A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa. The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa. "It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says. Kraken's successful infiltration of major enterprises is a wakeup call that bots aren't just a consumer problem. Damballa and other botnet experts over the past few months have seen an unsettling rise in bot infections in enterprises. Royal says like Storm, Kraken so far is mostly being used for spamming the usual scams -- high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance. "But given that it updates its binary, there's no reason it couldn't update itself to a binary that does other things," Royal says. "I'm wondering where this thing is going to go." ... Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says. (Source: Darkreading.com)
In February it was MayDay, a bot that was quite good at infiltrating corporations. Now there is a new one, Kraken, and it has reached twice the size of the Storm worm.
The SANS Internet Storm Center is asking anyone with more details or samples to report them.
UPDATE: SANS ISC has some updates:
C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 or so hostnames associated with this from dyndns and yi.org. I will publish a list and update this post with that information shortly. According to some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well). Some other related bins (c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5)
Word on the street is that this may already be detected and it looks like it is just part of the Bobax family of malware related to this article on Dark Reading from last year. It appears that this malware is what Kraken is using to infect machines, based on the work of others.
Here are some sample packets (this is payload data only, no header):
0000 4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..
0010 84 22 24 64 68 9e 4c 48 ."$dh.LH
0000 4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 M...........G|..
0010 23 03 96 ed 57 ab 5c ea #...W.\.
0000 4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df M...............
0010 9e fc 0d 71 66 d6 b2 15 ...qf...
0000 4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 M............?.6
0010 d5 26 51 9c 60 11 5d f2 .&Q.`.].
You'll notice that the first 8 bytes are the same. Those first 8 bytes vary between different IP addresses, but the packets coming from the same IP all have the same first 8 bytes. This looks like some sort of session ID / signature that is used throughout the session.
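As an added defender-side illustration (not code from SANS ISC, Damballa or this post), the Python below parses the four payload dumps above, confirms that they share an 8-byte prefix, and turns that observation into a simple heuristic over constructed flow records: a source IP is flagged when its UDP/447 datagrams have the observed frame lengths and a first-8-bytes value that never changes. The frame-length arithmetic (66 = 14 + 20 + 8 + 24) assumes plain Ethernet/IPv4/UDP framing, which the diary does not state, and the IP addresses and decoy records are made up.

```python
"""Parse the sample Kraken C&C payloads quoted in the post and apply the
"constant 8-byte prefix per source IP on UDP/447" heuristic.

Added illustration, not SANS ISC or Damballa code. Frame-length arithmetic
assumes Ethernet II + IPv4 (no options) + UDP headers (14 + 20 + 8 bytes).
"""
import re
from collections import defaultdict

# The four payload dumps quoted from the ISC diary, copied here as test input.
SAMPLE_DUMP = r"""
0000 4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..
0010 84 22 24 64 68 9e 4c 48 ."$dh.LH
0000 4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 M...........G|..
0010 23 03 96 ed 57 ab 5c ea #...W.\.
0000 4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df M...............
0010 9e fc 0d 71 66 d6 b2 15 ...qf...
0000 4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 M............?.6
0010 d5 26 51 9c 60 11 5d f2 .&Q.`.].
"""

SESSION_ID_LEN = 8                     # bytes the diary saw stay constant per source IP
C2_PORT = 447                          # UDP/447 per the diary
OBSERVED_FRAME_LENS = {66, 115, 116, 117}
L2_L3_L4_OVERHEAD = 14 + 20 + 8        # ASSUMED Ethernet + IPv4 + UDP header sizes

# Offset, then one or more "hh" tokens each followed by whitespace or end of line.
# The ASCII column is never consumed because it can contain hex-looking characters.
_LINE_RE = re.compile(r"^([0-9a-f]{4})((?:\s+[0-9a-f]{2}(?=\s|$))+)", re.I)


def parse_hexdump(text):
    """Return a list of payloads; a line at offset 0000 starts a new packet."""
    packets = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex("".join(m.group(2).split()))
        if offset == 0:
            packets.append(b"")
        if offset != len(packets[-1]):
            raise ValueError(f"offset {offset:#06x} does not continue the packet")
        packets[-1] += chunk
    return packets


def session_id(payload):
    """The first 8 bytes, which the diary observed to be constant per source IP."""
    return payload[:SESSION_ID_LEN]


def frame_length(payload_len):
    """Wire length of a UDP datagram carrying payload_len bytes (assumed framing)."""
    return L2_L3_L4_OVERHEAD + payload_len


def find_kraken_like_sources(records, min_packets=3):
    """records: iterable of (src_ip, proto, dst_port, payload).

    Flags a source IP that sent at least min_packets UDP/447 datagrams whose
    frame lengths are all in the observed set and whose first 8 bytes never
    change. Returns {src_ip: session_id_hex}.
    """
    by_src = defaultdict(list)
    for src_ip, proto, dport, payload in records:
        if proto == "udp" and dport == C2_PORT:
            by_src[src_ip].append(payload)

    hits = {}
    for src_ip, payloads in by_src.items():
        if len(payloads) < min_packets:
            continue
        if any(frame_length(len(p)) not in OBSERVED_FRAME_LENS for p in payloads):
            continue
        ids = {session_id(p) for p in payloads}
        if len(ids) == 1:
            hits[src_ip] = next(iter(ids)).hex()
    return hits


def demo():
    """Run the heuristic over the diary samples plus constructed decoys."""
    samples = parse_hexdump(SAMPLE_DUMP)
    # Constructed: the diary packets as if sent by one C&C host (made-up address).
    records = [("192.0.2.10", "udp", C2_PORT, p) for p in samples]
    # Constructed decoy: same port and size, but no stable prefix, so not flagged.
    records += [("198.51.100.7", "udp", C2_PORT, bytes([i]) * 24) for i in range(4)]
    # TCP/447 is also mentioned in the diary but its encoding is unknown; ignored here.
    records.append(("192.0.2.10", "tcp", C2_PORT, b"\x00" * 24))
    return find_kraken_like_sources(records)


if __name__ == "__main__":
    for ip, sid in demo().items():
        print(f"{ip}: constant session id {sid} on UDP/{C2_PORT}")
```

Under the framing assumption the 24-byte payloads shown correspond exactly to the 66-byte packets the diary lists, and the 115-117 byte packets would carry 73-75 bytes; the heuristic deliberately requires several packets from one source before flagging it, since a single datagram cannot show that the prefix is stable.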
Related articles:
UPDATE (09/04/2007): Some more details on the 'Kraken' bot, fact or fiction?
Security4all Blog