PC Tools experts crack new Kraken

London, 29 April 2008: Leading security software vendor PC Tools revealed that it has identified a new variant of the Kraken bot, also known as Bobax, and has disclosed the source code of its key component. The new variant employs new techniques to evade detection, which makes this latest Kraken bot a significant threat.

“PC Tools are revealing the details of the latest Kraken variant including the new list of domain names as well as the mathematical algorithm used. The source code of the Kraken domain name generation algorithm is disclosed in the interests of congregating all the knowledge about this bot so that other security specialists can benefit from it,” said Sergei Shevchenko, Senior Malware Researcher, PC Tools.

“The more collective knowledge security vendors have over this threat, the greater the chance the industry has of defeating it,” said Shevchenko.

According to PC Tools malware researchers, the latest Kraken variant continues to see poor detection rates from traditional signature-based anti-malware solutions.

Malware researchers at PC Tools have also identified that the new variant poses a considerable threat because of the new techniques it adopts, in particular “randomness” and unpredictability, which have resulted in a considerable increase in its propagation rates.

The latest variant of Kraken was first intercepted and blocked by ThreatFire, PC Tools’ behaviour-based protection, due to its suspicious behaviour. ThreatFire then passed the threat sample to ThreatExpert, an automated threat analysis system used by PC Tools, for further analysis. ThreatExpert identified the malicious behaviour of the threat and alerted malware researchers at PC Tools to the new functionality of this bot.

Further analysis revealed that, in order to evade host intrusion prevention systems such as firewalls, the new variant of Kraken “talks” to its control centres via HTTP (the “language” that web browsers use to talk to websites), using pseudo-random dynamic DNS names of variable length, from 7 to 12 characters, followed by one of the domain suffixes dyndns.org, yi.org, mooo.com, dynserv.com, com, cc or net. The commands and data that the bot exchanges with the control centres are encrypted, and the bot also uses randomly generated “bogus” headers to stay hidden under the firewall radar.

The distinctive feature of this bot is a random word generator, used by the bot when it produces “bogus” headers and random URLs. The Kraken bot is now capable of dynamically constructing words with properly matched vowels and consonants. It has an internal rule that dictates when to pick random vowels and when to pick random consonants.

The randomly generated word can be followed by a string that the bot selects from a list of 33 common English noun, verb, adjective and adverb suffixes, such as -able, -dom, -hood, -ment, -ship, -ly, or -ency.
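The two paragraphs above give a defender enough structure to write a first-pass DNS-log check: a single label of 7 to 12 letters in front of one of the listed suffixes, with a label that reads like an English word and often ends in one of the quoted English suffixes. The Python below is an added example, not PC Tools’ code and not the Kraken algorithm from the ThreatExpert blog; the query-log lines are constructed for illustration, their BIND-style format is an assumption, and the vowel/consonant alternation score is a simple heuristic of the kind the release says such words are built to pass. It flags names on the structural rule and records, for each, whether a character-statistics filter would have let the label through as “a word”.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domain suffixes the press release attributes to the Kraken/Bobax C2 names.
KRAKEN_SUFFIXES = ("dyndns.org", "yi.org", "mooo.com", "dynserv.com", "com", "cc", "net")

# The seven English suffixes the release quotes; the other 26 of the 33 are not on the page.
ENGLISH_SUFFIXES = ("able", "dom", "hood", "ment", "ship", "ly", "ency")

VOWELS = frozenset("aeiou")
MIN_LABEL, MAX_LABEL = 7, 12      # label length range given in the release

# Constructed sample query-log lines in BIND style (assumed format, not real traffic).
SAMPLE_LOG = """\
29-Apr-2008 10:01:02.100 client 10.0.0.5#51234: query: www.example.com IN A +
29-Apr-2008 10:01:03.200 client 10.0.0.5#51235: query: kotabiment.dyndns.org IN A +
29-Apr-2008 10:01:04.300 client 10.0.0.7#51236: query: mail.corp.example.net IN A +
29-Apr-2008 10:01:05.400 client 10.0.0.5#51237: query: rilodanly.mooo.com IN A +
29-Apr-2008 10:01:06.500 client 10.0.0.9#51238: query: xqzvbwtrkp.cc IN A +
"""

QUERY_RE = re.compile(r"query: (\S+) IN ")


@dataclass
class Finding:
    name: str                       # full queried name
    label: str                      # the pseudo-random part in front of the suffix
    suffix: str                     # which KRAKEN_SUFFIXES entry matched
    english_suffix: Optional[str]   # e.g. "ment" when the label ends in a listed suffix
    alternation: float              # share of adjacent letter pairs that switch vowel/consonant
    wordlike: bool                  # True when a naive "randomness" filter would accept the label


def split_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (label, suffix) when name is exactly <label>.<suffix>, else None."""
    name = name.lower().rstrip(".")
    for sfx in sorted(KRAKEN_SUFFIXES, key=len, reverse=True):   # longest suffix first
        if name.endswith("." + sfx):
            label = name[: -len(sfx) - 1]
            return (label, sfx) if "." not in label else None
    return None


def alternation_score(label: str) -> float:
    """Fraction of adjacent letter pairs whose vowel/consonant class differs.

    Pronounceable, English-looking labels score high; consonant runs score low.
    """
    pairs = list(zip(label, label[1:]))
    if not pairs:
        return 0.0
    switches = sum((a in VOWELS) != (b in VOWELS) for a, b in pairs)
    return switches / len(pairs)


def english_suffix(label: str) -> Optional[str]:
    """The listed English suffix the label ends with, if any."""
    for sfx in sorted(ENGLISH_SUFFIXES, key=len, reverse=True):
        if label.endswith(sfx) and len(label) > len(sfx):
            return sfx
    return None


def looks_wordlike(label: str, threshold: float = 0.6) -> bool:
    """Would a character-statistics filter plausibly accept this label as a word?"""
    return alternation_score(label) >= threshold or english_suffix(label) is not None


def scan_log(text: str) -> List[Finding]:
    """Flag queries that fit the structural pattern: one 7..12 letter label plus a listed suffix."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        parts = split_name(m.group(1))
        if parts is None:
            continue
        label, sfx = parts
        if not (MIN_LABEL <= len(label) <= MAX_LABEL and label.isalpha()):
            continue
        findings.append(Finding(
            name=m.group(1), label=label, suffix=sfx,
            english_suffix=english_suffix(label),
            alternation=alternation_score(label),
            wordlike=looks_wordlike(label),
        ))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.name:24} label={f.label:12} alt={f.alternation:.2f} "
              f"suffix={f.english_suffix} wordlike={f.wordlike}")
```

On the constructed log the two word-like labels (ending in -ment and -ly, alternating vowels and consonants) score as “words”, which is exactly why the release argues that randomness-based filters cannot be relied on for this variant; the structural rule catches them anyway. Because the suffix list includes bare com, cc and net, that rule on its own is noisy on real traffic, so in practice it belongs alongside a first-seen check, an allowlist and the resolver’s NXDOMAIN rate for the same client rather than as a standalone alert.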

“Essentially what we are looking at is an artificial English word generator, which follows common English grammar rules and produces words of similar appearance to those in the English language” said Shevchenko.

“The random word generator is possibly designed to evade spam filters and algorithms that have the ability to distinguish the “randomness” of words by locating uncommon combinations of characters. If a rule or algorithm cannot be built to distinguish such a word then it cannot be detected or blocked” said Shevchenko.

The ThreatExpert automated analysis system has provided evidence about Kraken infection incidents which suggests that, in some cases, the threat was distributed via MSN Messenger. The message would contain an attached ZIP or RAR self-extractor with a file name that includes one of the strings “pic_[random_number].jpeg”, “picture_[random_number].jpeg”, or “album[random_number].jpeg”.

PC Tools malware research experts report sightings of Kraken bot infections during the last 24 hours in the following locations: Italy, Turkey, Norway, Macedonia, Puerto Rico, Thailand, Dominican Republic, New Zealand, Romania, United States, Jamaica, Greece, Mexico, Morocco, Panama, Great Britain, Ecuador, Argentina, Sweden, Serbia, Kazakhstan, Algeria, Uruguay, Lebanon, Jordan, Antigua and Barbuda, Australia, Bosnia and Herzegovina.

“It is the new techniques employed by the new Kraken variant that makes it a significant threat requiring an advanced level of analysis and protection” said Shevchenko.

Designed by the same team of experts at PC Tools, ThreatFire, powered by ThreatExpert, provides an advanced level of behavioural-based protection against the latest Kraken variant.

Further technical details and the algorithm that constructs the URLs are available at: http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html

*Kraken/Bobax bot calculates the coordinates of its control server. Without knowing where it is, the bot is like a lost sheep without its shepherd.
(an analogy suggested by Brian Krebs, www.washingtonpost.com/securityfix)

ABOUT THREATFIRE
ThreatFire uses advanced patent-pending technology to detect signs of malicious behaviour commonly used by malware threats. ThreatFire is unlike traditional anti-virus products that rely on signature technology and require updating every time a new threat occurs. ThreatFire’s ActiveDefence Technology is able to identify and paralyse threats that are too new or too sophisticated to be recognised by traditional security software. ThreatFire only alerts the end user to truly malicious behaviour.

ABOUT PC TOOLS
PC Tools is a global software leader with a cache of security and utility products, including the multi award-winning Spyware Doctor®. PC Tools is an industry leader in real-time anti-spyware and has a number of key patents pending.

The PC Tools Malware Research Centre monitors trends and emerging spyware issues and provides security solutions for the consumer and enterprise marketplace. The company is headquartered in Sydney, with offices in San Francisco, London, Shannon (Ireland), Melbourne, Kiev, and Boulder. PC Tools has a global network of distributors, resellers, and retailers.

MEDIA CONTACT
Magida Ezzat
Marketing Communications Manager
PC Tools Software
Mobile: +61 411 156 152

Lauren Young
Public Relations Manager
PC Tools Software
Mobile: +61 410 541 562
