Kraken Spawns a Clash of the Titans
Most of my waking hours on Monday were spent fielding indignant queries from sources in the anti-virus industry who were wondering what I knew about reports of a new family of malicious software that allegedly had managed to infect more than 400,000 computers worldwide seemingly overnight with computer code that hijacked each machine for use in blasting out spam e-mails.
What I discovered says as much about the steady-as-she-goes state of the anti-virus industry as it does the lengths to which an upstart security company will go to upset the apple cart that defines the mainstream computer security marketplace today.
At issue was news that Atlanta-based security firm Damballa had discovered that hackers had infected more than 400,000 Windows PCs with malicious software that forces them to relay junk e-mail. The story noted that this particular contagion had heretofore gone undetected by 80 percent of the commercial anti-virus tools on the market. Spam relays often are referred to as "bots," while large groupings of bots -- remotely controlled by the attackers -- are known as "botnets." Damballa is a startup at Georgia Tech that is trying to build a business around helping companies identify and remove bot infections from their networks.
From the now ubiquitous Dark Reading story about Damballa's discovery:
"The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa."
Apart from that information, the story left many security professionals hungering for more details. Chief among those were: How exactly does Damballa know so precisely how many bots were involved? And how does the company know whether various anti-virus products detect this spam bot as malicious or not?
In regard to the first question, most botnet masters control their herds of infected PCs by having each report to a specific Web site to receive instructions. But these bots quickly become stranded when security professionals step in and have Internet service providers shutter those sites.
Consequently, many botmasters -- including those who control the Kraken botnet -- have taken to using free so-called "dynamic DNS" services (DNS, short for domain name system, is what helps map human-friendly domain names like example.com into numeric Internet addresses that are easier for computers and Web browsers to route). Dynamic DNS services are great for small mom-and-pop Web sites that may be hosted on a network that frequently changes its numeric Internet address: No matter how many times that address changes, a dynamic DNS service will route a visiting Web browser to the latest address.
In the early days of bot infections, botmasters would have all of their infected PCs report to a particular Internet server to receive updates and instructions on what to spam or whom to attack. But those stationary control servers represent a single point of failure for botmasters: If security professionals can get them taken offline, the botmaster can lose control over his herd of infected machines, as the individual bots no longer know where to go to receive instructions and become stranded indefinitely, sort of like sheep without a shepherd.
As a result, many botmasters have switched to using dynamic DNS because these services eliminate this single point of failure. Using dynamic DNS, the botmaster simply tells his bots to report to a particular domain name he controls, such as example.com, and the dynamic DNS provider takes care of making sure all infected machines know how to find the control server (I wrote about this trend back in February 2006, in an investigative story that followed a young botmaster named 0x80 who controlled a network of more than 13,000 infected PCs using dynamic DNS services.)
Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code.
The reason Damballa knows exactly how many bots are infected with Kraken is that its experts managed to work out the mathematical algorithm Kraken uses to generate dynamic DNS names that will be used in the future to control the botnet. With that information, the company can then go reserve those dynamic DNS names ahead of time, and when the botnet gets around to using them, all of the bots will eventually report to servers Damballa controls.
In fact, if you were to visit this link, which describes in exquisite detail how one variant of the Kraken botnet works, you'd see a list of more than 100 dynamic DNS names at the bottom. Investigate that list a bit further, and you'd find that nearly a third of those point to Internet servers hosted at Georgia Tech, home to many of the Damballa researchers, including the company's chief scientist, David Dagon.
At this point, it might appear that Georgia Tech/Damballa is enabling a massive spam botnet. But Damballa's Paul Royal said the none of the bots that connect to its systems ever send any outbound traffic or receive updates from the Kraken botmasters.
"If you were to watch the traffic on those servers, what you'd find is that there's only traffic going into them, and no actual traffic coming back out," Royal told Security Fix. He declined to elaborate further on exactly how Damballa manages this -- citing trade secrets. But the reality is that Damballa researchers have been doing this for some time now, and more precise descriptions of how they manage this "sinkhole" approach to botnets is described here, here and here.
So that explains why Damballa knows exactly how many machines are infected with Kraken (and the company says it plans next week to publish a list of Internet addresses infected with the bot). But how does the company know whether various anti-virus firms detect this spam bot as malicious or not?
Damballa says that in late December 2007 it used Virustotal.com to scan the Kraken code against 32 commercial anti-virus products, and that at the time only 11 of them (34 percent) detected it as malicious -- see the results here (PDF). A more recent scan of the bot code on April 1 (PDF) shows that detection of Kraken among the anti-virus industry has increased, but only slightly -- just 16 of 32 (50 percent) of the anti-virus companies now flag it as bad.
Royal said such dismal detection rates show why anti-virus products are "slowly slipping into a set of security tools whose time has come and gone."
Many folks in the anti-virus and broader Internet security space say Damballa is trying to make a name for itself by hyping this threat, and that Kraken is nothing more than a renamed and repackaged "Bobax," a worm of similar lineage and methods that was discovered several years ago (in February, Security Fix wrote about Damballa research suggesting that the indefatigable "Storm" worm got its start by cannibalizing PCs infected with Bobax).
"We've taken a look at this and it seems the Damballa guys are into rebranding, and that they've simply taken Bobax" and presented it as Kraken, said Dmitri Alperovitch, director of intelligence analysis at Secure Computing, also based in Atlanta.
Regardless of who's right here, this debate between Damballa and the anti-virus industry has happened before and is likely to occur again. That's because the anti-virus industry no longer has the luxury of correctly classifying malicious software: They are doing everything they can just to keep up with the glut of malware being released on the 'Net each day, and to classify it as malicious.
As I noted in my recent story Antivirus Firms Scrambling to Keep Up, most anti-virus companies have by necessity moved to classify new threats under far more boring, catch-all names, such as "hacktool.spammer," and "backdoor.trojan," as opposed to anything as scary- and impressive-sounding as Kraken.
For those readers still playing along and wondering what they can do to protect their Windows PCs from the mighty Kraken, the advice is the same: Use anti-virus, but don't depend on it to save you from risky behaviors online. Use a firewall, keep your computer and third-party software up-to-date with the latest security patches. Don't click on links sent to you unexpectedly in e-mail or instant message. But if you do nothing else, configure your computer so that you run it under a limited user account for everyday use.
Update, April. 10, 11:29 p.m.: Joe Stewart, director of malware research for SecureWorks, published a paper listing the top spam botnets by apparent size. Stewart's research references Kraken as another name for Bobax, and suggests the size of that botnet is closer to 185,000 infected machines. Meanwhile, Damballa has put out a white paper on Kraken, defending the company's methods and the reasons it believes Kraken is separate from Bobax and any other previously identified botnet families.
April 8, 2008; 11:38 AM ET
Categories: From the Bunker , Latest Warnings , Safety Tips
Save & Share: Previous: Social Networking Accounts Prized By Cybercrooks
Next: Microsoft Fixes 10 Security Vulnerabilities
The comments to this entry are closed.