Oderoor / Kraken / Bobax

Whatever it turns out to be, we have some test sigs for it.

2008103 2008104 2008105 2008106 2008107 2008108 2008109 2008110

According to Damballa's press release (upon which all commentaries are based), "Kraken was first observed in winter 2007, but investigation into its origins suggests the existence of early variants as far back as late 2006." Depending on the variant, the components of the binary may or may not include a rootkit component (HacDef?), and may use a completely disjoint set of C&C domain names.

Like Bobax, Kraken uses randomly generated domain names that appear to have a common algorithm; it may also use common templating code for sending spam. However, Bobax uses a different set of C&C domain names from different DynDNS? providers than Kraken. Bobax also uses HTTP for its C&C protocol, while Kraken uses port 447 UDP to communicate; its packet payloads are believed to be encrypted with a 64-bit key. The earliest variants performed an occasional, large transfer on TCP 446, although the port was subsequently changed to TCP 447; this TCP communication likely represents a binary update. This port is reserved for ddm-dfm Distributed File Management and packets sent by the bot malware do not decode to it; the ddm-dfm protocol is very rarely used as far as we can tell. The signatures above count on the fact that even if this is used it's likely not used over public networks. Please let us know if this isn't true. If you do use this protocol locally please consider a pass or suppression rule until we get better sigs.

References:

http://www.cnbc.com/id/23993105

http://www.incidents.org/diary.html?storyid=4256

http://isc.sans.org/diary.html?storyid=4250

http://www.darkreading.com/document.asp?doc_id=144919 (May be FUD)

http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/ (also may be FUD)

Please update and add any information at all!

-- MattJonkman - 07 Apr 2008

-- PaulRoyal - 08 Apr 2008