
Security vendor PC Tools has published the source code and the mathematical algorithm behind the domain name generation technique used by the latest Kraken bot variant, Bobax. Analysis by PC Tools researchers has uncovered how Bobax talks to its control centres over HTTP using pseudo-random DNS names of variable length (seven to twelve characters) followed by one of a number of default suffixes, in order to evade host intrusion prevention systems. Commands and data are, of course, encrypted for transmission, but randomly generated fake headers are also employed in a further attempt to stay well below the security scanner radar.

The random word generator employed by Kraken is of particular interest: in the Bobax variant at least, it dynamically constructs these random words from properly matched vowels and consonants by way of an internal rule-based system, which ensures that a random vowel or consonant is only used where the resulting word still reads plausibly. The randomly generated word is then followed by a bot-selected string, one of thirty-three common English language suffixes. By appending these default adjective, adverb, noun and verb suffixes, such as -able, -ency or -hood, the bot is better able to avoid detection.

"Essentially what we are looking at is an artificial English word generator, which follows common English grammar rules and produces words of similar appearance to those in the English language," says Sergei Shevchenko, Senior Malware Researcher with PC Tools, continuing: "The random word generator is possibly designed to evade spam filters and algorithms that have the ability to distinguish the 'randomness' of words by locating uncommon combinations of characters. If a rule or algorithm cannot be built to distinguish such a word then it cannot be detected or blocked."
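To make the evasion concrete, here is an added example (written for this article, not PC Tools' published code and not the bot's own generator) that puts the two ideas above side by side: a naive "randomness" check of the kind Shevchenko describes, based on character entropy and long consonant runs, and a structural check modelled on the article's description of a pronounceable stem followed by an English suffix. Only the three suffixes the article names (-able, -ency, -hood) are included, since the full list of thirty-three is not on the page, and the example assumes the seven-to-twelve character count applies to the stem before the suffix. The sample domains are constructed and are not indicators from any real campaign.

```python
import math
from collections import Counter

# Suffixes the article names; the bot's full list of 33 is not given on the page,
# so this tuple is a deliberately incomplete stand-in (assumption).
KNOWN_SUFFIXES = ("able", "ency", "hood")
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of character entropy in a label (higher means more 'random looking')."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_run(s, predicate):
    """Length of the longest run of consecutive characters satisfying predicate."""
    best = cur = 0
    for ch in s:
        cur = cur + 1 if predicate(ch) else 0
        best = max(best, cur)
    return best


def naive_random_flag(label, entropy_threshold=3.5, consonant_run=4):
    """The style of check the article says the word generator is built to evade:
    flag labels with high character entropy or long runs of consonants."""
    return (shannon_entropy(label) >= entropy_threshold
            or longest_run(label, lambda c: c not in VOWELS) >= consonant_run)


def pronounceable(stem):
    """Crude stand-in for the bot's vowel/consonant matching rules (assumption):
    at least one vowel, and no run of three or more vowels or consonants."""
    return (any(c in VOWELS for c in stem)
            and longest_run(stem, lambda c: c not in VOWELS) <= 2
            and longest_run(stem, lambda c: c in VOWELS) <= 2)


def split_suffix(label):
    """Return (stem, suffix) if the label ends in a known suffix, else (label, None)."""
    for suf in KNOWN_SUFFIXES:
        if label.endswith(suf) and len(label) > len(suf):
            return label[:-len(suf)], suf
    return label, None


def structure_flag(label):
    """Structural check modelled on the article: a 7-12 character pronounceable
    stem followed by one of the English suffixes."""
    stem, suf = split_suffix(label)
    return suf is not None and 7 <= len(stem) <= 12 and pronounceable(stem)


def classify(fqdn):
    """Run both checks over the leftmost DNS label of a hostname."""
    label = fqdn.lower().split(".")[0]
    return {
        "label": label,
        "naive_random": naive_random_flag(label),
        "structural": structure_flag(label),
    }


if __name__ == "__main__":
    # Constructed samples: a generated-looking word with a suffix, a gibberish
    # label, and an ordinary name. None are real indicators.
    for host in ("kalmenitable.example", "qxzvkpwr.example", "google.example"):
        print(classify(host))
```

Running the block shows the point of the article: the pronounceable, suffixed label passes the entropy and consonant-run check that catches the gibberish label, and only the structural check, which knows about the suffix pattern, flags it. In practice the structural check needs the full suffix list and a stem model closer to the bot's real rules, and it will produce false positives on genuine English words of the same shape, so it is a signal to combine with others rather than a blocking rule on its own.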

Although it is unusual to reveal the source code of such an exploit, PC Tools has done so in "the interests of congregating all the knowledge about this bot so that other security specialists can benefit from it," Shevchenko said.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
