell such a word from a real one, the word alone gives nothing to detect and block on.
The bot builds an HTTP request whose encrypted contents are MIME-encoded and declared in the HTTP header as a randomly chosen archive or media type.
Kraken/Bobax POSTs that request to its C&C servers at the pseudo-random URLs, which makes such traffic non-trivial to detect and block, since little is left to "hook" on.
The MIME type is selected at random from the following list of 22 extension/type pairs:
- ai: application/postscript
- avi: video/x-msvideo
- bin: application/octet-stream
- bmp: image/x-ms-bmp
- eps: application/postscript
- gif: image/gif
- gtar: application/x-gtar
- hqx: application/mac-binhex40
- jpeg: image/jpeg
- jpg: image/jpeg
- mpeg: video/mpeg
- mpg: video/mpeg
- pdf: application/pdf
- png: image/x-png
- ppt: application/ms-powerpoint
- ps: application/postscript
- sea: application/x-stuffit
- sit: application/x-stuffit
- tar: application/x-tar
- uu: application/octet-stream
- wav: audio/x-wav
- zip: application/zip
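To make the URL scheme described above concrete, here is an added example (not the bot's own code, and not from the original post). It generates URLs from the lists the post gives: a 7-12 character host, the weighted domain suffixes, a resource name built by hopping between the vowel and consonant sets and capped with a suffix, and an extension from the MIME-type list. Two things are assumptions of this example rather than facts from the post: the host-name algorithm (whose listing is not reproduced here) is replaced by lowercase letters from a seeded PRNG, and the unknown hop rule is replaced by strict consonant/vowel alternation. The same block also shows the defender's side: because every piece comes from a fixed list, the overall URL shape can still be matched even though the individual words look English, and a fixed seed makes the whole sequence reproducible.

```python
import random
import re
import string

# Character sets and lists reproduced from the post.
VOWELS = ["a", "o", "e", "i", "y", "u", "ou", "oo"]
CONSONANTS = ["w", "r", "t", "p", "s", "d", "f", "g", "h", "j", "k", "l",
              "z", "c", "v", "b", "n", "m", "qu"]
# The post counts 33 suffixes; the 32 it reproduces are used here.
SUFFIXES = ["able", "al", "ance", "ate", "dom", "en", "ence", "ency", "er", "ful",
            "hood", "ible", "ify", "ish", "ism", "ist", "ity", "ize", "less", "list",
            "ly", "ment", "ness", "or", "ous", "ship", "sion", "tial", "tic", "tion",
            "tive", "ulent"]
# The first three suffixes are twice as likely as the other four, so they appear twice.
DOMAIN_SUFFIXES = (["dyndns.org", "yi.org", "mooo.com"] * 2
                   + ["dynserv.com", "com", "cc", "net"])
MIME_TYPES = {
    "ai": "application/postscript", "avi": "video/x-msvideo",
    "bin": "application/octet-stream", "bmp": "image/x-ms-bmp",
    "eps": "application/postscript", "gif": "image/gif",
    "gtar": "application/x-gtar", "hqx": "application/mac-binhex40",
    "jpeg": "image/jpeg", "jpg": "image/jpeg", "mpeg": "video/mpeg",
    "mpg": "video/mpeg", "pdf": "application/pdf", "png": "image/x-png",
    "ppt": "application/ms-powerpoint", "ps": "application/postscript",
    "sea": "application/x-stuffit", "sit": "application/x-stuffit",
    "tar": "application/x-tar", "uu": "application/octet-stream",
    "wav": "audio/x-wav", "zip": "application/zip",
}


def random_host(rng):
    # ASSUMPTION: the post's host-name algorithm is not reproduced here; a 7-12 letter
    # lowercase string drawn from the seeded PRNG stands in for it.
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(7, 12)))


def random_word(rng):
    # ASSUMPTION: the bot's hop rule is not given; strict consonant/vowel alternation
    # starting with a consonant is used here, followed by one of the English suffixes.
    groups = rng.randint(2, 6)
    parts = [rng.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(groups)]
    return "".join(parts) + rng.choice(SUFFIXES)


def build_url(rng):
    host = random_host(rng) + "." + rng.choice(DOMAIN_SUFFIXES)
    ext = rng.choice(sorted(MIME_TYPES))
    return "http://%s/%s.%s" % (host, random_word(rng), ext)


def generate_urls(seed, count):
    """Same seed -> same list: this is what makes a fixed-seed generator predictable."""
    rng = random.Random(seed)  # stand-in for the bot's own PRNG, which is not reproduced here
    return [build_url(rng) for _ in range(count)]


def content_type_for(ext):
    """Content-Type the bot would declare for the chosen extension."""
    return MIME_TYPES[ext]


def _alt(items):
    # Longest alternatives first so "ou", "oo", "qu" are tried before single letters.
    return "|".join(re.escape(x) for x in sorted(set(items), key=len, reverse=True))


# Detection side: every component is drawn from a fixed list, so the URL shape is matchable
# even though the resource names read like English words.
URL_PATTERN = re.compile(r"^http://[a-z]{7,12}\.(?:%s)/(?:%s)+(?:%s)\.(?:%s)$" % (
    _alt(DOMAIN_SUFFIXES), _alt(VOWELS + CONSONANTS), _alt(SUFFIXES), _alt(MIME_TYPES)))


def matches_kraken_pattern(url):
    return URL_PATTERN.match(url) is not None


if __name__ == "__main__":
    for u in generate_urls(2008, 5):
        print(u, content_type_for(u.rsplit(".", 1)[1]), matches_kraken_pattern(u))
```

The structural matcher is deliberately loose (it accepts any mix of the two character sets, not just the bot's hop sequence), which is the right trade-off for a proxy or IDS rule: the dynamic-DNS suffixes, the 32-entry suffix list and the 22 extensions are the parts the bot cannot vary, so that is where the signature lives.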
As demonstrated above, the new element of randomness in this bot makes it extremely dangerous, considering how much effort it puts into concealing its traffic so that it passes firewalls unobstructed.
The backdoor component is unchanged in the new variant - its code was copied verbatim from the previous variant: the same commands, the same responses.
The spam engine and the email collector module are also identical to those of the previous variant.
VirusTotal.com results are not encouraging: only 9 out of 32 AV scanners (28.12%) detect this threat, and only two of those identify it explicitly.
ThreatExpert was updated to generically detect the whole Kraken family, as seen in this report.