Information has just started flowing on the Kraken diary from earlier. As of this moment, I still don't have a sample of this particular malware, but I do have some packet captures of the control traffic.
C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself. Right now there are about 100 or so hostnames associated with this from dyndns and yi.org. I will publish a list and update this post with that information shortly. According to some malware we believe to be associated with Kraken, it will also use TCP 447 and encode data in some unknown way. (For those with malware zoos, look for MD5s 31b68fe29241d172675ca8c59b97d4f4 and c05eb75e00d54a041a057934979fed6d. Allegedly, MD5 1d51463150db06bc098fef335bc64971 is associated as well). Some other related bins (c1d078b93df31d032cea89f25dc56362, 3a8bd37f9b33de4d29198d125030f587, b0e7ac28f0a899afa0fcdda5f1252675, 1c6d6f727ee55a5797c369f7aa4a0f38, f43bebf91ae2f5cf1f2ad5168bf9d202, ffc2e41d8e729c7b8622a8420767cfb5)
Word on the street is that this may already be detected and it looks like it is just part of the Bobax family of malware related to this article on Dark Reading from last year. It appears that this malware is what Kraken malware is using to infect machines to based on the work of others.
Here are some sample packets (this is payload data only, no header):
0000 4d f4 d5 17 dc 04 c1 2e 31 77 aa 1b 9f 38 a0 8c M.......1w...8..
You'll notice that the first 8 bytes are the same, those first 8 vary between different IP addresses, but the packets coming from the same IP all have that same first 8 bytes. This looks like some sort of session ID / signature that is used throughout the session.
If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware.
UPDATE: The md5 that Damballa is saying is associated with this malware is MD5: 1d51463150db06bc098fef335bc64971. I'm working with a copy from Project Malfease and will have an analysis later. A Virus Total scan of this binary came back as 5/32 (with the 5 that did detect doing so in non-descript ways like "suspicious file").
UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here.
There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now.
UPDATE 3: (4/9/08 - 0030 UTC)
First, Brian Krebs has some good coverage of the Kraken incident and some of the back story going on between Damballa and some AV vendors. It also covers some neat technical details of how Damballa got the information on this botnet. Also, Threat Expert has a pretty good write-up on what they have for Kraken. They see that the initial "phone home" is over TCP/447, and subsequent communication is UDP/447. The detection is still look for port 447 traffic crossing your perimeter. That port was used by an old IBM OS for some database stuff. It doesn't appear to have been used in years. Emerging Threats has some sigs (see above), and the UDP packets seem to be pretty consistently 66, 115, 116, or 117 bytes for the *entire packet*.
Apr 7th 2008
9 years ago