Oderoor / Kraken / Bobax
Whatever it turns out to be, we have some test sigs for it.
2008103
2008104
2008105
2008106
2008107
2008108
2008109
2008110
According to Damballa's press release (upon which all commentaries are based), "Kraken was first observed in winter 2007, but investigation into its origins suggests the existence of early variants as far back as late 2006." Depending on the variant, the components of the binary may or may not include a rootkit component (
HacDef?), and may use a completely disjoint set of C&C domain names.
Like Bobax, Kraken uses randomly generated domain names that appear to have a common algorithm; it may also use common templating code for sending spam. However, Bobax uses a different set of C&C domain names from different
DynDNS? providers than Kraken. Bobax also uses HTTP for its C&C protocol, while Kraken uses port 447 UDP to communicate; its packet payloads are believed to be encrypted with a 64-bit key. The earliest variants performed an occasional, large transfer on TCP 446, although the port was subsequently changed to TCP 447; this TCP communication likely represents a binary update. This port is reserved for ddm-dfm Distributed File Management and packets sent by the bot malware do not decode to it; the ddm-dfm protocol is very rarely used as far as we can tell. The signatures above count on the fact that even if this is used it's likely not used over public networks. Please let us know if this isn't true. If you do use this protocol locally please consider a pass or suppression rule until we get better sigs.
References:
http://www.cnbc.com/id/23993105
http://www.incidents.org/diary.html?storyid=4256
http://isc.sans.org/diary.html?storyid=4250
http://www.darkreading.com/document.asp?doc_id=144919 (May be FUD)
http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/ (also may be FUD)
Please update and add any information at all!
--
MattJonkman - 07 Apr 2008
--
PaulRoyal - 08 Apr 2008