
I caught this on heise.co.uk: the inner workings of the Kraken botnet analysed. The article covers the packet format of the C&C traffic, the released source code and a command line tool to analyse intercepted traffic. There might be an upcoming plugin for Wireshark!
Michael Hale Ligh and Greg Sinclair have reverse engineered the encryption algorithm used for the C&C traffic. They explain the packet format in a blog entry and have posted C++ source code for encryption and decryption. They also intend to release an analysis module for Wireshark, but so far they have only offered a command line tool to analyse intercepted botnet traffic.
The Kraken drones look for their C&C server under pseudo-randomly generated domain names. Researchers at PCTools have studied the algorithm the drones use to generate these names and, from it, have written a C++ reimplementation that interested users can download. Because the generation is deterministic, anyone with the algorithm can compute the same candidate list the bots will use.
The results of this analysis make it easier to identify new variants of the Kraken bot and to adapt antivirus detection routines and signatures to them. It may also allow the botnet to be hit where it hurts: Thorsten Holz and his researchers at the University of Mannheim have already demonstrated on the Storm worm botnet that this can be done.
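To show what the PCTools reimplementation makes possible, here is an added example (not code from the page, from PCTools or from the Kraken authors) of a hypothetical date-seeded domain generation algorithm and of the defender-side check that uses the same list. The PRNG, the seed mixing, the TLD table and the domain counts are all assumptions chosen for illustration; none of them is Kraken's real algorithm. The point it demonstrates is the one the article makes: once the algorithm is known, a defender can compute the day's candidate domains ahead of the bots, match them against DNS logs, and register or sinkhole them.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// Hypothetical date-seeded DGA. This is NOT Kraken's algorithm; it only
// shows the mechanism: bot and defender derive the same candidate list from
// a shared seed (here, the calendar date), so the defender can register or
// sinkhole those names before the bots resolve them.
namespace demo_dga {

// 64-bit xorshift PRNG: deterministic, so the same seed always yields the
// same domain list on both sides.
struct Prng {
    uint64_t state;
    explicit Prng(uint64_t seed) : state(seed ? seed : 0x9E3779B97F4A7C15ULL) {}
    uint64_t next() {
        state ^= state << 13;
        state ^= state >> 7;
        state ^= state << 17;
        return state;
    }
};

// Mix the date into a seed (assumed scheme). A real DGA typically also folds
// in a per-family constant so that different families do not collide.
inline uint64_t seed_for_day(int year, int month, int day) {
    uint64_t s = static_cast<uint64_t>(year) * 10007ULL
               + static_cast<uint64_t>(month) * 101ULL
               + static_cast<uint64_t>(day);
    return s * 0x9E3779B97F4A7C15ULL;  // odd multiplier: never maps to zero
}

// Bot side: produce `count` candidate C&C domains for the given date.
inline std::vector<std::string> generate_domains(int year, int month, int day, size_t count) {
    static const char* const tlds[] = {".com", ".net", ".org", ".info"};
    Prng rng(seed_for_day(year, month, day));
    std::vector<std::string> out;
    out.reserve(count);
    for (size_t i = 0; i < count; ++i) {
        size_t len = 8 + static_cast<size_t>(rng.next() % 8);  // label length 8..15
        std::string label;
        for (size_t j = 0; j < len; ++j)
            label.push_back(static_cast<char>('a' + rng.next() % 26));
        out.push_back(label + tlds[rng.next() % 4]);
    }
    return out;
}

// Defender side: which queries in a DNS log match the day's candidate list?
// The same function, run before the day starts, yields the names to sinkhole.
inline std::vector<std::string> match_observed(const std::vector<std::string>& observed,
                                               int year, int month, int day, size_t count) {
    std::vector<std::string> cands = generate_domains(year, month, day, count);
    std::set<std::string> lookup(cands.begin(), cands.end());
    std::vector<std::string> hits;
    for (const std::string& q : observed)
        if (lookup.count(q)) hits.push_back(q);
    return hits;
}

// Constructed sample DNS query log (not real traffic): legitimate lookups
// interleaved with two names taken from that day's DGA list.
inline std::vector<std::string> constructed_dns_log(int year, int month, int day) {
    std::vector<std::string> cands = generate_domains(year, month, day, 100);
    return {"www.heise.de", cands[3], "update.microsoft.com", cands[42], "mail.example.org"};
}

}  // namespace demo_dga
```

Running `match_observed(constructed_dns_log(2008, 4, 10), 2008, 4, 10, 100)` returns exactly the two planted DGA names and nothing else; the same log checked against the list for the next day returns nothing, which is why a defender has to regenerate the list every day (or for every seed the bot uses) rather than relying on a static blocklist.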
See also:
- Mailbot.f (a.k.a “Kraken”) gets stealthier - Update, Entry in McAfee's security blog
- Kraken Encryption Algorithm, Entry in the mnin blog by Michael Hale Ligh
- Kraken is Finally Cracked, Entry in the PCTools security blog
- New Variant of Kraken bot on the loose
- Paper: "Measurements and Mitigation of Peer-to-Peer-based Botnets"
- Some more details on the 'Kraken' bot, fact or fiction?
- New botnet 'Kraken' is present in 50 out of Fortune 500
- Paper on Botnets – The Silent Threat on the Internet
