M86 Security Labs

Bobax


March 20, 2009

Aliases

  • Kraken
  • Oderoor
  • Hacktool.spammer

Comments

Bobax, or Kraken, generated a lot of media attention in 2008, although in fact it has been around performing its spamming for at least two years, probably a lot longer. It has been responsible for a significant amount of spam, as much as 5-10% during the latter half of 2008.  It also appears to have attracted a lot of attention by researchers, and its control servers were disrupted in late 2008.  We still see sporadic activity, but it now appears Bobax is a shadow of its former self.

Features

  • Reports to control server on UDP port 447
  • Uses dynamic domain name providers such as dyndns.com for domains
  • Performs DNS MX lookups to send spam
  • Multiple recipients per message
  • Uses templates
  • Backdoor capabilities

Spamming Rate

  • 7200 messages per hour per bot

Command and Control


When run, Bobax checks for outbound SMTP connectivity by connecting to the following sites on port 25:

  • wanamaker.mail.atl.earthlink.net
  • hotmail.com
  • msn.com

To connect to its control server, Bobax uses a complex algorithm to generate a pseudo-random domain name. It generates a random string of 6 to 12 characters and then appends one of the following domain suffixes to it:

  • mooo.com
  • dynserv.com
  • yi.org
  • dyndns.org

Examples of generated domain names:

  • agdwgsptbxo.mooo.com
  • tjgpkyvtob.dynserv.com
  • tljzib.yi.org
  • mvcjpjbymby.dyndns.org
  • hshfmrobfjr.dynserv.com


If the DNS query fails, Bobax appends the domain name of the local network to the generated name and performs a second DNS query.

Examples (assuming the local domain name is localhost.net):

  • agdwgsptbxo.mooo.com.localhost.net
  • tjgpkyvtob.dynserv.com.localhost.net
  • tljzib.yi.org.localhost.net
  • mvcjpjbymby.dyndns.org.localhost.net
  • hshfmrobfjr.dynserv.com.localhost.net

It then sends a UDP packet to port 447 (although we have seen samples that do not use port 447).
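As an added detection example (not part of the original M86 report), the following Python scan runs over constructed resolver log lines and flags clients that repeatedly look up names fitting the pattern described above, including the local-suffix fallback; the "timestamp client qname rcode" log layout and the client addresses are assumptions.

```python
import re
from collections import defaultdict

# Suffixes the report says Bobax appends to its 6-12 letter random label.
BOBAX_SUFFIXES = ("mooo.com", "dynserv.com", "yi.org", "dyndns.org")

# <6-12 lowercase letters>.<suffix>, optionally followed by the local DNS suffix Bobax adds on failure.
BOBAX_NAME_RE = re.compile(
    r"^(?P<label>[a-z]{6,12})\.(?P<suffix>"
    + "|".join(re.escape(s) for s in BOBAX_SUFFIXES)
    + r")(?P<local>\.[a-z0-9.-]+)?\.?$"
)

# Constructed resolver log, "timestamp client qname rcode" per line (an assumed
# layout, not a real log format). 10.0.0.22 is a benign host with a real dyndns name.
SAMPLE_LOG = """\
2009-03-20T10:00:01 10.0.0.15 agdwgsptbxo.mooo.com NXDOMAIN
2009-03-20T10:00:01 10.0.0.15 agdwgsptbxo.mooo.com.localhost.net NXDOMAIN
2009-03-20T10:00:02 10.0.0.15 tjgpkyvtob.dynserv.com NXDOMAIN
2009-03-20T10:00:03 10.0.0.15 tljzib.yi.org NXDOMAIN
2009-03-20T10:00:04 10.0.0.15 mvcjpjbymby.dyndns.org NOERROR
2009-03-20T10:00:05 10.0.0.22 www.example.com NOERROR
2009-03-20T10:00:06 10.0.0.22 myhome.dyndns.org NOERROR
"""

def classify_query(qname):
    """Return (label, suffix, local_suffix) when qname fits the Bobax pattern, else None."""
    m = BOBAX_NAME_RE.match(qname.lower())
    return (m.group("label"), m.group("suffix"), m.group("local")) if m else None

def scan_dns_log(text, min_labels=3):
    """Per client: distinct Bobax-pattern labels, NXDOMAIN count and any name that resolved.
    Reports clients with >= min_labels labels; one 6-12 letter dyndns name is normal traffic."""
    stats = defaultdict(lambda: {"labels": set(), "nxdomain": 0, "resolved": None})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        hit = classify_query(qname)
        if hit is None:
            continue
        entry = stats[client]
        entry["labels"].add(hit[0])
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        elif rcode == "NOERROR":
            entry["resolved"] = qname  # the name that answered: candidate control server
    return {c: {**e, "labels": sorted(e["labels"])}
            for c, e in stats.items() if len(e["labels"]) >= min_labels}
```

The threshold matters because a legitimate dynamic-DNS hostname of 6 to 12 letters matches the same pattern; the signal is one host cycling through many such names with NXDOMAIN answers before one resolves.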

Bobax continually regenerates domain names until it finds the command and control server; once successful, it sends an HTTP request that looks like this:


Malware Behavior on Host

Bobax drops a copy of itself using the filename format below:

  • %SystemRoot%\system32\<10-12 random letters>.exe (e.g. C:\WINDOWS\system32\cusajufou.exe)

(where %SystemRoot% is the Windows installation folder, typically "c:\windows")

The dropped file is executed by the main component, which then exits its own process.

Depending on the variant, it creates one of the following mutexes to ensure that only one instance of itself is running:

  • "672231679"
  • "672231680"
  • "672231681"
  • "672231682"

The following registry entries are created so that the malware executes automatically at Windows startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • "<random letters>" = %SystemRoot%\system32\<10-12 random letters>.exe (malware path)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • "<random letters>" = %SystemRoot%\system32\<10-12 random letters>.exe (malware path)

The malware also registers itself as a service using one of the following service display names, chosen at random:

  • Electronic Arts Licensing Service
  • DQLWinService
  • Creative Labs Licensing
  • BT Modem Lock
  • Backbone Service
  • BlueSoleilCS
  • Axon Service
  • Aventail VPN Client
  • Ati HotKey
  • Amazon Unbox Video Service
  • Advanced Networking Service
  • ActiveSMART Service
  • Compaq DMI Web Agent
  • CommServer
  • Cognos ReportNet
  • CMG Shield
  • DigiCtrl
  • Dell Printer Status Watcher
  • DeepSight Extractor Service for NP08
  • Wireless Adapter Configurator
  • LXCCCustomerConnect
  • SolidWorks Licensing Service

Bobax may also drop a second copy of itself under a random filename in the Windows system directory to ensure the malware keeps executing on the infected system.
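An added host-triage helper (written for this page, not taken from the report or from M86 tooling) that checks exported autorun entries, service display names and mutex names against the indicators listed above; the reg-query style layout and the two eleven-letter filenames are constructed stand-ins for the random names.

```python
import re
BOBAX_MUTEXES = {"672231679", "672231680", "672231681", "672231682"}  # from the report
BOBAX_SERVICE_NAMES = {  # service display names from the report
    "Electronic Arts Licensing Service", "DQLWinService", "Creative Labs Licensing",
    "BT Modem Lock", "Backbone Service", "BlueSoleilCS", "Axon Service", "Aventail VPN Client",
    "Ati HotKey", "Amazon Unbox Video Service", "Advanced Networking Service",
    "ActiveSMART Service", "Compaq DMI Web Agent", "CommServer", "Cognos ReportNet", "CMG Shield",
    "DigiCtrl", "Dell Printer Status Watcher", "DeepSight Extractor Service for NP08",
    "Wireless Adapter Configurator", "LXCCCustomerConnect", "SolidWorks Licensing Service",
}
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
# Drop path from the report, %SystemRoot%\system32\<10-12 random letters>.exe, under a value name of random letters.
DROP_PATH_RE = re.compile(r"^(?:%systemroot%|[a-z]:\\windows)\\system32\\[a-z]{10,12}\.exe$", re.I)
VALUE_NAME_RE = re.compile(r"^[a-z]+$", re.I)

# Constructed 'reg query'-style output (not from a real host); the eleven-letter names are
# made-up stand-ins for the random filenames and ctfmon is a benign entry.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    qkzlpvmtwea    REG_SZ    C:\WINDOWS\system32\qkzlpvmtwea.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    hxwrqnvbtds    REG_SZ    %SystemRoot%\system32\hxwrqnvbtds.exe
"""

def parse_reg_export(text):
    """Yield (key, value_name, data); key headers start in column 0, values are indented."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if key and len(parts) == 3:
            yield key, parts[0], parts[2]

def suspicious_autoruns(text):
    """Autorun values whose name is bare letters and whose data is a 10-12 letter system32 exe."""
    return [(k, n, d) for k, n, d in parse_reg_export(text)
            if k in AUTORUN_KEYS and VALUE_NAME_RE.match(n) and DROP_PATH_RE.match(d)]

def matching_indicators(service_display_names, mutex_names):
    """Known Bobax service display names and mutex names seen on the host."""
    return (sorted(set(service_display_names) & BOBAX_SERVICE_NAMES),
            sorted(set(mutex_names) & BOBAX_MUTEXES))
```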

The following information is gathered by Bobax as part of a backdoor routine and sent back to the control server:

  • User Info
  • Windows Version
  • Processor Info
  • Hostname
  • Upspeed
  • Countrycode
  • Language
  • AV scanners
  • Memory Usage
  • CPU Uptime
  • Internet Bandwidth

Bobax also contains an email harvesting function that collects email addresses found under "c:\Documents and Settings". Files with the following extensions are searched for potential target email addresses:

  • csv
  • txt
  • wab
  • c
  • asm
  • cpp
  • inc
  • nfo
  • info
  • h
  • wpd
  • sxw
  • xml
  • jtd
  • hwp
  • wps
  • dif
  • dbf
  • sdc
  • slk
  • wk1
  • wks
  • 123
  • eps
  • ps
  • ott
  • rtf
  • sdw
  • php
  • doc
  • pdf
  • htm
  • html
  • tmp
  • sys
  • chm

The malware then receives a spamming template from its server to send on to its targets.

Bobax also attempts to fetch content from the following news websites and may use it as part of its email body:

  • http://www.news.com/
  • http://www.msn.com/
  • http://www.nytimes.com/
  • http://www.cbsnews.com/
  • http://www.latimes.com/
  • http://www.reuters.com/
  • http://edition.cnn.com/


Last Reviewed: July 23, 2009 by Rodel Mendrez