Kraken bot produces bogus email headers on the fly

A new variant of the Kraken bot uses a word generator to produce bogus email headers and random URLs on the fly, in an attempt to evade host intrusion prevention technologies, according to security vendor PC Tools.

Also known as Bobax, the malware poses a considerable threat in its new form, said PC Tools, warning that the Kraken bot is now capable of dynamically constructing words with properly matched vowels and consonants rather than drawing on a fixed list.

“Essentially what we are looking at is an artificial English word generator, which follows common English grammar rules and produces words of similar appearance to those in the English language,” said Sergei Shevchenko, senior malware researcher at PC Tools.

“It is these new techniques employed by the new Kraken variant that make it a significant threat,” he added.

Australia and New Zealand have seen infections in the last 24 hours, PC Tools warned, as have several other countries around the world, including Thailand, the US, the UK and Lebanon.

According to PC Tools, the bot builds each name from a list of 33 common English nouns, verbs and adjectives, appends an adverb or noun suffix such as -able, -dom, -hood, -ment, -ship, -ly or -ency, and then attaches one of a set of domain suffixes, for example dyndns.org, yi.org, mooo.com, dynserv.com, com, cc or net.

“The random word generator is possibly designed to evade spam filters and algorithms that have the ability to distinguish the randomness,” Shevchenko said. “[However], if a rule or algorithm cannot be built to distinguish such a word then it cannot be detected or blocked.”
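To make the two preceding points concrete (the name-construction scheme and the question of whether a rule can distinguish such names), the following is an added Python example written for this article; it is not Kraken's code and the article does not publish the bot's 33-word base list, so the stem generator is a constructed stand-in that alternates consonants and vowels. The suffix list and domain parents are the ones quoted above; the stem lengths, the alternation rule and the constructed sample hostnames are assumptions made for illustration.

```python
import random
import re

# Word suffixes and domain parents as listed in the article. The 33-word base
# list Kraken draws from is not given, so the stem generator below is a
# constructed stand-in, not the bot's own algorithm.
WORD_SUFFIXES = ["able", "dom", "hood", "ment", "ship", "ly", "ency"]
DOMAIN_PARENTS = ["dyndns.org", "yi.org", "mooo.com", "dynserv.com",
                  "com", "cc", "net"]

VOWELS = "aeiou"
CONSONANTS = "bcdfghjklmnprstvwz"


def make_stem(rng, length):
    """Assumed scheme: alternate consonants and vowels so the stem reads as a
    plausible English word. The article only says vowels and consonants are
    'properly matched'; strict alternation is a simplification made here."""
    vowel_first = rng.random() < 0.3
    letters = []
    for i in range(length):
        use_vowel = (i % 2 == 0) == vowel_first
        letters.append(rng.choice(VOWELS if use_vowel else CONSONANTS))
    return "".join(letters)


def make_hostname(rng):
    """stem + English suffix + '.' + one of the listed parent domains."""
    stem = make_stem(rng, rng.randint(4, 8))  # lengths are an assumption
    return "%s%s.%s" % (stem, rng.choice(WORD_SUFFIXES),
                        rng.choice(DOMAIN_PARENTS))


def generate(seed, count):
    """Deterministic batch of candidate hostnames (seeded for repeatability)."""
    rng = random.Random(seed)
    return [make_hostname(rng) for _ in range(count)]


# --- detection side -------------------------------------------------------

# Longest parents first so 'mooo.com' is tried before 'com'.
_PARENTS = "|".join(re.escape(p) for p in
                    sorted(DOMAIN_PARENTS, key=len, reverse=True))
_SUFFIXES = "|".join(WORD_SUFFIXES)
# Exactly one label, ending in a listed suffix, directly under a listed parent.
PATTERN = re.compile(r"^(?P<stem>[a-z]{3,})(?P<suffix>%s)\.(?P<parent>%s)$"
                     % (_SUFFIXES, _PARENTS))


def alternates(stem):
    """True when no two adjacent letters are both vowels or both consonants."""
    return all((a in VOWELS) != (b in VOWELS) for a, b in zip(stem, stem[1:]))


def looks_generated(hostname):
    """Heuristic: listed parent + listed suffix + alternating stem."""
    m = PATTERN.fullmatch(hostname.strip().lower())
    return bool(m) and alternates(m.group("stem"))


def triage(hostnames):
    """Return the subset of hostnames that match the generator's shape."""
    return [h for h in hostnames if looks_generated(h)]


# Constructed legitimate-looking names for comparison; none should be flagged.
LEGIT_SAMPLES = ["mail.google.com", "kingdom.com", "freedom.net", "hardship.com"]

if __name__ == "__main__":
    sample = generate(7, 5)
    print("generated:", sample)
    print("flagged:", triage(sample + LEGIT_SAMPLES))
```

The point of the detection half is that pronounceability alone does not help a filter; what a rule can still key on is the combination of a listed dynamic DNS parent, a single label, and a stem-plus-suffix shape. Real words such as "wisdom" under one of those parents would also match, so a hit from this pattern is a triage signal to be joined with other evidence (sender reputation, volume, the rest of the message), not a verdict on its own.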

Earlier in the month, the size of the Kraken botnet was disputed by security vendors F-Secure and Damballa after Damballa claimed the botnet was twice as big as the Storm worm, triggering a war of words between the two.