Wednesday

Some more details on the 'Kraken' bot, fact or fiction?



After Damballa's report on the Kraken botnet, several other vendors were skeptical of it and suggested that it might have been self-advertising and that the risk was. But these are competitors, so was this an attempt at black PR?

Well, instead of just guessing, thanks to Brian Krebs (Washington Post), we have some concrete information.

Apart from that information, the story left many security professionals hungering for more details. Chief among those were: How exactly does Damballa know so precisely how many bots were involved? And how does the company know whether various anti-virus products detect this spam bot as malicious or not?
...

Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code.

The reason Damballa knows exactly how many bots are infected with Kraken is that its experts managed to work out the mathematical algorithm Kraken uses to generate dynamic DNS names that will be used in the future to control the botnet. With that information, the company can then go reserve those dynamic DNS names ahead of time, and when the botnet gets around to using them, all of the bots will eventually report to servers Damballa controls.

In fact, if you were to visit this link, which describes in exquisite detail how one variant of the Kraken botnet works, you'd see a list of more than 100 dynamic DNS names at the bottom. Investigate that list a bit further, and you'd find that nearly a third of those point to Internet servers hosted at Georgia Tech, home to many of the Damballa researchers, including the company's chief scientist, David Dagon.

...

Damballa says that in late December 2007 it used Virustotal.com to scan the Kraken code against 32 commercial anti-virus products, and that at the time only 11 of them (34 percent) detected it as malicious -- see the results here (PDF). A more recent scan of the bot code on April 1 (PDF) shows that detection of Kraken among the anti-virus industry has increased, but only slightly -- just 16 of 32 (50 percent) of the anti-virus companies now flag it as bad.

Royal said such dismal detection rates show why anti-virus products are "slowly slipping into a set of security tools whose time has come and gone."

Many folks in the anti-virus and broader Internet security space say Damballa is trying to make a name for itself by hyping this threat, and that Kraken is nothing more than a renamed and repackaged "Bobax," a worm of similar lineage and methods that was discovered several years ago (in February, Security Fix wrote about Damballa research suggesting that the indefatigable "Storm" worm got its start by cannibalizing PCs infected with Bobax).

"We've taken a look at this and it seems the Damballa guys are into rebranding, and that they've simply taken Bobax" and presented it as Kraken, said Dmitri Alperovitch, director of intelligence analysis at Secure Computing, also based in Atlanta.

Regardless of who's right here, this debate between Damballa and the anti-virus industry has happened before and is likely to occur again. That's because the anti-virus industry no longer has the luxury of correctly classifying malicious software: They are doing everything they can just to keep up with the glut of malware being released on the Net each day, and to classify it as malicious.

Read the full article. Thanks, Brian! I have seen some webcasts from Damballa which made a good impression. I will certainly keep an eye on them.
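The sinkholing technique Krebs describes, as an added example that is not from the article and not Damballa's code: a defender who has recovered a bot's deterministic name-generation routine can enumerate the names it will ask for on future days and reserve them with the dynamic DNS provider first, so that when the bots fall back to those names they reach a defender-controlled host. The generator below is a hypothetical stand-in (SHA-256 over a constructed seed and the date), not Kraken's real algorithm, which the article does not publish; the provider suffixes are the two named in the ISC excerpt further down this post, the start date is the date of the last ISC update, and the sinkhole address is a documentation address.

```python
import hashlib
from datetime import date, timedelta
from typing import Optional

# Hypothetical stand-in for a recovered name-generation routine. It is NOT
# Kraken's algorithm; it only has the property the defender relies on:
# given the same seed and date, every copy of the bot derives the same names.
SEED = b"constructed-seed"                  # assumed hard-coded bot constant (constructed)
SUFFIXES = ("dyndns.org", "yi.org")         # providers named in the ISC excerpt on this page
SINKHOLE_IP = "192.0.2.10"                  # documentation address standing in for the defender's host
START = date(2008, 4, 9)                    # date of the last ISC update quoted on this page


def generate_domains(day: date, count: int = 4) -> list[str]:
    """Candidate C&C hostnames the stand-in routine yields for one day."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])   # 10 lowercase letters
        names.append(f"{label}.{SUFFIXES[i % len(SUFFIXES)]}")
    return names


def predict_domains(start: date, days_ahead: int) -> dict[date, list[str]]:
    """Defender side: every name the bots will try over the coming horizon."""
    return {start + timedelta(days=d): generate_domains(start + timedelta(days=d))
            for d in range(days_ahead)}


def sinkhole_plan(predicted: dict[date, list[str]], already_registered: set[str]) -> list[str]:
    """Names still to reserve with the provider, earliest day first."""
    todo = []
    for day in sorted(predicted):
        todo.extend(n for n in predicted[day] if n not in already_registered)
    return todo


def register(names: list[str], dns: dict[str, str]) -> None:
    """Simulated pre-registration: point each predicted name at the sinkhole."""
    for n in names:
        dns.setdefault(n, SINKHOLE_IP)


def first_resolvable(day: date, dns: dict[str, str]) -> Optional[tuple[str, str]]:
    """Model of the bot's fallback: walk the day's candidates, use the first that resolves."""
    for n in generate_domains(day):
        if n in dns:
            return n, dns[n]
    return None


if __name__ == "__main__":
    dns: dict[str, str] = {}
    upcoming = predict_domains(START, 7)
    register(sinkhole_plan(upcoming, set(dns)), dns)
    print(first_resolvable(START, dns))    # the modelled bot lands on the sinkhole
```

The count of bots Krebs mentions follows from the same mechanism: once every predicted name points at the sinkhole, each infected host that phones home is observed there, so the defender counts infections directly rather than estimating them.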

Previous posts:

UPDATE: SANS ISC has also updated their available information:

Information has just started flowing on the Kraken diary from earlier. As of this moment, I still don't have a sample of this particular malware, but I do have some packet captures of the control traffic.

C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 or so hostnames associated with this from dyndns and yi.org. I will publish a list and update this post with that information shortly. According to some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well). Some other related bins (c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5)

Word on the street is that this may already be detected and it looks like it is just part of the Bobax family of malware related to this article on Dark Reading from last year. It appears that this malware is what Kraken malware is using to infect machines, based on the work of others.

Here are some sample packets (this is payload data only, no header):

0000 4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..
0010 84 22 24 64 68 9e 4c 48 ."$dh.LH

0000 4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 M...........G|..
0010 23 03 96 ed 57 ab 5c ea #...W.\.

0000 4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df M...............
0010 9e fc 0d 71 66 d6 b2 15 ...qf...

0000 4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 M............?.6
0010 d5 26 51 9c 60 11 5d f2 .&Q.`.].

You'll notice that the first 8 bytes are the same. Those first 8 vary between different IP addresses, but the packets coming from the same IP all have the same first 8 bytes. This looks like some sort of session ID / signature that is used throughout the session.

UPDATE: The md5 that Damballa is saying is associated with this malware is MD5: 1d51463150db06bc098fef335bc64971. I'm working with a copy from Project Malfease and will have an analysis later. A Virus Total scan of this binary came back as 5/32 (with the 5 that did detect doing so in non-descript ways like "suspicious file").

UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here.

There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now.

http://www.threatexpert.com/report.aspx?uid=83128ea3-453a-46fe-884b-71d05677d3ed

http://www.threatexpert.com/report.aspx?uid=e32f00bb-6b26-477f-a0d6-307000a31924

http://www.threatexpert.com/report.aspx?uid=2b65a341-7f74-413c-9854-a6aca09450f5

http://www.threatexpert.com/report.aspx?uid=c431073f-4321-4bc0-a219-832a10f4f3a0

http://www.threatexpert.com/report.aspx?uid=d04fcd5b-b221-43d0-8dad-95e64ba57145

http://www.threatexpert.com/report.aspx?uid=63606940-900b-4e26-87d9-7453a1518ed6

http://www.threatexpert.com/report.aspx?uid=52accf15-a173-4f90-9482-b2634c151d87

UPDATE 3: (4/9/08 - 0030 UTC)

Also, Threat Expert has a pretty good write-up on what they have for Kraken. They see that the initial "phone home" is over TCP/447, and subsequent communication is UDP/447. The detection is still to look for port 447 traffic crossing your perimeter. That port was used by an old IBM OS for some database stuff. It doesn't appear to have been used in years. Emerging Threats has some sigs (see above), and the UDP packets seem to be pretty consistently 66, 115, 116, or 117 bytes for the *entire packet*.
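A detection-side example, added here and not part of the ISC diary, built from the four payloads quoted in the first update and the perimeter heuristic in the last one: it parses the hexdump format into bytes, extracts the 8-byte prefix the diary reads as a session ID, tallies prefixes per source address (a host whose UDP/447 packets all share one prefix matches the pattern described), and applies the port 447 rule with the 66/115/116/117-byte whole-packet sizes for UDP. The source address attached to the samples is constructed because the diary gives none, and the length passed to the heuristic is assumed to be the on-wire packet length including headers, which is what the diary's sizes refer to.

```python
import re
from collections import defaultdict

# The four payloads quoted in the ISC diary (payload only, no IP/UDP headers).
SAMPLE_DUMPS = r"""
0000 4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..
0010 84 22 24 64 68 9e 4c 48 ."$dh.LH

0000 4d f4 d5 17 dc 04 c1 2e d3 87 b7 0a 47 7c 9c e1 M...........G|..
0010 23 03 96 ed 57 ab 5c ea #...W.\.

0000 4d f4 d5 17 dc 04 c1 2e fe dd e2 19 b8 a5 0a df M...............
0010 9e fc 0d 71 66 d6 b2 15 ...qf...

0000 4d f4 d5 17 dc 04 c1 2e db 88 1d 13 ec 3f 86 36 M............?.6
0010 d5 26 51 9c 60 11 5d f2 .&Q.`.].
"""

# A 4-digit offset followed by 1..16 hex byte pairs; the ASCII column is never matched.
HEX_LINE = re.compile(r"^[0-9a-f]{4}((?:\s[0-9a-f]{2}){1,16})")
SESSION_ID_LEN = 8                  # the constant prefix the diary calls a session ID
C2_PORT = 447                       # TCP for the initial phone-home, UDP afterwards
UDP_SIZES = {66, 115, 116, 117}     # whole-packet sizes reported in the diary


def parse_hexdump(text: str) -> list[bytes]:
    """Turn blank-line-separated hexdump blocks into one bytes object per packet."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            current.extend(bytes.fromhex(m.group(1).replace(" ", "")))
        elif current:                       # blank or non-hex line ends the packet
            packets.append(bytes(current))
            current = bytearray()
    if current:
        packets.append(bytes(current))
    return packets


def session_id(payload: bytes) -> bytes:
    """First 8 bytes of the payload, constant across a session per the diary."""
    return payload[:SESSION_ID_LEN]


def sessions_by_source(observations: list[tuple[str, bytes]]) -> dict[str, dict[bytes, int]]:
    """Per source IP, count how many packets carried each session ID."""
    table: dict[str, dict[bytes, int]] = defaultdict(lambda: defaultdict(int))
    for src, payload in observations:
        table[src][session_id(payload)] += 1
    return {src: dict(ids) for src, ids in table.items()}


def is_suspect_flow(proto: str, src_port: int, dst_port: int, total_len: int) -> bool:
    """Perimeter heuristic: port 447 in either direction is worth a look;
    for UDP the observed whole-packet sizes narrow it further."""
    if C2_PORT not in (src_port, dst_port):
        return False
    if proto == "udp":
        return total_len in UDP_SIZES
    return proto == "tcp"


if __name__ == "__main__":
    payloads = parse_hexdump(SAMPLE_DUMPS)
    observations = [("198.51.100.7", p) for p in payloads]     # constructed source address
    print(sessions_by_source(observations))
    print(is_suspect_flow("udp", C2_PORT, 1025, 116), is_suspect_flow("tcp", 1025, C2_PORT, 60))
```

The size check is deliberately applied only to UDP: the diary gives sizes for the UDP control traffic but none for the initial TCP phone-home, so any TCP/447 crossing the perimeter is flagged on port alone, in line with the note that the port has been unused for years.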
