NEWS FROM THE LAB - Wednesday, April 9, 2008

Kraken, Not New But Still Newsworthy?

Posted by Jusu @ 12:31 GMT

There has recently been quite a lot of fuss about a botnet of spam trojans dubbed Kraken.

There have been some claims that the botnet is the biggest currently out there, massing over 400,000 infected computers. Most vendors in the industry have been wondering about the numbers, which seem a bit bloated judging by the samples received.

Yesterday, Brian Krebs of Security Fix revealed that Damballa, the initial breaker of the Kraken story, has hijacked some of Kraken's domain names and is using the hijacked DNS resource records to count infections.

After a little bit of digging, we found one of the hostnames that Kraken uses: [censored].1dumb.com. It currently resolves to an IP address owned by the Georgia Institute of Technology, which is where Damballa resides.

We first saw earlier variants of this particular malware around the summer of 2006, so it's not exactly breaking news. It's possible that the statistics collected from this DNS trap include old, now dysfunctional variants, thus bloating the number of "new" Kraken infections.

There are many detection names for "Kraken": Oderoor, Bobax, Agent, and many more. We believe that there is a single group of people behind Kraken, updating their malware as time goes by. It's not new; it's just a new generation of something older. The latest variant is detected as Trojan.Win32.Obfuscated.GY.

Updated to Add: Those interested in reading Damballa's point of view will find a link in this post's comments.