Mailbot.f (a.k.a “Kraken”) gets stealthier – Update

Over the past week, Mailbot.f (a.k.a “Kraken”) was thoroughly studied and reverse engineered by various security researchers. As mentioned in my previous blog, we focused mainly towards the network behavior of the bot and observed a few interesting things.

After the bot installs on a victim machine, it attempts to contact mx.google.com via TCP destination port 25 (SMTP) 3 times. This looks to be a network connectivity test by the bot. If this test fails, the bot does not send out any spam at a later stage. (Note that the bot does not use mx.google.com to spam). Next, the bot downloads the front page of 3 different popular web sites (mostly news sites), such as nytimes.com, cbsnews.com, news.com, cnn.com, reuters.com, msn.com, google.com, etc. We have not observed the use of these web pages in the spam sent out by this bot, however.

The bot then tries to find its peers and communicates with them. If it is an older version of the bot, it uses UDP destination port 447 to communicate with the peers, sending information such as the bot version, outgoing smtp connectivity status and other machine specific information such as hostname, operating system, uptime, language, CPU specs, memory information etc. It also communicates the current modules and their versions. The older version of the bot then downloads an update from its peers by connecting on TCP destination port 447. We have observed that this update is around 100 to 200 kbytes. The bot then updates itself.

The new version of the bot (or updated bot from the previous step) contacts its peers using UDP on random destination ports and sends similar information as in the previous step. It then connects to one of the peers to update its modules using TCP destination port 80. If the peer is available on port 80, the bot communicates using HTTP POST messages and receives the updates from its peers.

In the case when the peer is not available on TCP port 80, the bot communicates on TCP destination port 443 to download the module updates. Though it communicates using TCP port 443, the data is not SSL.

The bot then downloads other modules from its peers, such as spam template, spam payload, and mx server addresses, etc. With this information it starts sending out spam email. After sending out a batch of spam, it downloads further updates and sends out spam again.

We made the above observations after looking at a number of Mailbot.f samples. Most of these samples were either v315 or v316 (as derived from the bot client registration packet). All of the command & control (c&c) communication is encrypted and we were able to decode some of the c&c communication using the wireshark plugin referenced by mnin security blog. Since the bot can be updated, at will by the bot author, some of these observations may/can be changed at any time.

Given that the bot uses

• encrypted data
• random UDP destination ports with random size packet payloads
• legitimate HTTP protocol on TCP destination port 80
• communication on TCP destination port 443

its c&c communication is very stealthy and difficult to detect. Although the bot is currently being used to send spam email, the stealthy c&c communication and the update infrastructure already in-place can pose a greater threat if used for more devastating purposes.

Tags: Kraken, Mailbot.f