Thursday, May 08, 2008

Kraken worm dissected

Kraken was recently believed to be twice as big as the infamous Storm worm. There are debates about its estimated size, but it would need an army of at least several hundred thousand zombies to take up such big headlines.

I blogged about Storm worm being a hot research topic not very long ago. It found its way into some of the most prestigious conferences, NSDI for example. As revealed there, Storm's army of zombies is organized into a structured P2P overlay, namely Kademlia. Control can be initiated from any bot in the network and, more importantly, such a structure enables the bot-net to scale seamlessly.

Now, not long after taking over the headlines from Storm, Kraken (I really struggle to stay constantly aware of not typing this name as Karen!) was hacked. A more general, statistical analysis is presented here, while all the ugly details are hidden elsewhere. In summary, Kraken works as follows:
  • The bot-net relies on dynamic DNS. Essentially, the DNS server allows DNS records to point to dynamic IP addresses, meaning that users can change a record to point to a totally different host as frequently as every 5 to 10 minutes. The bot-net owner, whoever he is, further depends on free DDNS providers, from whom he acquires a large number of DDNS records. As far as I know (and have read), there is no evidence suggesting that he can have an arbitrary number of such records.
  • Once downloaded and run, the Kraken worm resolves a random DDNS record and contacts the zombie that record points to. The random seed is hard-coded into the binary. What the worm downloads from the remote zombie could be another binary, or just commands to perform some illegitimate activity. Remember that the DDNS record is changed frequently, and the worm can also download an update that generates a new set of DDNS records. In other words, it is almost impossible to trace down the one who masterminds the whole bot-net.
One crucial component of this bot-net is the DDNS provider. Unless the zombies run some sort of DNS server themselves, in my humble opinion, this bot-net is not in Storm's league as far as the system's scalability is concerned. In particular, the DDNS provider presents a single point of failure. Had the bot-net reached a critical point and the damage caused been substantial, the DDNS provider would be forced to shut down, even if he were living in China.
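The same dependence on free DDNS providers that makes the provider a single point of failure also gives a defender something to look for in resolver logs: a host that keeps resolving names under free dynamic-DNS zones whose answers flip every few minutes. The script below is an added example, not code from the original post or from the research group that analysed Kraken. It assumes a simple four-column resolver log, uses placeholder provider zones (`.dyn.example`, `.ddns.example`) rather than any real provider, and works over constructed sample lines; the 10-minute churn threshold is taken from the "5 to 10 minutes" figure above.

```python
"""Flag hosts whose DNS activity matches the rendezvous pattern described
above: repeated lookups of names under free dynamic-DNS providers whose
answers change every few minutes.

Added example, not code from the original post. The log format, the
provider suffixes and the thresholds are assumptions; the log lines
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical free-DDNS provider zones (placeholders, not real providers).
DDNS_SUFFIXES = (".dyn.example", ".ddns.example")

# Constructed resolver log: "<ISO timestamp> <client> <qname> <answer>".
# 10.0.0.21 looks up three DDNS names whose answers flip within ~5 min;
# 10.0.0.7 looks up one DDNS name (a home camera) with a stable answer.
SAMPLE_LOG = """\
2008-05-08T10:00:02 10.0.0.7 www.intranet.example 192.0.2.10
2008-05-08T10:00:05 10.0.0.21 host1234.dyn.example 198.51.100.4
2008-05-08T10:05:10 10.0.0.21 host1234.dyn.example 198.51.100.77
2008-05-08T10:06:00 10.0.0.21 node98.ddns.example 203.0.113.9
2008-05-08T10:11:30 10.0.0.21 node98.ddns.example 203.0.113.60
2008-05-08T10:12:00 10.0.0.21 box4421.dyn.example 198.51.100.4
2008-05-08T10:30:00 10.0.0.7 mycam.dyn.example 203.0.113.5
2008-05-08T16:30:00 10.0.0.7 mycam.dyn.example 203.0.113.5
"""


def parse(log_text):
    """Turn log lines into (timestamp, client, qname, answer) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the run
        ts = datetime.fromisoformat(parts[0])
        events.append((ts, parts[1], parts[2].lower(), parts[3]))
    return events


def is_ddns_name(qname):
    """True if the queried name sits under one of the DDNS provider zones."""
    return qname.endswith(DDNS_SUFFIXES)


def summarize(events):
    """Per client: number of distinct DDNS names and the fastest observed
    change of answer for any of those names (None if no change was seen)."""
    per_client = defaultdict(lambda: defaultdict(list))
    for ts, client, qname, answer in events:
        if is_ddns_name(qname):
            per_client[client][qname].append((ts, answer))
    summary = {}
    for client, names in per_client.items():
        fastest = None
        for observations in names.values():
            observations.sort()  # chronological order per name
            for (t0, a0), (t1, a1) in zip(observations, observations[1:]):
                if a0 != a1:
                    gap = t1 - t0
                    if fastest is None or gap < fastest:
                        fastest = gap
        summary[client] = {"ddns_names": len(names), "fastest_flip": fastest}
    return summary


def flag_clients(log_text, min_names=2, max_flip=timedelta(minutes=10)):
    """Clients that resolved at least min_names DDNS names and saw at least
    one answer change within max_flip. Thresholds are assumptions."""
    flagged = []
    for client, s in summarize(parse(log_text)).items():
        churn = s["fastest_flip"] is not None and s["fastest_flip"] <= max_flip
        if s["ddns_names"] >= min_names and churn:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client in flag_clients(SAMPLE_LOG):
        print("suspicious DDNS rendezvous pattern:", client)
```

Because the worm's DDNS names come from a hard-coded seed, the exact names cannot be enumerated from a log alone, so the check keys on behaviour (several provider-zone names per host plus rapid answer churn) rather than on a name list. A single stable DDNS name, as for the camera host here, does not trip it; a flagged host is a lead to investigate, not a verdict.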

On a non-technical note, the research group that hacked Kraken put forward a so-called social dilemma. Basically, they successfully infiltrated the bot-net and claimed to have control of a substantial number of zombies in it. They could either shut them all down together and potentially collapse the entire bot-net, or just sit back, relax and enjoy. At first thought, there seems to be only one rational answer: shut them down. The argument against it, as stated on the website, is that doing so may be life-threatening, especially for zombies that also run some sort of life-support software in a hospital. Well, this is far from convincing, but I can imagine how they could get into trouble if they now just went and shut down thousands of bots all at once:
  • It seems to be illegal to tamper with (let alone control) a stranger's machine without his or her consent. After all, it is the same as breaking into someone's house and nicking his stuff. I believe that before using antivirus software, you must have clicked Yes/I Agree on some obscure document/agreement, which should contain a statement saying that you agree to the software deleting files on your PC.
  • That being said, if they did it without letting the user know, there would probably be no consequences at all, since the user doesn't even know that his PC is a zombie in the first place. However, now that they have published the dilemma on the website, the whole world is informed. A wise move now would be to get the user's consent first, before doing anything. For example, have a pop-up or send emails saying that their machines are infected, then show them where to delete the file. But hang on a minute: many people have bumped into such pop-ups and emails before, and following the instructions surely caused them nothing but trouble. Indeed, spam filters are smart enough to put those emails straight into the Spam folder.
Anyhow, if I were them, I would wait before doing anything. But while waiting, try to see if there is a way to efficiently knock down the entire bot-net, to its root. It would also be nice to catch the one behind this whole thing; it seems no longer impossible, since they are now in control of many insiders. Use them.
