Busy Day – Kraken, New Storm Run, and MSFT Bulletins

By: Jose -

Kraken, the spam botnet on everyone’s minds, has soaked up a good bit of our Monday evening and today. We’re going with the popular name and dubbing it Trojan.Kraken. In short, what we know and what we don’t know:

  • It’s unclear if this is a variant of Bobax or Srizbi, or something new.
  • A lot of the C&Cs are dead
  • We analyzed samples going back through last year
  • It’s a spam botnet, doesn’t appear to harm the host otherwise
  • We don’t know how big it is

We’ve spent a lot of time in ASERT in the past day dissecting samples, gathering data from the community, and looking at our own analysis. Here are some brief notes:

  • It drops a file in %SYSTEM32% with a random name (lowercase characters, 2-20 characters). It sets the following registry keys to ensure it runs:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "" = C:\WINDOWS\system32\[%random_name%].exe
    "" = C:\WINDOWS\system32\[%random_name%].exe

    Where the random name is between 2 and 20 characters long.
  • It picks a random string of lowercase characters for a service title
  • It communicates with over 150 command nodes (if they all were to resolve) for instructions and templates using UDP port 447; we’re not sure if the replies are source-spoofed or not
  • The Kraken servers currently resolve to 64.21.149.167 and 64.21.181.87
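As an added example (not code from the post or from ASERT), here is a small defender-side check built on two of the indicators above: a Run-key entry with an empty value name pointing at a random-looking lowercase name in system32, and a host fanning out to many destinations over UDP port 447. The registry entries and flow records are constructed samples; in practice the entries would be read from the Run key on a host and the flows taken from NetFlow.

```python
import re
from collections import defaultdict

# Indicators from the post: dropped file is a lowercase name of 2-20 characters
# in %SYSTEM32%, started from the Run key with an empty value name, and the bot
# polls 150+ command nodes over UDP port 447.
SYSTEM32_DIR = re.compile(r"^[A-Za-z]:\\windows\\system32$", re.IGNORECASE)
RANDOM_EXE = re.compile(r"^[a-z]{2,20}\.exe$")  # case-sensitive: lowercase only


def flag_run_entries(entries):
    """entries: (value_name, value_data) pairs from a Run key.
    Returns (value_name, path, empty_name) for entries whose target is a
    lowercase 2-20 char exe in system32. The filename test alone also matches
    legitimate entries such as ctfmon.exe; the empty value name is the
    stronger signal, so it is reported separately."""
    flagged = []
    for name, data in entries:
        path = data.strip().strip('"')
        if "\\" not in path:
            continue
        directory, filename = path.rsplit("\\", 1)
        if SYSTEM32_DIR.match(directory) and RANDOM_EXE.match(filename):
            flagged.append((name, path, name == ""))
    return flagged


def udp447_fanout(flows, min_dsts=20):
    """flows: (src_ip, dst_ip, proto, dst_port) records, e.g. from NetFlow.
    Returns {src_ip: distinct UDP/447 destinations} for hosts at or above
    min_dsts, which separates a bot polling its node list from a stray packet."""
    dsts = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "udp" and dport == 447:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_dsts}


# Constructed sample input (not real hosts or addresses).
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("", "C:\\WINDOWS\\system32\\qzxvmrt.exe"),
    ("Updater", "C:\\Program Files\\Vendor\\upd.exe"),
]
SAMPLE_FLOWS = [("10.0.0.5", f"192.0.2.{i}", "udp", 447) for i in range(1, 31)] + [
    ("10.0.0.9", "192.0.2.1", "udp", 447),
    ("10.0.0.9", "198.51.100.7", "udp", 53),
]
```

Only the entry with the empty value name should be treated as a strong hit; the UDP/447 threshold is a starting point to tune against your own baseline.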

AV detection for the samples varies, and the naming isn’t consistent. This doesn’t appear to be the bot that ate the Internet, but it does go to show that spambots are becoming a serious problem.

Microsoft released 8 security bulletins today, 5 critical and 3 important. Go get patched! The ones that have me worried about widespread exploitation:

Look for each of these to be used in the coming weeks and months in malware delivery. Go review and patch, now.

Remember Storm? New run starting today, using a codec theme. We’ve been working with ISPs to get boxes shut down and alerting people about mitigating the new fastflux domain name, supersameas.com.


Comments

  1. Thank you for your information. Security is the most important side in a company for Information Technology personnel. Because of this I’ll read your website.

    Omer KARADENIZ
    http://www.omerkaradeniz.com

  2. Jose,

    I’ve done a quick measurement of the supersameas.com fastflux domain (involved IPs, lifetime, etc):
    http://www.cs.ucsb.edu/~marco/blog/2008/04/29/#storm-codec-fastflux
    I was wondering if you had collected data relative to this or other domains and, if so, if you had seen characteristics/behavior similar to the ones I have.