Monday, April 7, 2008

Crikey, you’ve been Kraken!

Kraken bot, also known as Bobax, Bobic, Oderoor, Cotmonger, Hacktool.Spammer, is a template-based SPAM mailbot that was recently reported by Paul Royal, principal researcher at Atlanta-based security company Damballa (please read the reports here and here).

At ThreatExpert site, there is a slight surge in the number of submissions of this threat.

As this bot unpacks its embedded stub onto its own heap (kind of self-injection), the quickest way of analyzing it is to locate a heap page in its own process that has an approximate size of 200Kb and starts with an MZ-header, dump that page and load it into the disassembler.

As seen from the code, the control channel for this bot is established over the TCP port 447:



The backdoor component of this bot allows the following remote commands:

  • "info": report bot statistics

  • “version”: report bot version

  • “windowsversion”: report Windows version of the compromised system (as reported by GetVersionExA() API)

  • "hostname": report the local host name

  • "upspeed": report the upload speed of the bot

  • "countrycode": report what country the bot is currently running with the GetLocaleInfoA() API


Other commands instruct the bot to report various system information, such as total amount of system memory, amount of free memory, amount of time the bot is running, etc.

For example, the bot may construct and send back the collected information in the form of the following XML file:

<info>
  <first>1</first>
  <userdata>nine</userdata>
  <version>315</version>
  <windowsversion>5.1.2600 Pro</windowsversion>
  <xpsp2>1</xpsp2>
  <connectionlimit>10</connectionlimit>
  <hostname>ComputerName</hostname>
  <upspeed>0</upspeed>
  <countrycode>1</countrycode>
  <language>en</language>
  <hostname>ComputerName</hostname>
  <cpu> Intel(R) Pentium(R) 4 CPU 3.20GHz (3193 MHz)</cpu>
  <memtotal>1024</memtotal>
  <memavailable>538</memavailable>
  <uptime>17024</uptime>
</info>

In order to retrieve the connection limit of the current system, the bot checks the content of the file tcpip.sys (as it is known, patching this file on Windows XP system may extend the concurrent connection limit).

By the way, one of the encrypted strings it uses has characters "odneRO0R" in it:



which explains why some vendors named it "Oderoor".

Another remote command instruct the bot to enumerate the file system, and harvest email addresses from the files with the following extensions:

• 123
• asm
• chm
• cpp
• csv
• dbf
• dif
• doc
• eps
• h
• htm
• html
• hwp
• inc
• info
• jtd
• nfo
• ott
• pdf
• php
• ps
• rtf
• sdc
• sdw
• slk
• sxw
• sys
• tmp
• txt
• wab
• wk1
• wks
• wpd
• wps
• xml

The bot has an internal client SMTP engine that it engages in sending out SPAM.