Wednesday, May 7, 2008

Memory Stealthiness of Kraken

A new variant of Kraken (v317) demonstrates extremely stealthy memory techniques.

This time, it dynamically decodes the chunks of code and data only when it needs them, leaving no traces behind that could be suitable for generic memory signatures.

The total amount of memory that Kraken consumes was measured with a tool specially built for this purpose. The tool simply checked its total memory consumption every 100ms, from starting the executable until it reached its active phase. With every check, the tool also scanned the entire scope of its address space (including all modules and heap), looking for the string "yi.org", which is known from a dynamic analysis of this bot.
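A Linux re-creation of that sampling scanner, added here as an example; it is not the post's own (Windows) tool. It assumes a /proc filesystem, a pid the caller is allowed to read (its own, or one it holds ptrace rights on), and uses a constructed maps excerpt (SAMPLE_MAPS, not captured from Kraken) so the parsing and search logic can be exercised offline.

```python
import re, time
# Constructed /proc/<pid>/maps excerpt for offline use (not captured from Kraken).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:02 173521 /opt/sample/bot
01c00000-01c21000 rw-p 00000000 00:00 0 [heap]
7f1a2c000000-7f1a2c021000 ---p 00000000 00:00 0
"""
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+ *(.*)$")

def parse_maps(text):
    """Return (start, end, perms, path) for each region a scanner can read (perms start with 'r')."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line)
        if m and m.group(3).startswith("r"):
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return regions

def find_needle(chunks, needle):
    """Absolute addresses of every occurrence of needle; chunks are (region, bytes) pairs."""
    hits = []
    for (start, _end, _perms, _path), data in chunks:
        off = data.find(needle)
        while off != -1:
            hits.append(start + off)
            off = data.find(needle, off + 1)
    return hits

def read_regions(pid):
    """Linux only: yield (region, bytes) through /proc/<pid>/mem (own pid, or ptrace rights on pid)."""
    regions = parse_maps(open(f"/proc/{pid}/maps").read())
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for r in regions:
            try:
                mem.seek(r[0])
                yield r, mem.read(r[1] - r[0])
            except OSError:
                continue  # [vvar] and similar mappings refuse reads; skip them

def rss_kib(pid):  # resident set size in KiB, the chart's memory-consumption axis
    with open(f"/proc/{pid}/status") as f:
        return next((int(l.split()[1]) for l in f if l.startswith("VmRSS:")), 0)

def sample(pid, needle, interval=0.1, count=20):
    """Poll every `interval` seconds; each row (elapsed_s, rss_kib, hit_count) is one chart sample."""
    t0, rows = time.monotonic(), []
    for _ in range(count):
        rows.append((round(time.monotonic() - t0, 2), rss_kib(pid), len(find_needle(read_regions(pid), needle))))
        time.sleep(interval)
    return rows
```

Running `sample(os.getpid(), b"yi.org")` scans the scanner's own process, which is a convenient way to check the reader before pointing it at a sandboxed sample.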

The tool produced an interesting result that is shown below:



As the graph suggests, the Kraken executable spends a considerable amount of time "shaking off" emulators from its tail. But even when it reaches its active payload phase, it still does not expose its original strings.

The vertical red lines on the chart represent the occurrences of the string "yi.org", which is part of a dynamic DNS name that it generates. Thus, it pulls the name, works with it, then destroys it, keeping the amount of data suitable for generic detection as low as possible. Well, if APIs could accept encrypted parameters, it would surely feed them encrypted, but they don't; thus Kraken has no choice but to decrypt them only when it calls those APIs, and only after it reaches its active payload phase. Pretty impressive stealthiness in memory.

The next image shows the contents of a small heap fragment at the same address, analysed every 100ms:



That narrow "window" is all that Kraken exposes for memory contents analysis, making generic memory signature-based detection unreliable.

Another aspect worth noting is that the new Kraken now has its cryptography based on "LibTomMath", an open-source library.

As for the system info it collects and reports, here is its format, including the Kraken version number:


<info>
  <first>1</first>
  <userdata>oneone</userdata>
  <version>317</version>
  <windowsversion>5.1.2600 Pro</windowsversion>
  <xpsp2>1</xpsp2>
  <connectionlimit>10</connectionlimit>
  <hostname>ComputerName</hostname>
  <upspeed>0</upspeed>
  <countrycode>1</countrycode>
  <language>en</language>
  <hostname>ComputerName</hostname>
  <cpu> Intel(R) Pentium(R) 4 CPU 3.20GHz (3193 MHz)</cpu>
  <memtotal>1024</memtotal>
  <memavailable>256</memavailable>
  <uptime>12686</uptime>
</info>