Arbor Networks: Security to the Core

Kraken, the spam botnet on everyone’s minds, has soaked up a good bit of out Monday evening and today. We’re going with the popular name and dubbing it Trojan.Kraken. In short, what we know and what we don’t know:

• It’s unclear if this is a variant of Bobax or Srizbi, or something new.
• A lot of the C&Cs are dead
• We analyzed samples going back through last year
• It’s a spam botnet, doesn’t appear to harm the host otherwise
• We don’t know how big it is

We’ve spent a lot of time in ASERT in the past day dissecting samples, gathering data from the community, and looking at our own analysis. Here’s some brief notes:

• It drops a file in %SYSTEM32% with a random name (lowercase characters, 2-20 characters). It sets the following registry keys to ensure it runs:
  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"" =C:\WINDOWS\system32\[%random_name%].exe
"" =C:\WINDOWS\system32\[%random_name%].exe

  Where the random name is between 2 and 20 characters long.
• It picks a random string of lowercase characters for a service title
• It communicates with over 150 command nodes (if they all were to resolve) for instructions and templates using UDP port 447; we’re not sure if the replies are source-spoofed or not
• The Kraken servers currently resolve to 64.21.149.167 and 64.21.181.87

AV detection for the samples varies, but the naming isn’t consistent. This doesn’t appear to be the bot that ate the Internet, however, but it does go to show you that spambots are becoming a serious problem.

Microsoft released 8 security bulletins today, 5 critical and 3 important. Go get patched! The ones that have me worried about widespread exploitation:

• MS08-021 – Vulnerabilities in GDI Could Allow Remote Code Execution

, given that you can load EMF and WMF files into a box via the web, and that WMF and EMF are vectors.

• MS08-022 – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution, given how successful attacks against IE have been … this could get messy. Really messy.
• MS08-023 – Security Update of ActiveX Kill Bits, the classic ActiveX overflow.
• and MS08-024 – Cumulative Security Update for Internet Explorer, again, how successful attacks against IE have been in the past 2 years.

Look for each of these to be used in the coming weeks and months in malware delivery. Go review and patch, now.

Remember Storm? New run starting today, using a codec theme. We’ve been working with ISPs to get boxes shut down and alerting people about mitigating the new fastflux domain name, supersameas.com.

This entry was posted on Tuesday, April 8th, 2008 at 3:01 pm and is filed under Botnets, Malware, Trojan Horses, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.