Kraken bot cracked open to reveal source code
Security vendor PC Tools has published the source code and the mathematical algorithm behind the domain name generation technique used by the latest Kraken bot variant, Bobax. Analysis by PC Tools researchers shows how Bobax talks to its control centres over HTTP using pseudo-random DNS names of variable seven- to twelve-character length, followed by one of a set of default suffixes, in order to evade host intrusion prevention systems. Commands and data are, of course, encrypted for transmission, but the bot also employs randomly generated fake headers in a further attempt to stay below the radar of security scanners.
The random word generator employed by Kraken is of particular interest: in the Bobax variant at least, it dynamically constructs these random words from properly matched vowels and consonants, using an internal rule-based system that only places a random vowel or consonant where the resulting word will still read sensibly. The randomly generated word is then followed by a bot-selected string, one of thirty-three common English language suffixes. By appending these default adjective, adverb, noun and verb suffixes, such as -able, -ency or -hood, the bot is better able to avoid detection.
"Essentially what we are looking at is an artificial English word generator, which follows common English grammar rules and produces words of similar appearance to those in the English language," says Sergei Shevchenko, Senior Malware Researcher with PC Tools, continuing: "The random word generator is possibly designed to evade spam filters and algorithms that have the ability to distinguish the 'randomness' of words by locating uncommon combinations of characters. If a rule or algorithm cannot be built to distinguish such a word then it cannot be detected or blocked."
Although it is unusual to reveal the source code of such an exploit, PC Tools has done so in "the interests of congregating all the knowledge about this bot so that other security specialists can benefit from it," Shevchenko said.
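To show what a defender can do with the description above, here is an added example (not PC Tools' published code and not taken from the article) that scans constructed resolver log lines for query names shaped like the Bobax pattern: a pronounceable stem of seven to twelve letters followed by one of the English suffixes the article names. The suffix list, the log format and the reading that the stem length excludes the suffix are assumptions; the full list of thirty-three suffixes is not on the page.

```python
import re

# Suffixes the article names; the bot's full list of 33 is not given on the
# page, so this tuple is a placeholder for a defender to extend.
KNOWN_SUFFIXES = ("able", "ency", "hood")
VOWELS = frozenset("aeiou")

def looks_pronounceable(stem):
    """Heuristic for 'properly matched vowels and consonants': letters only,
    at least one vowel, and no run of three vowels or three consonants."""
    if not stem.isalpha() or not any(c in VOWELS for c in stem):
        return False
    run = 1
    for prev, cur in zip(stem, stem[1:]):
        run = run + 1 if (prev in VOWELS) == (cur in VOWELS) else 1
        if run >= 3:
            return False
    return True

def matches_bobax_pattern(hostname):
    """True when the leftmost DNS label is a 7-12 letter pronounceable stem
    followed by a known suffix (assumed reading of the article)."""
    label = hostname.lower().rstrip(".").split(".")[0]
    for suffix in KNOWN_SUFFIXES:
        if label.endswith(suffix):
            stem = label[: -len(suffix)]
            if 7 <= len(stem) <= 12 and looks_pronounceable(stem):
                return True
    return False

# Constructed (assumed) resolver log format: "<timestamp> <client> query <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")

def flag_queries(log_lines):
    """Return (client, qname) pairs whose query name fits the pattern."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and matches_bobax_pattern(m["qname"]):
            hits.append((m["client"], m["qname"]))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2008-04-10T12:00:01 10.0.0.5 query mail.example.com",
    "2008-04-10T12:00:02 10.0.0.5 query tarobenalable.net",
    "2008-04-10T12:00:03 10.0.0.7 query xkqzvtpwhood.org",
    "2008-04-10T12:00:04 10.0.0.5 query readable.example.com",
    "2008-04-10T12:00:05 10.0.0.9 query fermilovency.com",
]
```

Only `tarobenalable.net` and `fermilovency.com` are flagged: the purely random `xkqzvtpwhood.org` fails the vowel rule and `readable` has too short a stem. Genuine English words such as `considerable` also match, which is exactly the evasion Shevchenko describes, so treat a hit as a triage signal to combine with a dictionary allowlist and per-client NXDOMAIN counts rather than as a block rule on its own.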