The biggest vulnerabilities facing the world today are not buffer overruns, but the carbon-based life form sitting between the keyboard and chair. Kraken has proven that yet again. Despite the naming and size controversy, we believe Kraken represents a significant malware threat, that if left unchecked, has the potential to cause businesses and consumers damages more severe than simply spamming.
In our research lab at FireEye, we have been monitoring the Kraken Command and Control (C&C) servers for the past month. We observed that the C&C channels (UDP/TCP 447) on the C&C servers were turned off from April 8th to April 13th, which directly followed the announcement about its existance during the RSA conference. Kraken was completely silent for that 5 day period leading up to the evening of April 13th. At that time we observed some of the CnC servers coming online again, but this time with a small twist. Kraken samples under our observation had stopped using TCP/447 to download their spam templates. Instead, they began using TCP/447 to update their core binaries. The new binary was installed on the system during startup and began to produce an altogether different behavior. It had new C&C hosts, new ports, and a slightly modified protocol. The Kraken bot masters also changed their DNS generation algorithm to stop others from hijacking their DNS entries.
The shutdown period of 5 days appears to be related to all the press the Botnet received at RSA. Those responsible for Kraken simply took the time to update their code base to render any prior research invalid. From here on out, we will refer to old variants as IM.Kraken.447 and the new variaent as IM.Kraken.443. We'll begin by first explaining some low level details about the IM.Kraken.447 C&C structure and then we’ll show how and why IM.Kraken.443 changed its C&C structure altogether. Later, we'll delve into other relavent details such as the original Kraken attack vector, rootkit details, and mitigation factors which are shared between both variants.
C&C channel:Custom obfuscated protocols
Payload:Currently used to send spam
Rootkit:Startup file entry and a Windows service
Attack Vector:IM through social engineering
Commands and Control Structure
1. Probing for TCP/25 connectivity
The first outbound communications from the malware consist of connection attempts on TCP/25 to a number of well known mail servers on the Internet, including mail, hotmail, and mindspring. This is an effort to make sure that the zombie machine is able to connect to SMTP servers outside its network to send out spam messages.
2. Dynamic FQDN discovery
The malware uses a dynamic C&C based communication structure. The fully qualified domain name (FQDN) of the C&C server is constructed from a dynamically generated hostname and one of the following four base domain names:
Examples of runtime FQDNs have been the following:
As long as the bot master and the malware use the same algorithm to generate the list of hostnames to use, the bot master can change the CnC server names, IP addresses, or physical hosts to evade detection without updating the malware code. In a run of 2 hours in our lab, a single sample went through 170 FQDNs.
While most of these names resolved to 127.0.0.2, some of them were resolving to public IP addresses at the time of analysis:
3. Obfuscated C&C Communication
The actual C&C communication consists of two steps:
Step 1: UDP/447 to the C&C server resolved from the aforementioned FQDN list.
Step 2: TCP/447 download spam templates from the server IP retrieved from the C&C server in step 1.
Although the communication payload is obfuscated, our analysis has revealed that the initial UDP based exchange registers the new zombie with the C&C server along with host information:
* Machine's NetBIOS name
* System uptime
* Total RAM + hard drive space available in MB
* OS version number
* Status of outbound TCP/25 (enabled or disabled)
* Upload speed
* Country code
After analyzing the memory dumps, we discovered that underneath its obfuscated protocol, an XML schema is being used. The following strings were extracted from Kraken memory dumps.
Above one can see that Kraken is sending the zombie’s host information to its master. At the same time, the IP address of the spam template server was distributed to the zombie machine. In our lab run, a UDP communication to a C&C server was always followed by a TCP commutation to another IP different from those resolved from the FQDN list. We have seen IP addresses 20X.1XX.52.43 and 6X.2XX.17.223 during step 2 of the C&C communication. Once the spam template is downloaded, the bot starts generating spam emails.
After the shutdown of 5 days, the Kraken bot masters came up with new obfuscation techniques. They are no longer using TCP/447 as their C&C link. They have switched to the more common (and harder to filter) TCP/443 to blend in with normal SSL traffic. This was a move intended to fool simple signature based IDS systems and render port filters inoperable. There are public snort signatures available (http://doc.emergingthreats.net/bin/view/Main/OdeRoor ) that are using TCP/447 for Kraken detection that will not detect the new variant. Moreover, for its UDP based C&C communication, it is no longer using UDP/447. Instead, new variants are using totally random UDP ports.
New variants have also been seen connecting to well known web sites such as news.com and cbsnews.com to test internet connectivity on port 80. Immediately after the connection to these news sites, Kraken.443 tries to connect to one of its C&C servers on port 80 and does an HTTP POST to urls similar to: bakoo.cgi, hoofadebooh, and nazuz.php. During this process, encrypted data is exchanged.
We can summarize the important changes as the following:
* Older variants are using UDP/447 to update their binaries instead of using it to download spam templates.
* Older variants are no longer sending any spam.
* The new binary discovers the C&C servers by using a different DNS generation algorithm. We've also seen hostnames (xxxdzfjd.yi.org , xxxxssabg.yi.org ) resolving to new IPs.
* New variants are using TCP/443 to download their spam templates and binary updates. With this change, Kraken cannot be detected based on the use of the non standard port 447.
* New varients use completely random ports instead of fixed UDP/447 for its UDP based communication. The new variants are only sending spam.
The main vector used by Kraken is social engineering, much like Storm and others. IM messages are sent to victims with a disguised malware attachment. For instance, the victim may receive an MSN IM like this:
hey i found your picture on hotornot.com! I swear its you!
they banned my account because of THIS picture they said. Its not Bad at all. Man Am i angry.
are you there? tell me what you think of this. I Made it in photoshop. do you think its too green?
When this message comes from a known contact, a user may feel compelled to find out how he or she is portrayed. In the message, the malware is attached, but using a very deceptive file name like "[email protected]". This is a very clever piece of social engineering in that, for systems where the file extension (.com) is not shown to users, users will not have any visible clues that the attachment is actually an executable file. For systems where the file extension is shown to users, the whole file name, with extension, looks like an email address which could also trick the user into clicking it.
All the malware attachments are generated using random names, although bits and pieces come from a dictionry. Most also use double extensions (.jpg.exe) to try to fool the user. To attempt a bypass of .exe blocking systems, Kraken sends these files as .zip. It's interesting to note that in Windows, zip files are shown to user as a folder. If one were to click on the zip file, Windows Explorer will not show the file extension. Again, the user will only see .jpg at the end and may feel compelled to open up what seems to be an image.
Here, Kraken stole the MSN buddy list from the infected machine and sent these fake invitations to the whole contact list
Here is the infected file opened in Explorer where the file extension is hidden from the user
Here is the infected file opened in Explorer where the file extension is not hidden from the user
In both of these cases, the unimformed user would not be aware it the file is an executable as opposed to an image.
The following changes are made to the infected system upon installation of Kraken. After execution, it chooses a random name for its binary, copies itself with that random name under %system32, and deletes the original image.
It adds itself into the startup list, e.g. adding wxechzzmsaqa = C:\WINNT\System32\wxechzzmsaqa.exe into:
It also has a fallback system where if it is disabled manually by the user, it will run with the name of a common Windows service, such as “Print Spooler Service”.
The malware process remains visible in Task Manager, either as a standalone exe or as an NT service running under the SYSTEM account.
As explained above, recent Kraken variants also register themselves as a Windows service. This means that even if one were to remove the Kraken entries from the system startup, its Windows service will again add itself into startup.
For complete removal instructions please refer to "Kraken Removal Instructions".
The main objective of the botnet seems to be spamming. The theme of the spam messages currently is "cheap luxury watches". Some examples of the message titles extracted are:
* High Quality Watches
* Timepieces Rolex
* Discover Our Range of Extraordinary Rolex Timepieces for Men and Women.
* Rolex Timepieces for Men and Women.
* Designer Watches
The messages are designed to lead the recipients to web sites offering these pieces of merchandies and much more. For example, male enhancement drugs are part of the low-cost offerings. Buyer beware!
How to protect yourself
The best security practice for users is to apply security patches in a timely manner to minimize their exposure to malware attacks. To avoid falling victim to social engineering attacks, users should avoid opening any emails from unknown or unexpected sources. They should also not allow installation of any program on their computer unless they trust the source of the program and know what the program is supposed to do.
For users with a firewall deployment, add a "deny" rules for traffic on port 447 on UDP and TCP to stop the Kraken C&C communication.
The recent change of protocols by Kraken has made it difficult to detect its existence in a network. The good news is that even with the new binary installed, the old binary still remains. The Kraken bot masters will probably remove the old binaries over time, but until then the infected hosts will still be generating TCP/447 and UDP/447 traffic for some time.
As a general rule of thumb, users should follow this advise:
* Avoid opening any emails from unknown or unexpected sources.
* Windows users should change the default windows settings to show common file extensions. Users can change this setting by going to File -> Folder Options -> View. Uncheck the “Hide extensions for known file types” checkbox.
* ·Please note that .com, .exe and .bat are interpreted as Windows executable files. Files from unknown sources ending with these extensions might be malicious.
* If you receive a file with a name similar to [email protected], do not open it. Beware of such social engineering traps.
The way the Kraken bot masters reacted to their popularity by changing their C&C communication within days shows that they are watching every move against them. In the near term, we believe Kraken will remain a signifigant threat and urge users to be extra aware of social engineering attempts against their systems.
Haroon W Malik, Atif Mushtaq @ Fireeye Malware Intelligence Lab
Comments/Questions to [email protected]