Busy Day – Kraken, New Storm Run, and MSFT Bulletins
Kraken, the spam botnet on everyone’s minds, has soaked up a good bit of our Monday evening and today. We’re going with the popular name and dubbing it Trojan.Kraken. In short, what we know and what we don’t know:
- It’s unclear if this is a variant of Bobax or Srizbi, or something new.
- A lot of the C&Cs are dead
- We analyzed samples going back through last year
- It’s a spam botnet, doesn’t appear to harm the host otherwise
- We don’t know how big it is
We’ve spent a lot of time in ASERT in the past day dissecting samples, gathering data from the community, and looking at our own analysis. Here are some brief notes:
- It drops a file in %SYSTEM32% with a random name of 2 to 20 lowercase characters. It sets the following registry keys to ensure it runs:
- It picks a random string of lowercase characters for a service title
- It communicates with over 150 command nodes (if they all were to resolve) for instructions and templates using UDP port 447; we’re not sure if the replies are source-spoofed or not
- The Kraken servers currently resolve to 18.104.22.168 and 22.214.171.124
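As an added example (not from the original post), a small Python detector over constructed flow-log lines that flags internal hosts fanning out to many distinct peers on UDP/447, the command-node port noted above; the log format, the sample addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not from the original post):
# timestamp, proto, src, dst, dport. Addresses are documentation ranges.
SAMPLE_FLOWS = """\
2008-04-08T10:00:01 UDP 10.0.0.5 203.0.113.10 447
2008-04-08T10:00:02 UDP 10.0.0.5 203.0.113.11 447
2008-04-08T10:00:03 UDP 10.0.0.5 198.51.100.7 447
2008-04-08T10:00:04 UDP 10.0.0.5 198.51.100.8 447
2008-04-08T10:00:05 UDP 10.0.0.5 192.0.2.20 447
2008-04-08T10:00:06 UDP 10.0.0.9 203.0.113.10 447
2008-04-08T10:00:07 UDP 10.0.0.9 198.51.100.53 53
2008-04-08T10:00:08 TCP 10.0.0.7 203.0.113.10 447
"""

FLOW_RE = re.compile(r"^(\S+) (UDP|TCP) (\S+) (\S+) (\d+)$")
KRAKEN_CC_PORT = 447  # UDP port the bot uses to reach its command nodes

def parse_flows(text):
    """Yield (timestamp, proto, src, dst, dport) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, proto, src, dst, dport = m.groups()
            yield ts, proto, src, dst, int(dport)

def udp447_fanout(text):
    """Map each source host to the set of distinct peers it sent UDP/447 to."""
    fanout = defaultdict(set)
    for _ts, proto, src, dst, dport in parse_flows(text):
        if proto == "UDP" and dport == KRAKEN_CC_PORT:
            fanout[src].add(dst)
    return fanout

def suspected_kraken_hosts(text, min_distinct_peers=3):
    """Sources contacting at least min_distinct_peers distinct hosts on UDP/447.
    The bot polls a large list of command nodes, so one internal host fanning
    out to many UDP/447 peers is the signal; a single flow is not. The threshold
    is an assumed starting point and should be tuned to the network."""
    return sorted(src for src, peers in udp447_fanout(text).items()
                  if len(peers) >= min_distinct_peers)

if __name__ == "__main__":
    for host in suspected_kraken_hosts(SAMPLE_FLOWS):
        peers = udp447_fanout(SAMPLE_FLOWS)[host]
        print(f"{host}: {len(peers)} distinct UDP/447 peers")
```

On the constructed sample only 10.0.0.5 is flagged; 10.0.0.9 has a single UDP/447 peer and 10.0.0.7 used TCP, so neither trips the fan-out rule.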
AV detection for the samples varies, and the naming isn’t consistent. This doesn’t appear to be the bot that ate the Internet, but it does go to show you that spambots are becoming a serious problem.
Microsoft released 8 security bulletins today, 5 critical and 3 important. Go get patched! The ones that have me worried about widespread exploitation:
- MS08-021 – Vulnerabilities in GDI Could Allow Remote Code Execution
- MS08-022 – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution. Given how successful attacks against IE have been, this could get messy. Really messy.
- MS08-023 – Security Update of ActiveX Kill Bits, the classic ActiveX overflow.
- and MS08-024 – Cumulative Security Update for Internet Explorer. Again, consider how successful attacks against IE have been in the past 2 years.
Look for each of these to be used in the coming weeks and months in malware delivery. Go review and patch, now.
Remember Storm? A new run is starting today, using a codec theme. We’ve been working with ISPs to get boxes shut down and alerting people about mitigating the new fast-flux domain name, supersameas.com.