KrakenHTTP – Not Sinking My Ship Part 2

February 20, 2015

Well, well, well, it seems this has got some attention from various people on the internet. Interesting to see who my readers are and how fast information gets passed around. Anyway, it’s time for part 2. One interesting thing to note about this ring3 rootkit: if we change the window title of msconfig to anything that isn’t “msconfig”, we can still view the smss.exe entry with the value “Windows”.

[screenshot: userlolz]

Funny thing to note: if you untick smss.exe so it does not run on startup and then restart msconfig, the rootkit has no idea what’s going on and leaves it, which is pretty funny to me. Nonetheless it does have its functionality: it first checks whether msconfig or regedit is running (I’ve chosen msconfig in these examples) and closes them, then replaces them with another msconfig process, this time as a child.

[screenshot: userlolz1]

To be honest, I have been able to kill every single process that Kraken has thrown at me with Process Explorer, which it doesn’t search for, by the way. I haven’t looked extensively into every detail of Kraken, but have had no problem just stopping or suspending the processes while I check something; I guess that’s something to think about. The same goes for the Fiddler and Wireshark checks: simply change the window titles so that they do not contain the strings “fiddler”, “wireshark” or “msconfig”. You can also change your VMware path via safe mode if you do not know how to NOP the check out within the exe.

The traffic is not encrypted; it is in plaintext. Only some of the paths and variables within the program are encrypted, which is strange in my view, but nonetheless they can be picked up quite easily. One interesting feature I should point out is the domain lock system within Kraken: because the panel is ioncube-encoded, nobody has any idea why, when their mate sends them the panel, it won’t work. What you get if you’re not on the domain is quite simply a poor message.

[screenshot: wow]

Here is some code to show why it gives you this message:

[screenshot: login]

Here we see it’s checking SERVER_NAME, which in this case would be localhost. I honestly can’t see a difference between DNS and DNS2, but both are checked; if they equal SERVER_NAME then we are good to head to the login part of the PHP script. A good hack around this is simply to edit your hosts file and view the panel from the domain, which is what I did. Funnily enough, it seemed like ioncube was obfuscating too much and the PDO functions weren’t working correctly. Fortunately I retrieved another panel from another server and this one was working, but this time the lock was an IP. I literally lost my shit when I read this; I had totally forgotten about this feature and it works like a charm for IPs (IPs won’t redirect in your hosts file).

http://serverfault.com/questions/171850/redirect-request-to-an-external-ip-to-localhost-emulate-a-server
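To make the domain lock concrete, here is an added example (my own model, not Kraken’s code) of the check the screenshot shows and of why a hosts-file edit gets past it. It assumes the lock passes when SERVER_NAME equals either of two configured names (stand-ins for DNS and DNS2), and that the web server fills SERVER_NAME from the client’s Host header, which is Apache’s behaviour with UseCanonicalName off. The hosts-file text and the panel.example.invalid name are constructed for the example.

```python
# Added example (not Kraken's code): a model of the SERVER_NAME domain lock
# and of why a hosts-file edit gets past it.
# Assumptions: the lock allows the request if SERVER_NAME equals either of two
# configured names (DNS / DNS2), and the web server fills SERVER_NAME from the
# client's Host header (Apache's behaviour with UseCanonicalName off).
import ipaddress
from typing import Mapping, Optional

# Constructed stand-ins for the panel's DNS and DNS2 values.
DNS = "panel.example.invalid"
DNS2 = "www.panel.example.invalid"


def server_name(headers: Mapping[str, str], canonical_name: Optional[str] = None) -> str:
    """Model how SERVER_NAME is populated for one request."""
    if canonical_name:                      # UseCanonicalName on: fixed ServerName
        return canonical_name.lower()
    host = headers.get("Host", "")          # otherwise: whatever the client sent
    if host.startswith("["):                # bracketed IPv6 literal, drop the port
        return host.split("]", 1)[0][1:].lower()
    return host.split(":", 1)[0].lower()    # drop a ":port" suffix


def domain_lock_allows(headers: Mapping[str, str], canonical_name: Optional[str] = None) -> bool:
    """True when the request reaches the login code, False for the 'poor message'."""
    name = server_name(headers, canonical_name)
    return name in (DNS.lower(), DNS2.lower())


def resolve_with_hosts_file(hosts_text: str, name: str) -> Optional[str]:
    """Client-side name resolution against a hosts file (constructed text below).

    Returns the address a hostname maps to, the literal itself for an IP address
    (a hosts file cannot redirect an IP literal), or None if the name is unknown.
    """
    try:
        return str(ipaddress.ip_address(name))   # IP literal: no lookup happens
    except ValueError:
        pass
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            return addr
    return None


def build_request(hosts_text: str, url_host: str) -> dict:
    """What the client actually puts on the wire for http://<url_host>/login.php.

    The TCP connection goes to the resolved address, but the Host header carries
    the name as typed in the URL; the two are independent, which is the whole trick.
    """
    return {"connect_to": resolve_with_hosts_file(hosts_text, url_host),
            "headers": {"Host": url_host}}


# Constructed hosts file pointing the locked name at the analyst's own machine.
HOSTS = "127.0.0.1 localhost\n127.0.0.1 panel.example.invalid # analysis box\n"

if __name__ == "__main__":
    by_name = build_request(HOSTS, "panel.example.invalid")
    by_ip = build_request(HOSTS, "127.0.0.1")
    print(by_name["connect_to"], domain_lock_allows(by_name["headers"]))  # 127.0.0.1 True
    print(by_ip["connect_to"], domain_lock_allows(by_ip["headers"]))      # 127.0.0.1 False
```

Both requests land on the same local socket; only the Host header differs, and that header is chosen by the client. A name comparison like this is a licensing nuisance, not a security boundary, and the IP-locked variant fails for the opposite reason: an IP literal never goes through the hosts file, so it has to be redirected at the network layer (the serverfault thread linked above).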

Here’s a video demonstration of Kraken sending plaintext. I basically ripped out the idcontact code and waited for these $_GET variables; as expected, plaintext arrived.

Another interesting thing about Kraken is that it gives a full path disclosure for some reason, and with no authentication. For whatever reason, you can simply visit info.php and view the full path of the server.

[screenshot: fullpath]

It’s always good to know the full path of a server. If you want to add a shell later you will most likely need to know this, so thanks Kraken. Another fatal mistake, which I hope has been fixed, as I may have an outdated panel: the login details within the database seem to be held in plaintext as well; the password is not hashed whatsoever.

[screenshot: sql]
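For contrast with that table, here is an added example (mine, not the panel’s code) of the plaintext check the screenshot implies beside the salted, iterated hash a panel should store instead. It models the users table as a dict and uses PBKDF2-HMAC-SHA256 from the standard library; the “admin”/“hunter2” row is constructed for the example.

```python
# Added example (not Kraken's code): the plaintext credential check the
# screenshot implies, beside the salted, iterated hash a panel should store.
# Assumptions: a users table modelled as a dict; PBKDF2-HMAC-SHA256 from the
# standard library as the password hash (Argon2 or bcrypt are also fine).
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000          # slows offline guessing of a leaked table
ALGO = "pbkdf2_sha256"


def plaintext_login_ok(users: dict, username: str, password: str) -> bool:
    """The weak form: the row holds the password itself, so a dump of the
    table hands every login (and every reused password) to whoever reads it."""
    row = users.get(username)
    return row is not None and row["password"] == password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: algo$iterations$salt$digest (base64 fields)."""
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGO,
                     str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False                       # malformed or plaintext record: never match
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


DUMMY_HASH = hash_password("dummy")        # used so unknown users cost the same time


def hashed_login_ok(users: dict, username: str, password: str) -> bool:
    """The hardened form: the row holds only the hash string."""
    row = users.get(username)
    stored = row["password"] if row else DUMMY_HASH
    return verify_password(password, stored) and row is not None


def migrate_plaintext_table(users: dict) -> dict:
    """Re-store every plaintext password as a hash (the fix the post calls for)."""
    return {u: {**row, "password": hash_password(row["password"])} for u, row in users.items()}


# Constructed sample of the plaintext table the screenshot shows.
PLAINTEXT_USERS = {"admin": {"password": "hunter2"}}

if __name__ == "__main__":
    hashed = migrate_plaintext_table(PLAINTEXT_USERS)
    print(hashed["admin"]["password"])                       # pbkdf2_sha256$600000$...
    print(hashed_login_ok(hashed, "admin", "hunter2"))       # True
    print(hashed_login_ok(hashed, "admin", "Hunter2"))       # False
```

The stored string carries its own salt and iteration count, so the work factor can be raised later without a second migration, and verify_password refuses anything that is not in that format, which means a leftover plaintext row can never authenticate by accident.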

I think that’s enough for now, I want to move on to something else.

5 Comments
February 21, 2015 @ 12:17 pm

Not to mention there’s a builder already available on TrojanForge. Ohh NoNh you… :blushes:

Reply
Kraken
February 21, 2015 @ 4:17 pm

Well, good review.
Some information is still true in the latest version.

Some information/details have been fixed some time ago, like the full path disclosure.

Anyway, I’ll go work to fix the issues about Traffic & Anti’s.
I already have some ideas in my head =)

Reply
    jack
    February 22, 2015 @ 10:15 pm

    I got 1 panel which didn’t work due to ioncube and another I scraped off some site. Maybe it was 1.2, not 1.3.

    Reply
February 21, 2015 @ 6:41 pm

I would’ve liked a rootkit analysis, to see how effective it is on x64.

Reply
    jack
    February 22, 2015 @ 10:14 pm

    Don’t normally test x64; some of the rootkit was put in the analysis.

    Reply