Good versus Evil? - The reverse engineering of Kraken
Earlier today I stumbled across a post by dgwebb on our Community Forums that mentioned a recent news article published by The Register, and it quite took my interest. In the article, El Reg write about a couple of software engineers who have managed to reverse engineer the executable behind one of the most prolific botnets currently out in the wild. To quote Wikipedia, "Internet bots, also known as web robots, WWW robots or simply bots, are software applications that run automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human alone." Whilst this description might sound fairly innocent, it's a sad fact that botnets are also used by spammers, Internet criminals and other such miscreants as a catalyst with which to conduct fraudulent, malicious or morally questionable activities.
The botnet referred to in The Register article is the notorious 'Kraken'. This has been touted in the media as "the biggest botnet ever. It allegedly comprises of over 400,000 infected machines, which is more than twice the size of Storm" - Storm having previously been thought to be the largest zombie network. Even so, botnets are nothing new, and it's not the size of this particular threat that intrigues me. What does interest me is the reverse engineering of this particular nasty by the two software engineers I mentioned at the beginning of this article.

Pedram Amini and Cody Pierce, of security provider TippingPoint, took apart the executable file behind the Kraken bot and, with the information they acquired, built a fake server (a sinkhole) that would receive the connections infected machines were trying to make to their controllers. They monitored Kraken connections for a period of one week and in that time received over 1.8 million requests from infected systems worldwide. Of these requests, over 65,000 came from unique IP addresses. You can see a list of these IP addresses here.

You might at this point be questioning the relevance of this, but here comes the interesting bit. Amini writes on the TippingPoint DVLabs blog, "We have the ability to successfully redirect infected systems. We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie. Is it wrong to do so?" So what he's saying is that this particular security vendor has it within their power to actually 'cure' many of these infected machines now that they have been identified. They even link to a technical demonstration of this capability, which can be seen here. The whole thing raises a number of interesting questions about the ethical and moral implications of carrying out such 'cleansing'. After all, such actions would most likely happen without the machine owner's knowledge, so does this in itself make it wrong?
What if, in doing so, the proprietors were to inadvertently take someone's machine down? What if it were to cause unintentional damage? Could there really be 100% safeguards against such a thing, and even if there weren't, should it matter given the damage an infected machine can do? What if the operation of the infected machine were in some way critical to the owner? Would you as an individual want somebody tampering with your computer, even if it was for an honest cause? All interesting questions, I thought, and certainly food for thought. Some readers might also be interested to know that we located a handful of our own customers in the list of IP addresses identified by Amini and co. We've since contacted those customers to let them know.

Bob Pullen.