Kraken: a giant squid or a wet squib?

Filed Under: SophosLabs

Yesterday I read a couple of news articles about the Kraken botnet - supposedly twice the size of Storm (aka Dorf) [1,2]. Interesting, and potentially worrying, especially when I read the references to low rates of AV detection and clever obfuscation techniques. Reading again, I noticed the source of the information: researchers at Damballa. The name rang bells - this is not the first time we have seen something like this. Remember 'MayDay', the last botnet "more powerful than Storm"? Vanja blogged about it here.

The guys at the Internet Storm Center (ISC) posted an entry [3] asking users to submit any potentially useful information. Subsequently, they posted an update [4] with a few more details, including some file checksums. I found the corresponding samples in our collection and quickly scanned them with various scanners. All were detected by 5 of the 8 scanners, including the specific sample supposedly linked to the Damballa article. Detection names (for those scanners with a common name across all samples) were as follows:

  • McAfee: Spam-Mailbot
  • Microsoft: Backdoor:Win32/Oderoor.gen!B
  • Sophos: Mal/EncPk-CK
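The workflow described above (published checksums, matching samples pulled from a collection, a scan across several engines, then a count of how many engines detect each sample and which engines use one consistent name across all of them) is easy to script. The following is an added example written for this post, not code from Sophos or the ISC; the sample contents, scanner names and verdicts are all constructed stand-ins, and the reference hashes are derived from those stand-ins rather than taken from the ISC update.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for files in a malware collection. In practice these
# would be the bytes read from each file on disk.
SAMPLES: Dict[str, bytes] = {
    "sample_a.bin": b"constructed sample A (stand-in for a packed bot binary)",
    "sample_b.bin": b"constructed sample B (stand-in for a related variant)",
    "sample_c.bin": b"constructed sample C (unrelated file)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a sample, the form most advisories publish checksums in."""
    return hashlib.sha256(data).hexdigest()


# Reference checksums as an advisory would list them. Constructed here by
# hashing two of the stand-ins; a real run would paste the published hashes.
REFERENCE_HASHES: Set[str] = {
    sha256_hex(SAMPLES["sample_a.bin"]),
    sha256_hex(SAMPLES["sample_b.bin"]),
}

# Constructed scanner verdicts: scanner -> {file -> detection name, or None
# when the scanner did not flag the file}. Scanner names are placeholders.
SCAN_RESULTS: Dict[str, Dict[str, Optional[str]]] = {
    "ScannerA": {"sample_a.bin": "Spam-Mailbot", "sample_b.bin": "Spam-Mailbot"},
    "ScannerB": {"sample_a.bin": "Backdoor.Generic", "sample_b.bin": "Backdoor.Generic"},
    "ScannerC": {"sample_a.bin": "Mal/Packed-X", "sample_b.bin": "Mal/Packed-Y"},
    "ScannerD": {"sample_a.bin": None, "sample_b.bin": None},
}


def match_reference(samples: Dict[str, bytes], reference: Set[str]) -> List[str]:
    """Return the names of samples whose SHA-256 appears in the published list."""
    return sorted(name for name, data in samples.items() if sha256_hex(data) in reference)


def detection_counts(
    matched: List[str], results: Dict[str, Dict[str, Optional[str]]]
) -> Dict[str, Tuple[int, int]]:
    """For each matched sample, (number of scanners that detect it, scanners run)."""
    total = len(results)
    counts: Dict[str, Tuple[int, int]] = {}
    for name in matched:
        detected = sum(1 for verdicts in results.values() if verdicts.get(name))
        counts[name] = (detected, total)
    return counts


def consistent_names(
    matched: List[str], results: Dict[str, Dict[str, Optional[str]]]
) -> Dict[str, str]:
    """Scanners that detect every matched sample under one and the same name.

    A scanner that misses any sample, or that uses different names for
    different samples, is left out, mirroring the post's 'common name across
    all samples' criterion.
    """
    common: Dict[str, str] = {}
    for scanner, verdicts in results.items():
        names = {verdicts.get(name) for name in matched}
        if len(names) == 1:
            only = names.pop()
            if only is not None:
                common[scanner] = only
    return common


if __name__ == "__main__":
    matched = match_reference(SAMPLES, REFERENCE_HASHES)
    print("matched samples:", matched)
    for name, (hit, total) in detection_counts(matched, SCAN_RESULTS).items():
        print(f"{name}: detected by {hit} of {total} scanners")
    for scanner, label in consistent_names(matched, SCAN_RESULTS).items():
        print(f"{scanner}: {label}")
```

With the constructed fixtures this reports both matched samples as detected by 3 of 4 scanners and lists only ScannerA and ScannerB as having a common name, since ScannerC names the two variants differently and ScannerD misses both. The point of the `consistent_names` check is that a family name shared across samples is better evidence of an existing signature than a single generic hit.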

As you can see, Sophos detects this threat as Mal/EncPk-CK, and has done so since 21st Feb 2008. Since then we have seen several samples which are most likely variants in the same family, but the numbers are small. So how is the bot being distributed? How is it that such large numbers of victims are becoming infected? The original article suggests the bot is being spammed out to users, masquerading as an image file. It may well be, but thus far we have not seen it hitting any of our spam traps. We have seen web attacks delivering Mal/EncPk-CK as the final payload, but again not in large numbers.

Like 'MayDay', I think this may well be another 'flash in the pan' story. I do not doubt that victims are infected with this bot, but care should be taken not to overstate the threat. Tactics such as code obfuscation, anti-emulation and self-updating are not new; they are used in countless modern attacks. These types of tricks are exactly what technology such as Behavioral Genotype detection is designed to combat.