Tuesday, April 22, 2008

Kraken is Finally Cracked

The previous post provided a snapshot of the Kraken code responsible for generating dynamic DNS names.

As mentioned there, those names are only pseudo-random: the generator's seed never changes, so every Kraken instance walks through exactly the same sequence of names.

The ThreatExpert system reports the list of DNS names it observed, but that list is not complete.

If Kraken is left “running” under ThreatExpert for a bit longer, it will eventually generate a couple of thousand unique host names.

What are those names? Are they important? Is it possible to predict them?

Once we have Kraken’s disassembled code and know the seed of its randomizer, building our own tool around that code is a trivial task.

This source code is a quick-and-dirty port of Kraken’s DNS name randomizer.

It generates and prints to the screen 10,000 of the dynamic DNS names that the latest Kraken variant uses to locate its C&C servers; that limit can easily be changed.
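To make the underlying point concrete, the following is an added illustrative example and not Kraken’s code or the tool linked above: a stand-in name generator driven by a constant seed. The LCG constants, the fixed seed value, the label format and the reserved example suffixes are all assumptions chosen for illustration. What it shows is the property that makes such a list publishable in advance: two independent runs from the same seed produce the same names in the same order, so anyone holding the generator logic and the seed can enumerate the whole sequence before the bot ever resolves a name.

```c
/* Added example: a constant-seed domain generator (NOT Kraken's algorithm).
 * The LCG, seed, label lengths and suffixes are hypothetical; the point is
 * that a fixed seed makes the "dynamic" names fully enumerable in advance. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DGA_SEED     0x12345678u  /* hypothetical fixed seed baked into the "sample" */
#define DGA_MAX_NAME 32           /* longest name here is 11 + 1 + 11 + NUL = 24 */

/* Suffixes the generated labels are attached to (reserved example domains). */
static const char *const kSuffixes[] = { "example.com", "example.net", "example.org" };
#define NUM_SUFFIXES (sizeof(kSuffixes) / sizeof(kSuffixes[0]))

/* Hypothetical LCG using the classic MSVC rand() constants; 15-bit output. */
static uint32_t dga_rand(uint32_t *state)
{
    *state = *state * 214013u + 2531011u;
    return (*state >> 16) & 0x7fffu;
}

/* Write the next host name into out (NUL-terminated) and return its length,
 * or -1 if out is too small.  Consumes 2 + label_len PRNG outputs per name. */
int dga_next_name(uint32_t *state, char *out, size_t outlen)
{
    unsigned len = 6 + dga_rand(state) % 6;                    /* label length 6..11 */
    const char *suffix = kSuffixes[dga_rand(state) % NUM_SUFFIXES];
    if (outlen < len + 1 + strlen(suffix) + 1)
        return -1;
    for (unsigned i = 0; i < len; i++)
        out[i] = (char)('a' + dga_rand(state) % 26);           /* lowercase a..z */
    out[len] = '.';
    strcpy(out + len + 1, suffix);
    return (int)strlen(out);
}

/* Enumerate the first `count` names for `seed` into names[]; returns how many were produced. */
int dga_enumerate(uint32_t seed, unsigned count, char names[][DGA_MAX_NAME])
{
    uint32_t state = seed;
    for (unsigned i = 0; i < count; i++)
        if (dga_next_name(&state, names[i], DGA_MAX_NAME) < 0)
            return (int)i;
    return (int)count;
}

/* Two independent runs from the same seed must agree name-for-name; that
 * equality is exactly what lets a defender publish the list ahead of time. */
int dga_is_deterministic(uint32_t seed, unsigned count)
{
    char a[DGA_MAX_NAME], b[DGA_MAX_NAME];
    uint32_t s1 = seed, s2 = seed;
    for (unsigned i = 0; i < count; i++) {
        if (dga_next_name(&s1, a, sizeof a) < 0 || dga_next_name(&s2, b, sizeof b) < 0)
            return 0;
        if (strcmp(a, b) != 0)
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    static char names[10000][DGA_MAX_NAME];
    int count = (argc > 1) ? atoi(argv[1]) : 10000;       /* default mirrors the post's 10,000 */
    if (count < 0 || count > 10000)
        count = 10000;
    int n = dga_enumerate(DGA_SEED, (unsigned)count, names);
    for (int i = 0; i < n; i++)
        puts(names[i]);
    return 0;
}
```

Compile with any C compiler (`cc dga.c -o dga`) and run with an optional count; pipe the output into a file to get the same kind of pre-computed list as the one linked below. Swapping in the real generator's arithmetic and seed, recovered from the disassembly, is the only change a port such as the one above needs.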

The tool can be compiled with any version of VC++.

The text output of this tool is provided here.