Kraken Botnet

Notification Date: April 11, 2008
Notification Version: 1.0

Name: Kraken Botnet
Public disclosure / In the wild date: late 2007, possibly late 2006
Aliases: Oderoor (Microsoft & BitDefender), Spakrab (Symantec), and possibly Bobax
Risk: Low
Distribution: Low
CME: none

Description:

Kraken is a botnet that may be a not-so-distant relative of the Bobax botnet.  The malware used by this botnet appears to share code or be a variant of previous malware.  Although some samples may evade antivirus technologies, the majority of samples are detected with behavior-based detection.  The main purpose of the Kraken bot appears to be spam relay. 

Recent unverified reports have claimed that the Kraken botnet has infiltrated 10% of Fortune 500 companies.  Although X-Force has not verified this information, we have analyzed Kraken samples and would like to advise our customers that the antivirus technologies in our host and network products have detected all of the samples we have collected as of 4/11/2008 9 AM EST.  In addition to antivirus coverage, Proventia ADS has specific botnet detection capabilities for Kraken.

Research Credits: Detailed description provided by Jose Nazario at Arbor Networks

ISS Coverage

Product: Proventia Desktop, Proventia Multifunction, Proventia Mail
Content Version: base version (with antivirus enabled)

Propagation Techniques: email/spam

ISS Protection:
  • Mal/Generic-A (Proventia-M signature AV)
  • Mal/EncPk-CK (Proventia-M signature AV)
  • Mal/EncPk-Y (Proventia-M signature AV)
  • Backdoor.Oderoor.G (desktop signature AV)
  • Backdoor.Oderoor.BM (desktop signature AV)
  • Trojan.Obfuscated.GY (desktop signature AV)
  • Backdoor.Oderoor.BN (desktop signature AV)
  • Trojan.Agent.AHNY (desktop signature AV)

Available: Jan 8, 2008; Feb 21, 2007; Jul 7, 2007; tbd

Detection Techniques:
  • Network bot detection
  • Proventia Content Filtering technologies

ISS Detection:
  • ADS Active Threat Feed - ATF-2008-202
  • IDS coverage TBD
  • Antispam and Web-filtering Malware categories can block potential infections through these vectors

Detailed Description

Description:

Kraken is a spam Trojan, also known as Oderoor. Infected hosts form a botnet, receiving spam templates and recipient lists from a list of control nodes. It sends out spam from an infected machine and might also download other malicious files onto the infected machine.

Hosts become infected with Kraken (or Oderoor) through Trojan downloads over instant messaging or peer-to-peer links. We have also seen at least one IRC botnet used to distribute this malware.

On startup, the malware first tries to resolve a list of hostnames hardcoded into the binary to discover the current Kraken server IPs. Once hostname resolution is complete, the malware sends a UDP datagram to the Kraken servers on destination port 447 to identify the victim machine. Depending on the malware variant, the payload size of this datagram is between 24 and 74 bytes. The infected host then receives a spam template and starts sending spam according to it. Periodically, the malware connects to the Kraken servers on UDP/TCP port 447, possibly to fetch new templates.
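The check-in behaviour above (an identification datagram to UDP/447 of 24 to 74 bytes, followed by periodic UDP/TCP 447 connections) is the kind of pattern a network defender turns into a flow rule. The following is an added example for this advisory, not code from IBM ISS or the original page: it parses a constructed CSV flow export (the column names, sample addresses and payload sizes are assumptions) and labels each internal host by which part of the pattern it matched.

```python
"""Flag flow records that match the Kraken check-in behaviour described above.

Added example for this advisory, not code from IBM ISS or the original page.
Assumptions: flows arrive as a CSV export with the constructed columns below;
the port, protocol and payload-size range are taken from the advisory text.
"""
import csv
import io
from dataclasses import dataclass

C2_PORT = 447                      # UDP/TCP destination port used by the bot
MIN_PAYLOAD, MAX_PAYLOAD = 24, 74  # size range of the identification datagram


@dataclass
class Flow:
    ts: str
    proto: str
    src: str
    dst: str
    dport: int
    payload_bytes: int


# Constructed sample flow log (hypothetical export format, not captured traffic).
SAMPLE_FLOWS = """ts,proto,src,dst,dport,payload_bytes
2008-04-11T09:00:01,UDP,10.0.0.5,203.0.113.10,447,40
2008-04-11T09:00:02,UDP,10.0.0.5,203.0.113.11,447,120
2008-04-11T09:00:03,TCP,10.0.0.5,203.0.113.10,447,512
2008-04-11T09:00:04,UDP,10.0.0.7,192.0.2.53,53,38
2008-04-11T09:00:05,UDP,10.0.0.9,203.0.113.12,447,24
"""


def parse_flows(text):
    """Parse the CSV export into Flow records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Flow(r["ts"], r["proto"].upper(), r["src"], r["dst"],
             int(r["dport"]), int(r["payload_bytes"]))
        for r in reader
    ]


def classify(flow):
    """Return a detection label for one flow, or None if it does not match."""
    if flow.dport != C2_PORT:
        return None
    if flow.proto == "UDP" and MIN_PAYLOAD <= flow.payload_bytes <= MAX_PAYLOAD:
        # Small UDP datagram to port 447: the initial victim-identification message.
        return "kraken-udp-beacon"
    if flow.proto in ("UDP", "TCP"):
        # Any other port-447 traffic: the periodic template check-in. Lower
        # confidence, since the advisory gives no size for that exchange.
        return "port447-checkin"
    return None


def find_suspect_hosts(flows):
    """Map each internal source address to the sorted labels observed for it."""
    hits = {}
    for f in flows:
        label = classify(f)
        if label is not None:
            hits.setdefault(f.src, set()).add(label)
    return {src: sorted(labels) for src, labels in hits.items()}


if __name__ == "__main__":
    for src, labels in find_suspect_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(src, ", ".join(labels))
```

Port 447 traffic on its own is weak evidence; a host that shows the small UDP beacon and the later check-ins, ideally shortly after a burst of DNS lookups at process start, is a much stronger candidate for triage.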

Once it infects a machine, the Kraken malware creates a binary file in the %SYSTEM32% directory with a random name. This filename is a string of lowercase letters between 2 and 20 characters long and is not based on any dictionary words. It then modifies the following registry entry to ensure that the malware is always running:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "" = C:\WINDOWS\system32\[%random_name%].exe

After this, it tries to open a series of services and, ultimately, creates a service whose binary path points to the file created above.
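The persistence artifacts just described (a Run value with an empty name, an image in system32, and a 2 to 20 letter lowercase filename that is not a dictionary word) can be checked mechanically during host triage. The following is an added example for this advisory, not code from IBM ISS or the original page: it scores Run-key entries against those three indicators. The sample entries and the small word list are constructed, and the three-of-three threshold is a hypothetical choice for this example; the live reader at the end uses the standard winreg module and only runs on Windows.

```python
"""Check Windows Run-key entries for the Kraken persistence pattern described above.

Added example for this advisory, not code from IBM ISS or the original page.
Assumptions: entries are (value_name, data) pairs as read from the Run key; the
word list and the sample entries are constructed, and the indicator threshold
is a hypothetical choice for this example.
"""
import re

# Constructed stand-in for a real dictionary; use a full word list in practice,
# since the advisory says the random name is not based on dictionary words.
DICTIONARY = {"svchost", "explorer", "notepad", "calc", "update", "winlogon"}

RANDOM_NAME = re.compile(r"^[a-z]{2,20}$")   # 2-20 lowercase letters
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample entries (not taken from a real host).
SAMPLE_RUN_ENTRIES = [
    ("", r"C:\WINDOWS\system32\qzxkvb.exe"),
    ("Updater", r"C:\WINDOWS\system32\update.exe"),
    ("", r'"C:\Program Files\Vendor\agent.exe" /quiet'),
    ("SoundMan", r"C:\WINDOWS\soundman.exe"),
    ("", r"C:\WINDOWS\system32\ab.exe"),
]


def image_path(data):
    """Extract the executable path from a Run value (quoted path or first token)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def score_entry(value_name, data):
    """Return the Kraken indicators an entry matches (empty list means clean)."""
    path = image_path(data)
    filename = path.rsplit("\\", 1)[-1].lower()
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    reasons = []
    if value_name == "":
        reasons.append("empty value name")
    if "\\system32\\" in path.lower():
        reasons.append("image in system32")
    if ext == "exe" and RANDOM_NAME.match(stem) and stem not in DICTIONARY:
        reasons.append("random lowercase filename")
    return reasons


def find_suspect_entries(entries, min_indicators=3):
    """Keep entries that match at least min_indicators of the three indicators."""
    flagged = []
    for value_name, data in entries:
        reasons = score_entry(value_name, data)
        if len(reasons) >= min_indicators:
            flagged.append((value_name, data, reasons))
    return flagged


def read_live_run_key():
    """Read the real HKLM Run key; Windows only (standard winreg module)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # raised once the value index runs past the end
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    for name, data, reasons in find_suspect_entries(SAMPLE_RUN_ENTRIES):
        print(repr(name), data, "->", "; ".join(reasons))
```

Lowering min_indicators widens the net at the cost of more benign hits; the matching service entry the advisory mentions (a service whose image path is the same random-named file) is the natural second artifact to confirm against before acting on a single Run value.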

Affected Platforms:
  • Windows 2003
  • Windows XP
  • Windows 2000
  • Windows NT
  • Windows 98
  • Windows 95

References

Arbor http://asert.arbornetworks.com/2008/04/busy-day-kraken-new-storm-run-and-msft-bulletins/

Revision History

Apr 11, 2008 Initial release.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Security Systems

IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.