Kraken Reverts to HTTP

April 22, 2008 – 7:47 PM

Following a friendly heads up from someone yesterday morning, I re-loaded the
following Kraken samples into my honeypot:

1d51463150db06bc098fef335bc64971
65b958bf6f5eddca3d9455354af08b6f
6ec7d67d5553cbec2a99c7fbe385a729
7ecef2f126e66e7270afa7b803f715bc
8fd8c67103ec073d9303a7fbc702f89a

and began monitoring them. Each sample proceeded to update itself;
the updated binary is around 160KB, given a random name and
placed in the system32 directory, and no longer has an imagefile icon.

The names/MD5 values of samples I got are:

26bd8e696629edba4a1d610d1062b3f1 jtliutnj.exe
36a8c8cce65c9ab46fca127de9dcc5d1 niksojrjbg.exe
b5f65d971d7362512dafdb473ef5888d xfkmrb.exe
5f94989145b4bf69cf81c223b15ec653 yy.exe
5c9274a4483ed540fd433a2cd885e561 zp.exe

As someone mentioned, it does indeed appear that Kraken/Bobax has changed
(perhaps reverted?) its C&C to HTTP. The honeypot session for
1d51463150db06bc098fef335bc64971 goes something like the following:

UTC 15:30 – Honeypot infected with 1d51463150db06bc098fef335bc64971.
UTC 15:45 – niksojrjbg.exe appears in system32 directory.
UTC 15:50 – Last TCP/UDP 447 packets (host 209.160.65.66) observed.
UTC 16:00 – Spam run commences.
UTC 16:10 – First observed HTTP communication with C&C.

The samples do not appear to be using DNS to obtain IPs of the C&C
servers. The C&C IPs I’ve been able to identify from the samples are
208.101.52.82, 208.101.54.243, and 208.101.42.28. Communication is
performed by the victim making an HTTP POST (poststring attached);
receipt of binary data with a bogus MIME type follows:

paul:~$ cat kraken.poststring | nc 208.101.52.82 80 > file1

paul:~$ cat kraken.poststring | nc 208.101.52.82 80 > file5

paul:~$ for i in file*; do head -n 5 $i; echo ‘–‘; done;
HTTP/1.1 200 OK
Server: Apache
Content-Length: 13958
Connection: Close
Content-Type: video/mpeg

HTTP/1.1 200 OK
Server: Apache
Content-Length: 13958
Connection: Close
Content-Type: application/x-tar

HTTP/1.1 200 OK
Server: Apache/2.0.54
Content-Length: 13958
Connection: Close
Content-Type: image/gif

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 13958
Connection: Close
Content-Type: audio/x-wav

HTTP/1.1 200 OK
Server: Apache/1.3.33
Content-Length: 13958
Connection: Close
Content-Type: audio/x-wav

Source: Offensive Computing

You must be logged in to post a comment.