Security vendor PC Tools has published the source code and the mathematical algorithm behind the domain name generation technique used by Bobax, the latest variant of the Kraken bot. Analysis by PC Tools researchers shows that Bobax talks to its control centres over HTTP using pseudo-random DNS names of variable length, seven to twelve characters, followed by a number of default suffixes, in order to evade host intrusion prevention systems. Commands and data are encrypted for transmission, and the bot also sends randomly generated fake headers in a further attempt to stay well below the radar of security scanners.
The random word generator used by Kraken is of particular interest: in the Bobax variant at least, it builds these random words from properly matched vowels and consonants using an internal rule-based system, so that a random vowel or consonant is only used where the resulting word still reads as a plausible word. The generated word is then followed by a bot-selected string, one of thirty-three common English suffixes. By appending these default adjective, adverb, noun and verb suffixes, such as -able, -ency or -hood, the bot is better able to avoid detection.
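As an added illustration from the detection side (this is not PC Tools' published code), the following Python heuristic flags DNS names that fit the structure described above: a pronounceable random stem of seven to twelve letters followed by a listed English suffix that does not form a dictionary word. It assumes the seven-to-twelve length applies to the stem rather than the whole name; the suffixes beyond -able, -ency and -hood, the tiny dictionary and the sample queries are constructed placeholders.

```python
# Suffixes: the page names -able, -ency and -hood; the rest of the thirty-three
# are not listed there, so the others below are my own illustrative picks.
SUFFIXES = ("able", "ency", "hood", "ment", "ness", "tion", "ship")
VOWELS = set("aeiou")
# Toy dictionary (constructed); a real deployment would load a full word list.
KNOWN_WORDS = {"fashion", "fashionable", "dependency", "payment"}

def split_stem_suffix(label):
    """Return (stem, suffix) if label ends in a listed English suffix, else None."""
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if label.endswith(suf) and len(label) > len(suf):
            return label[:-len(suf)], suf
    return None

def is_pronounceable(stem):
    """Crude stand-in for the bot's vowel/consonant matching: ASCII letters only,
    at least one vowel, and no run of more than two vowels or two consonants."""
    if not (stem.isascii() and stem.isalpha()) or not (set(stem) & VOWELS):
        return False
    run = 1
    for prev, cur in zip(stem, stem[1:]):
        run = run + 1 if (prev in VOWELS) == (cur in VOWELS) else 1
        if run > 2:
            return False
    return True

def check_domain(domain, known_words=KNOWN_WORDS):
    """Return (flagged, note): flagged only when the leftmost label is a
    pronounceable 7-12 letter stem plus a listed suffix and not a known word."""
    label = domain.lower().split(".")[0]
    parts = split_stem_suffix(label)
    if parts is None:
        return False, "no listed English suffix"
    stem, suf = parts
    if label in known_words or stem in known_words:
        return False, f"'{label}' is a dictionary word"
    if not 7 <= len(stem) <= 12:
        return False, f"stem '{stem}' has {len(stem)} letters, outside 7-12"
    if not is_pronounceable(stem):
        return False, f"stem '{stem}' fails the vowel/consonant rule"
    return True, f"random-looking stem '{stem}' + suffix '-{suf}'"

def scan(domains, known_words=KNOWN_WORDS):
    """Return only the flagged domains, as a triage list for DNS-log review."""
    return [d for d in domains if check_domain(d, known_words)[0]]

# Constructed sample queries, not real indicators.
SAMPLE_QUERIES = ["vortanimable.example.net", "kelpariency.example.org",
                  "fashionable.example.net", "xkqzvbtable.example.net", "mail.example.com"]
```

Because the bot's words deliberately pass character-level randomness checks, the dictionary test is what separates them from ordinary English names such as "fashionable"; with a real word list the flag is still a triage signal to review against DNS logs, not a verdict on its own.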
"Essentially what we are looking at is an artificial English word generator, which follows common English grammar rules and produces words of similar appearance to those in the English language," says Sergei Shevchenko, Senior Malware Researcher with PC Tools. He continues: "The random word generator is possibly designed to evade spam filters and algorithms that have the ability to distinguish the 'randomness' of words by locating uncommon combinations of characters. If a rule or algorithm cannot be built to distinguish such a word, then it cannot be detected or blocked."
Although it is unusual to reveal the source code of such an exploit, PC Tools has done so in "the interests of congregating all the knowledge about this bot so that other security specialists can benefit from it," Shevchenko said.