So I recently got contacted by someone who said they had KrakenHTTP and wondered if I wanted it. I have been waiting for a while to get my hands on this, not because it looked amazing; simply, it was shouting so loudly on forums about how wonderful it was that I wanted to disprove that it was that great.
The first big let-down is that it's ionCube encoded. I don't know why some malware developers think it's appropriate to obfuscate their source. When I say it's inappropriate I'm not saying this as a researcher but from a client's viewpoint. You buy yourself a server and decide to start a botnet, you look around forums at various botnets and find "KrakenHTTP". You purchase this botnet to find out the panel files are encoded with ionCube (a popular PHP encoder). I am now suspicious about what sort of code is within the panel and wonder whether there is a backdoor or bot-stealing code in there. There's a reason why big names keep things open source, kids.
Let's start off with the executable. First of all, they have packed it with the very popular packer UPX. Although I first discovered this in the debugger I was using, you can simply look at the hex and identify the ASCII characters of a UPX signature. If I were a network administrator, I would have a whitelist for UPX signatures; far too many executables which utilise UPX are malware.
After successfully unpacking it (manually or with UPX's decompress argument), we can move on to the main business: the exe. I will note I'm not covering everything here, simply the highlights for me. It's 10:00 PM and I sadly have other things to attend to.
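The "look at the hex for a UPX signature" check above is easy to automate. The following is an added example, not code from the post: it walks the PE section table for the section names UPX leaves behind (UPX0, UPX1, ...) and looks for the "UPX!" marker the packer writes into its header, the two tell-tales a triage script or a mail gateway can key on. The sample PE skeletons are constructed here purely to exercise the scanner; they are not the Kraken binary and are not executable.

```python
import struct

# Minimal PE section-table walk: just enough to read the eight-byte section
# names. Not a full PE parser; malformed headers simply yield no names.
def pe_section_names(data: bytes) -> list:
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # start of the COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def upx_indicators(data: bytes) -> list:
    """Return the UPX tell-tales found: UPX* section names and the 'UPX!' marker."""
    hits = [n for n in pe_section_names(data) if n.upper().startswith("UPX")]
    if b"UPX!" in data:
        hits.append("UPX! marker")
    return hits

def build_sample(section_names, trailer=b""):
    """Constructed, non-executable PE skeleton used only to exercise the scanner."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + trailer

# Constructed samples: one with UPX's default layout, one with ordinary sections.
PACKED_SAMPLE = build_sample([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 16 + b"UPX!" + b"\0" * 16)
PLAIN_SAMPLE = build_sample([b".text", b".data", b".rsrc"])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, upx_indicators(blob) or "no UPX indicators")
```

Section names are trivially renamed by anyone who cares, so treat a hit as a reason to unpack and look further, and treat the absence of a hit as meaning nothing at all.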
Forum Post Advertising Kraken
Kraken works under Windows systems.
Windows 95, Windows NT 4, Windows 98, Windows ME, Windows 2000, Windows XP -> (shown in statistics as "Windows XP")
Windows Server 2003, 2008, 2008 R2, 2012 -> (shown in statistics as "Windows Server")
Windows 7 -> (shown in statistics as "Windows 7")
Windows 8/8.1 -> (shown in statistics as "Windows 8")
-> Login system with anti-bruteforce (if you enter the wrong user/password 3 times, you get banned for about 24 hours)
-> Dashboard, Active Commands, Settings, Logs and Logout pages
-> Statistics about total bots, bots online, bots online within 24 hours, new bots (past 24 hours), bots offline and bots dead
-> Bot information "IP Address, Computer, Operating System, (32/64bit), HWID, Version, Status" in the Dashboard
-> Bot information if you click on the computer name: "CPU, GPU, RAM, Hard Disk, Java installed?, Steam installed?, Origin installed?,
web browser used?, install date, antivirus used?, firewall on or off, Windows Update on or off"
-> Some statistics charts
-> Create command with parameters like "one computer (HWID) or all", "How much?", "Only bots running XP or Vista or Win7 etc.",
"Only bots located in a country like China, or just all computers"
-> Active commands, which show how many bots have run the task, name of command, data and parameters
-> Settings: you can change the password
-> Settings: you can change the number of bots per page
-> Settings: you can change between 3 themes (blue, green, red)
-> Settings: you can change the timeout for bots dead (in days)
-> Settings: you can change the timeout (in minutes) of the panel, and bots are updated automatically
without needing to update your bots
-> You can enable or disable antibotkill
-> Logs: you can see logs taken from CoreFTP and FileZilla FTP
-> Startup install with HKCU key & HKLM (if admin rights are sufficient, like with Windows XP)
-> Bin written in FASM (under 25 KB packed with UPX) (ATM it's 18 KB)
-> Working from 95 to Windows 10 (no dependencies)
-> Bypass UAC (workaround)
-> C&C backup (if the first C&C is down, the bot connects to a 2nd C&C, so you don't lose your bots)
-> Unicode support (works under all systems, even Chinese, Japanese, Arabic, Russian)
-> Anti VirtualBox (bot won't work under a VirtualBox system)
-> Path & variables encrypted
-> Process & registry persistence
-> Folder, bot file & all files dropped are hidden (through rootkit)
-> Rootkit ring3 (files hidden from Explorer / registry, and process protected from being killed)
-> Botkill (a simple module which loops and searches for suspect processes, then suspends, kills and deletes the file + removes startup)
-> Bitcoin Monitor (this module detects any BTC addresses copied to the clipboard of the PC,
and replaces them with a customer-specified address. So whenever a victim copies and pastes a BTC
address to pay, it is replaced with yours)
-> How does the rootkit work?
The rootkit works under user mode (ring3).
It doesn't use a driver, only the Windows API and hooking.
This rootkit does the job and works even on computers with UAC enabled.
We hook and detect if a user goes to view our keys; if he does, we delete the keys and then add these keys again.
So you can't know that you have some keys in your system, because all keys are "invisible" if you try to see them.
We use several methods to hide all files used by the bot (the bin itself, files dropped through dl/exe and update).
Kraken uses some very well known process names trusted in Windows, then we use a "trick" which allows setting a process
in debug mode.
So the Kraken process is set as a "Critical Process" and can't be killed.
The process method isn't related to a rootkit, it's more a trick, but one that works nicely.
The rootkit works under 32/64-bit systems. Tested on Windows XP & Windows 7. (Of course it should work under Vista & Windows 8/8.1;
there is no reason the rootkit won't work under these systems, because Windows 8/8.1 and Vista are just Windows 7 with another skin.)
-> How does Botkill work?
Botkill looks for all processes whose path is related to APPDATA, TEMP and some other system folders.
If these processes have nothing to do in the system (no Windows/legit application process),
the Botkill module suspends the process, then kills it, deletes the file & removes keys.
This module works well enough to kill most malware shit (cryptominers, RATs, some bots).
-> Visit website, hidden or visible
-> Download & execute (with filename or random name)
-> Download & inject DLL (default explorer)
-> Update with MD5 check
Bin = $270 (rootkit module included)
Botkill module = + $30
Bitcoin Monitor = + $20
Rebuild = $20 (proof of suspended domain must be given)
Major updates = free
Future plugins and very time-consuming updates will be paid.
Payment: BTC and UKASH (for European customers)
Panel files and builds will be sent within 24h after purchase.
Note: I am just selling this product. I am not the coder. The coder prefers to stay anonymous and can be contacted through me and only me. But I should be able to answer most of your questions.
I'm not the greatest at cryptography, but I came to the conclusion it was RC4; comparing with other pieces of malware, it seemed like the popular RC4 was used once again (correct me if I'm wrong). One of the first things Kraken does is decode the strings embedded in the executable. One of the first is the path to VBoxTray.exe, which I assume (I have VMware) is VirtualBox.
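When a sample decodes its strings with RC4, an analyst usually wants to pull them all out at once rather than stepping through the decoder for each one. The following is an added example, not code from the post: a plain RC4 routine plus a decoder for a table of length-prefixed encrypted strings. The table layout (one length byte followed by the ciphertext) and the key are assumptions constructed for the example; the real key and the real layout inside Kraken are not given in the post, and the three plaintexts are just strings the post mentions.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR keystream
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_text(blob: bytes) -> bool:
    """Sanity check for a candidate key: real strings decode to printable ASCII."""
    return len(blob) > 0 and all(32 <= b < 127 for b in blob)

def decode_string_table(key: bytes, table: bytes) -> list:
    """Decode a blob of [len][ciphertext] records (layout is an assumption, see lead-in).
    Entries that do not decode to printable text come back as None."""
    strings, pos = [], 0
    while pos < len(table):
        n = table[pos]
        chunk = table[pos + 1: pos + 1 + n]
        if len(chunk) != n:                    # truncated record: stop rather than guess
            break
        pt = rc4(key, chunk)
        strings.append(pt.decode("ascii") if looks_like_text(pt) else None)
        pos += 1 + n
    return strings

def build_string_table(key: bytes, strings: list) -> bytes:
    """Constructed helper so the example has something to decode offline."""
    return b"".join(bytes([len(s)]) + rc4(key, s.encode()) for s in strings)

SAMPLE_KEY = b"kraken-demo-key"                # constructed; not the sample's real key
SAMPLE_STRINGS = ["VBoxTray.exe", "yourhavebecracked", "includes/ip.php"]
SAMPLE_TABLE = build_string_table(SAMPLE_KEY, SAMPLE_STRINGS)

if __name__ == "__main__":
    for s in decode_string_table(SAMPLE_KEY, SAMPLE_TABLE):
        print(repr(s))
    print("wrong key:", decode_string_table(b"wrong-key", SAMPLE_TABLE))
```

The printable-text filter is what makes this usable when you are not sure of the key yet: feed candidate keys pulled from the binary through `decode_string_table` and the right one is the one that turns the table into readable paths, mutex names and URLs.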
Next is what looks to be the C&C; after a loop in which I set a simple breakpoint, we can see the host defaults to the includes folder. The rest of the files that aren't in includes are most likely to do with the administration of the botnet.
We then call CreateMutexW to create a mutex called "yourhavebecracked". An interesting name, I must say. But ok. We then move on to some evasion: first is Wireshark, for which Kraken uses a few tricks with the Windows API to check whether anything under the name Wireshark is present; this also goes for Fiddler.
I have simply NOP'd out the VMware code so Kraken cannot detect that I am indeed running VMware. The interesting thing is that the VirtualBox string was encoded, but the VMware one isn't. What's up with that? Anyway, it simply checked whether files from a 32- or 64-bit system existed, i.e. it checked the Program Files folder for VMware files. It then further fingerprints the machine by checking for AMD, NVIDIA and ATI folders in the Program Files section of Windows. Further on, it also checks for Steam and Origin folders. Oh Kraken, you. In fact, it does the same to identify whether Google Chrome and Mozilla Firefox are present, and every AV that a western country uses. Not the best of methods in my opinion. I've decided to just give one screenshot of this; it's not like it's groundbreaking stuff.
Kraken then moves on to placing itself within the system. Of course it sets hidden attributes on every folder and file it creates, but it plants smss.exe, and another folder containing smss.exe, at C:\Documents and Settings\[username]\Application Data\System\Oracle. I will say now that I am using XP for this analysis, as I simply prefer it when looking at malware.
From there we move on to FileZilla and find out if we have any servers that we can scrape. Surprisingly, this works quite well for botnets: a weird number of people do use FileZilla for FTP. Whether it be for corporate or personal websites, a botnet owner usually doesn't care; they just want the server resources.
The number of HTTP calls back to the server would be slightly worrying for me if I were a botnet owner. It calls back twice (day.php, ip.php) simply to learn what day it is and what IP the user has. What strikes me is that this could have been done with one request, and yet they have decided to have two separate HTTP calls. I thought botnets were supposed to be as quiet as possible.
To further the embarrassment, it then proceeds to check the country by submitting the IP it just got from the server, sending it back to a file called country.php in a request parameter called IP. After a while it proceeds to check in via idcontact.php; here is a typical URL pattern. Another is get.php.
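The noisy call-back sequence described above (day.php, ip.php, country.php with the IP passed as a parameter, idcontact.php, get.php) is exactly the kind of thing a proxy log is good at catching. The following is an added example, not code from the post: it parses a constructed proxy log and raises a finding for any client that hits several of those script names on the same host. The log format, the host names and the client addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Script names the walkthrough saw Kraken request after infection.
KRAKEN_ENDPOINTS = {"day.php", "ip.php", "country.php", "idcontact.php", "get.php"}

# Constructed log format (assumption): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample log. Client 10.0.0.15 shows the full Kraken check-in;
# client 10.0.0.22 hits a lone ip.php on an unrelated site and must not be flagged.
SAMPLE_LOG = """\
2015-05-04T22:01:10Z 10.0.0.15 GET http://panel.example/includes/day.php 200
2015-05-04T22:01:11Z 10.0.0.15 GET http://panel.example/includes/ip.php 200
2015-05-04T22:01:12Z 10.0.0.15 GET http://panel.example/includes/country.php?ip=203.0.113.9 200
2015-05-04T22:01:13Z 10.0.0.15 GET http://panel.example/includes/idcontact.php 200
2015-05-04T22:02:00Z 10.0.0.15 GET http://panel.example/includes/get.php 200
2015-05-04T22:01:30Z 10.0.0.22 GET http://www.example.org/index.php 200
2015-05-04T22:01:31Z 10.0.0.22 GET http://www.example.org/ip.php 200
this line is garbage and must be skipped
"""

def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group("url"))
    script = url.path.rsplit("/", 1)[-1].lower()   # last path component, e.g. "ip.php"
    return {"ts": m.group("ts"), "client": m.group("client"),
            "host": url.hostname or "", "script": script, "query": url.query}

def find_kraken_checkins(log_text: str, min_endpoints: int = 3) -> list:
    """Group Kraken-style script hits by (client, host); report groups that reach
    min_endpoints distinct scripts. A single ip.php is too generic to alert on alone."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["script"] in KRAKEN_ENDPOINTS:
            seen[(rec["client"], rec["host"])].add(rec["script"])
    return sorted((client, host, sorted(scripts))
                  for (client, host), scripts in seen.items()
                  if len(scripts) >= min_endpoints)

if __name__ == "__main__":
    for client, host, scripts in find_kraken_checkins(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(scripts)}")
```

The threshold is the whole point: `ip.php` and `get.php` exist on plenty of legitimate sites, so the detection keys on the cluster of script names against one host from one client, which is the pattern the two-requests-where-one-would-do design produces. Tightening it further (requiring the `ip=` parameter on country.php, or a maximum time span) is a one-line change in `find_kraken_checkins`.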
For now I'll leave you with this from Kraken's advert: "Kraken use some very well know process name trusted in Windows". smss.exe is routinely used in Windows malware; it's like me saying that naming my executable firefox.exe is trusted in Windows because it's a well-known browser. Until part 2.
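The flip side of "a trusted process name" is that the trusted names only ever run from one place, so the name becomes a liability for the malware the moment a defender checks the image path. The following is an added example, not code from the post: it takes a process listing (PID and full image path) and flags any core Windows process name running from outside the Windows directory, which is exactly how the Application Data\System\Oracle copy of smss.exe described above stands out. The process list is constructed for the example; the set of core names is a deliberately minimal assumption rather than a complete inventory.

```python
import ntpath   # Windows path semantics, available on every platform

# Core Windows process names that legitimately run only from the Windows directory.
# smss.exe is the one Kraken borrows; the rest are a short, assumed starting list.
CORE_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
              "lsass.exe", "services.exe", "svchost.exe"}

def is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path lives inside root' test that does not confuse C:\\WINDOWS2."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(root))
    return path == root or path.startswith(root.rstrip("\\") + "\\")

def flag_masquerades(processes, windows_dir=r"C:\WINDOWS") -> list:
    """Return (pid, image_path) for core-named processes outside the Windows directory."""
    flagged = []
    for pid, image_path in processes:
        name = ntpath.basename(image_path).lower()
        if name in CORE_NAMES and not is_under(image_path, windows_dir):
            flagged.append((pid, image_path))
    return flagged

# Constructed process listing, XP-style paths to match the analysis environment.
SAMPLE_PROCESSES = [
    (4, r"C:\WINDOWS\system32\smss.exe"),                                  # real Session Manager
    (1337, r"C:\Documents and Settings\user\Application Data\System\Oracle\smss.exe"),  # Kraken's copy
    (2001, r"C:\Program Files\Mozilla Firefox\firefox.exe"),               # ordinary application
    (2002, r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),  # same trick, other name
]

if __name__ == "__main__":
    for pid, path in flag_masquerades(SAMPLE_PROCESSES):
        print(f"PID {pid}: core process name outside Windows dir -> {path}")
```

On a live host the same check is fed from whatever gives you image paths (Process Explorer, Sysmon event 1, an EDR process inventory); the point is that the rule is about where the file lives, not what it is called, so renaming the dropper changes nothing.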