Tuesday, April 29, 2008

Kraken Botnet Infiltration

Via DVLabs Blog -

Earlier this month a number of articles surfaced on the research and disagreements with regards to the size and classification of a large bot net named Kraken. At the front line of the debate were SecureWorks and Damballa. SecureWorks claims Kraken is actually Bobax and estimates the bot net to include over 185,000 compromised systems. Damballa disagrees, stating that Kraken is an entirely new bot net with a size over twice as large as Storm. Semantics aside, no one disagrees that Kraken/Bobax is among the largest of the known bot nets, if not the largest.

Cody and I thought it would be interesting to examine Kraken with the specific goal of infiltrating the bot network. We started with a sample from Offensive Computing and, working from there, eventually concluded that we would indeed be able to infiltrate and take over increasingly larger portions of the Kraken bot net. Cody did most of the manual labor of protocol dissection, reverse engineering the encryption routines and eventually creating a fake Kraken server capable of overtaking a redirected zombie. His detailed write-up on the reverse engineering process is available under "Owning Kraken".

...

Various estimates place the overall size of the botnet to be somewhere between 185,000 and 600,000 zombies. This means that within a single week we would have been able to take over anywhere from 4% to 14% of the infected population ... and this is where we entered into a moral dilemma and ethical discussion. We have the ability to successfully redirect infected systems. We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self-spreading, uncontrollable entity. In our specific case, however, we have the ability to cease at any point. It is simply a one-to-one relationship. An infected system connects to us, we supply a simple binary to kill the target process, we never hear from the infected system again, and neither can the actual botnet owners' command-and-control servers.

Cody and I are both pro "cleansing". Dave Endler, on the other hand, is against. The arguments for cleansing are obvious; the arguments against are a little more complicated. The most interesting of the points that Dave brought up is the corner case of what happens if we accidentally crash the target system. What if that target system is responsible for someone's life support? Yes, the system is already infected with a spam-delivering zombie capable of receiving arbitrary updates from malicious actors, but at least for now it's running and carrying out the rest of its functionality. As director of DVLabs, Dave's opinion overshadows our own, so we simply sit and monitor. What are your personal thoughts on the matter?

--------------------------

The TippingPoint team brings up an interesting question.

Taking down the majority of the Kraken botnet with a rogue delete/shutdown command is a very "technically sweet" solution. However, it could have very serious consequences.

First, we don't know exactly what all of these computers are doing. As Dave pointed out, one could be controlling a life support system in a hospital. Another could be controlling some SCADA system. Another could be a server at a bank or another major corporation.

What if the command doesn't work perfectly on all the bots? What if the computer running the bot is already in an unstable condition due to massive infection? Will the computer crash or just reboot?

If the "cleansing" turns out to do physical damage in the real world, who will be responsible? TippingPoint? The people that issued the command? Or the owner of the infected computer? Who knows.

From the standpoint of TippingPoint, the idea of attempting to clean the bots sounds good but brings with it too much risk, risk that the corporation doesn't need.

It reminds me of the police pursuit question. Should police chase after a criminal if it will place innocent citizens in greater danger?

It's a grey area for sure, but I think most people would rather err on the side of caution, and not chase the everyday criminal if it will endanger the public.
