Well well well, it seems like this has got some attention from various people on the internet. Interesting to see who my readers are and how fast information can be passed. Anyway, it's time for part 2. One interesting thing to note about this ring3 rootkit: if we change the window title from msconfig to anything that isn't msconfig, we can still view the entry smss.exe with the value "Windows".
Another funny thing: if you untick smss.exe so that it does not run on startup and then restart msconfig, it has no idea what's going on and leaves it, which is pretty funny to me. Nonetheless it does have its functionality. It first checks whether msconfig or regedit is running (I've chosen msconfig in these examples) and closes them, then replaces them with another msconfig process, this time as a child.
To be honest, I have been able to kill every single process that Kraken has thrown at me with Process Explorer, which it doesn't search for, by the way. I haven't looked extensively into every detail of Kraken, but I have had no problem with just stopping or suspending the processes while I check something; I guess that's something to think about. The same goes for the Fiddler and Wireshark checks: simply change the window titles so that they do not contain the strings "fiddler", "wireshark" or "msconfig". You can also change your VMware path via safe mode if you do not know how to NOP out the check within the exe.
The traffic is not encrypted; it is in plaintext. Only some of the paths and variables within the program are encrypted, which is strange in my view, but nonetheless it can be picked up quite easily. One interesting feature I should point out is the domain lock system within Kraken: because the panel is ionCube encoded, nobody has any idea why, if their mate sends them the panel, it won't work. What you get if you're not on the domain is quite simply a poor message.
Here we see it checking SERVER_NAME, which in this case would be localhost. I honestly can't see a difference between DNS and DNS2, but they are both checked; if they equal SERVER_NAME then we are good to head to the login part of the PHP script. A good hack around this is simply to edit your hosts file and view it from the domain, which I did. Funnily enough, it seemed like ionCube was obfuscating too much and the PDO functions weren't working correctly. Fortunately I retrieved another panel from another server and this one was working, but this time the lock was an IP. I literally lost my shit when I read this; I had totally forgotten about this feature, and it works like a charm for IPs (IPs won't redirect in your hosts file).
Here's a video demonstration of Kraken sending plaintext. I basically ripped out the idcontact code and waited for these $_GET variables; as expected, plaintext arrived.
Another interesting thing about Kraken is that it gives a full path disclosure for some reason, with no authentication. You can simply visit info.php and view the full path of the server.
It's always good to know the full path of a server. If you want to add a shell later you will most likely need to know this. So thanks, Kraken. Another fatal mistake, which I hope has been fixed as I may have an outdated panel: the login details within the database seem to be held in plaintext as well; the password is not hashed whatsoever.
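The plaintext credential storage described above, as an added example that is not Kraken's code: the weak lookup beside a hardened login that stores bcrypt hashes and migrates leftover plaintext rows on the first successful login. The PDO connection, the `users` table and its `username`/`password` columns are assumptions.

```php
<?php
// Added example, not code from Kraken: the plaintext login pattern the post
// describes beside a hardened version. Assumes a PDO connection and a
// hypothetical `users` table with `username` and `password` columns.

// Weak: the stored value is the password itself and is compared as-is, so
// anyone who reads the database (or a backup) holds every operator's password.
function loginPlaintext(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT password FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && $row['password'] === $pass;
}

// Hardened: store only a salted bcrypt hash (PASSWORD_DEFAULT); the salt is
// embedded in the hash string, so nothing else needs to be kept.
function registerHashed(PDO $db, string $user, string $pass): void {
    $st = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $st->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function loginHashed(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT password FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still run one verify so the response time does not
        // reveal whether the username exists.
        static $dummy = null;
        $dummy ??= password_hash('no-such-user', PASSWORD_DEFAULT);
        password_verify($pass, $dummy);
        return false;
    }
    $stored = $row['password'];
    // Rows left over from the plaintext scheme carry no recognisable algorithm.
    $legacyPlaintext = empty(password_get_info($stored)['algo']);
    $ok = $legacyPlaintext ? hash_equals($stored, $pass)
                           : password_verify($pass, $stored);
    if (!$ok) {
        return false;
    }
    // Migrate on successful login: replace a plaintext or outdated hash.
    if ($legacyPlaintext || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $up->execute([password_hash($pass, PASSWORD_DEFAULT), $user]);
    }
    return true;
}
```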
I think that’s enough for now, I want to move on to something else.