Security vendor PC Tools has published the source code and the mathematical algorithm behind the domain name generation technique used by the latest Kraken bot variant, Bobax. Analysis by PC Tools researchers shows how Bobax talks to its control centres over HTTP using pseudo-random DNS names of variable length (seven to twelve characters) followed by one of a number of default suffixes, in order to evade host intrusion prevention systems. Commands and data are encrypted in transit, and the bot also sends randomly generated fake headers in a further attempt to stay below the radar of security scanners.

The random word generator employed by Kraken is of particular interest because, in the Bobax variant at least, it builds its random words from properly matched vowels and consonants. An internal rule-based system ensures that a random vowel or random consonant is only placed where the resulting word still reads plausibly. The generated stem is then followed by a bot-selected string drawn from a list of thirty-three common English suffixes. By appending these default adjective, adverb, noun and verb suffixes, such as -able, -ency or -hood, the bot produces names that are harder to flag as machine-generated.

"Essentially what we are looking at is an artificial English word generator, which follows common English grammar rules and produces words of similar appearance to those in the English language," says Sergei Shevchenko, Senior Malware Researcher with PC Tools. He continues: "The random word generator is possibly designed to evade spam filters and algorithms that have the ability to distinguish the 'randomness' of words by locating uncommon combinations of characters. If a rule or algorithm cannot be built to distinguish such a word then it cannot be detected or blocked."
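To make the two preceding points concrete, here is an added example (written for this page, not PC Tools' published Bobax code, whose actual rules, suffix table and default domain suffixes are not reproduced here). It builds domain names the way the article describes, a seven-to-twelve character stem assembled from alternating consonants and vowels, plus an English suffix and a default domain suffix, and then runs them through the kind of structure-only "uncommon combinations of characters" check Shevchenko mentions, to show why such a generator slips past it. The consonant clusters, the eight-entry suffix list, the TLD list and the run-length thresholds are all assumptions made for the example.

```python
import random

VOWELS = "aeiou"
# Assumption: q and y are left out so every consonant can stand alone before a vowel.
CONSONANTS = "bcdfghjklmnprstvwxz"
# Assumption: a few onset clusters that English tolerates, so the stems do not
# degenerate into strict one-consonant/one-vowel alternation.
CLUSTERS = ["st", "tr", "pl", "br", "ch", "sh", "cr", "fl"]
# Constructed subset of English suffixes; the article says Bobax carries 33, which
# are not listed on the page.
SUFFIXES = ["able", "ency", "hood", "ness", "ment", "tion", "ship", "less"]
# Assumption: stand-ins for the bot's "default suffixes" (top-level domains).
TLDS = [".com", ".net", ".info"]


def pronounceable_word(rng, length):
    """Build a stem of exactly `length` letters.

    Rule set (an assumption, not the Bobax rules): vowels never touch each
    other, a consonant position is either a single consonant or a two-letter
    cluster, and a cluster is never used in the final position so the stem
    always ends in a single letter."""
    word = []
    # Roughly 30% of stems open with a vowel.
    want_vowel = rng.random() < 0.3
    while len(word) < length:
        if want_vowel:
            word.append(rng.choice(VOWELS))
            want_vowel = False
        else:
            if len(word) + 2 < length and rng.random() < 0.25:
                word.extend(rng.choice(CLUSTERS))
            else:
                word.append(rng.choice(CONSONANTS))
            want_vowel = True
    return "".join(word)


def generate_domain(rng):
    """Stem of 7..12 letters, then an English suffix, then a default TLD."""
    stem = pronounceable_word(rng, rng.randint(7, 12))
    return stem + rng.choice(SUFFIXES) + rng.choice(TLDS)


def letter_runs(letters):
    """Return [(is_vowel, run_length), ...] for maximal same-class runs."""
    runs = []
    for ch in letters:
        is_vowel = ch in VOWELS
        if runs and runs[-1][0] == is_vowel:
            runs[-1][1] += 1
        else:
            runs.append([is_vowel, 1])
    return [(v, n) for v, n in runs]


def looks_random(label):
    """Structure-only heuristic of the kind a spam filter might use: flag a
    label that has no vowels, three or more vowels in a row, or four or more
    consonants in a row. Thresholds are assumptions for the example."""
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters or not any(c in VOWELS for c in letters):
        return True
    for is_vowel, n in letter_runs(letters):
        if (is_vowel and n >= 3) or (not is_vowel and n >= 4):
            return True
    return False


if __name__ == "__main__":
    rng = random.Random(1234)
    for _ in range(5):
        d = generate_domain(rng)
        print(d, "random-looking" if looks_random(d.split(".")[0]) else "passes")
    for sample in ["xqzvbkpqtw", "aeioubcd", "example"]:
        print(sample, looks_random(sample))
```

Because the generator only ever emits letter combinations the heuristic considers normal, every generated label passes, while a label drawn uniformly from the alphabet is caught almost immediately; the heuristic also misfires on legitimate words such as "strengths", which is the other half of Shevchenko's point. Detection of names like these has to lean on signals other than spelling, for example the volume of NXDOMAIN responses a host generates or the age and registrar of the domains that do resolve.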

Although it is unusual to reveal the source code of such malware, PC Tools has done so in "the interests of congregating all the knowledge about this bot so that other security specialists can benefit from it," Shevchenko said.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011, despite my life being far from over...