After the recent interest in the Kraken bot from various communities, Gaurav Dalal, Denys Ma, and I have been watching the bot's network behavior very closely. About two weeks after the initial analysis from SANS, the bot author appears to have pushed an update to the bot over TCP port 447. The updated bot now uses a stealthier command and control (C&C) mechanism that evades the previously proposed detections: it no longer uses UDP port 447 with a 74-byte payload. After the bot updated itself, we observed it using UDP packets with random ports and random payload lengths for its C&C communication, so neither the port nor the packet size is useful as a signature any more. All of this C&C traffic is encrypted. Surprisingly, we also noticed that the updated bot now uses the well-known HTTP protocol on TCP ports 80 and 443 to send and receive encrypted C&C data, and, more interestingly, the traffic on port 443 is encrypted but is not SSL: it blends in with HTTPS on a port-based view yet will not parse as an SSL session. Both the update process and the C&C mechanism itself look very interesting. We are continuing our research and will update this blog with more technical information soon.
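To make the evasion concrete, here is an added example (not code from the original post or from the Kraken analysis) that runs two flow-level checks over a handful of constructed, hypothetical flow records: the old port-and-length signature (UDP/447, 74-byte payload) and a heuristic for "encrypted but not SSL on TCP/443" based on whether the first client bytes look like a TLS record header or an SSLv2 CLIENT-HELLO. The sample flows, the label names and the header heuristic are all assumptions made for illustration; the post gives no packet captures.

```python
import struct
from collections import Counter

# Constructed sample flows, not captured Kraken traffic: (proto, dst_port, first payload bytes).
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"
SAMPLE_FLOWS = [
    ("udp", 447, b"\x00" * 74),                        # original Kraken C&C shape
    ("udp", 37261, b"\x5c\xa1" * 26),                  # randomized port and length (52 bytes)
    ("tcp", 443, TLS_CLIENT_HELLO_PREFIX),             # looks like a real TLS handshake
    ("tcp", 443, b"\x8a\x3f\xc2\x19\x77\x04\xde\xad"), # encrypted blob, not SSL/TLS
    ("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("tcp", 447, b"\x01\x02\x03\x04"),                 # port the update was pushed over
]

# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def looks_like_tls(payload: bytes) -> bool:
    """Heuristic (assumption): does the first client chunk start with a TLS record header
    or an SSLv2 CLIENT-HELLO? Only the first five bytes are examined."""
    if len(payload) < 5:
        return False
    # TLS/SSLv3 record header: content type, version 3.x, 16-bit length within max record size.
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = struct.unpack("!H", payload[3:5])[0]
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 3 and 0 < length <= 2**14 + 2048:
        return True
    # SSLv2 CLIENT-HELLO: 2-byte length with the high bit set, then message type 0x01.
    return bool(payload[0] & 0x80) and payload[2] == 0x01


def classify_flow(proto: str, dport: int, payload: bytes) -> str:
    """Apply the old Kraken signature and the non-SSL-on-443 heuristic to one flow."""
    # The original detection: UDP to port 447 carrying exactly 74 bytes.
    if proto == "udp" and dport == 447 and len(payload) == 74:
        return "kraken-v1-udp447"
    # Port 443 traffic whose first bytes are not an SSL/TLS header is worth a second look.
    if proto == "tcp" and dport == 443 and not looks_like_tls(payload):
        return "non-tls-on-443"
    # The update itself was observed over TCP 447; flag the port for triage only.
    if proto == "tcp" and dport == 447:
        return "tcp447-update-channel"
    return "unflagged"


def scan(flows) -> Counter:
    """Count how each constructed flow is labelled."""
    return Counter(classify_flow(*flow) for flow in flows)


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow[0], flow[1], len(flow[2]), "->", classify_flow(*flow))
    print(scan(SAMPLE_FLOWS))
```

Running it shows the point of the post: the randomized UDP flow and the HTTP flow on port 80 come back "unflagged", because once the port and payload length are random (and the HTTP body is encrypted), a port-and-size signature has nothing to match. The non-SSL-on-443 heuristic is the one check here that still fires on the updated behavior, and it is only a triage signal; any non-TLS protocol pushed over 443 will trip it.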