[Decorative element] [Decorative element] [Decorative element]
Dynamic Network Services, corporate web site.

The Dynamic Discourse

Kraken and DynDNS

By Brad Goodwin, 8 days ago

We at DNS Inc. are committed to security, especially when it comes to the use of our services for illegal activities. Our White Hat reputation has been earned by proactively policing and cleaning our system and quickly responding to operators who report issues – law enforcement agencies locally, nationally, and internationally. We perform workshops for LEOs about how to better identify and recognize nefarious activities and we participate in various operator and security groups, forums, and lists – many of them private to the public.

Damballa, a security company which claims to protect “businesses from targeted attacks used for organized, online crime,” recently posted a research paper (PDF) regarding a “spamming botnet” called ‘Kraken’ which they claim to have “400,000 distinct victims observed daily”

In a related announcement, Damballa claims that hundreds of DynDNS hosts are being used by this botnet (PDF).

The Damballa list was a surprise to us and we diligently researched the hosts listed in this paper and found that none of them actually exist in our system. We want to assure everyone that we have researched these claims and found no DynDNS hosts are being used in conjunction with this supposed ‘botnet’.

Others have said…

We encourage lively and constructive discussion on any of the opinions expressed on our blog. You can read what others have said and share your own thoughts.

  1. On May. 02, Paul Royal said:

    I think you could be more rigorous. Even if the botmaster has already unregistered their domains, there’s an evidence trail that everybody has already seen.

    md5 | domain | ip | virus_name | process_date —————————————————+——————————-+———————-+——————————+———————

    88a94a282417ee2a8c17bc6ee3613de9 | ggwypum.dyndns.org | 66.29.71.239 | Spam-Mailbot | 2008-01-07

    00ec1421e9e661b54ce500b5d23e8933 | smhburg.dyndns.org | 66.148.72.106 | Spam-Mailbot.gen | 2008-03-01

    0e84eaa3690795853303f726312c1430 | smhburg.dyndns.org | 66.148.72.106 | Spam-Mailbot.gen | 2008-03-03

    2c1012e89212af4cc037733abfed8103 | smhburg.dyndns.org | 66.148.72.106 | Spam-Mailbot.gen | 2008-03-04 1d51463150db06bc098fef335bc64971 | gyuzohut.dyndns.org | 64.21.181.87 | Spam-Mailbot.f | 2008-03-21 236c2514eab1f64db12e09b165cb3fa8 | rffcteo.dyndns.org | 209.160.65.66 | Spam-Mailbot.f.gen | 2008-04-13 58b61f92f1369bdd6e6065639f951d01 | ggwypum.dyndns.org | 209.160.65.66 | Spam-Mailbot.gen | 2008-04-14 6c371a38aacf6a18f1efb48086f92e8d | ggwypum.dyndns.org | 209.160.65.66 | Spam-Mailbot.gen | 2008-04-24

    (8 rows)

  2. On May. 04, Jeremy Hitchcock said:

    We looked at a database dump before you published your “research” and found less than 10% of the hosts that you mentioned. Most of them were in your account that you created and the others (a total of 4) were deleted two days after your story but through no connection to the results you published. When we actually looked into your results several days afterwards, only your hosts remained. It isn’t a factor of us not catching it quickly enough, your data is weeks, months, or based on other data provided to us, years old.

    As with any security related activity, we aggressively take things down when we detect them or when they are reported. Since your practices are based on secrecy to generate subscriptions to your “list”.

    Even those results you post here don’t exist.

  3. On May. 05, Paul Royal said:

    The hosts published were those that Kraken bot malware has been
    engineered to look up and does look up, regardless of whether they are
    registered. The hosts I provided, which you remark on by writing “Even
    those results you post here don’t exist” also contain a process_date,
    which corresponds to the date Kraken malware was processed, the host
    looked up, and the resolve IP of the host at the time of host lookup.

    Further Kraken malware analysis and the domain name corpus it looks up
    is corroborated by ThreatExpert:

    http://blog.threatexpert.com/2008/04/kraken-is-finally-cracked.html
    http://www.threatexpert.com/blog/kraken/output_list.txt
    http://www.threatexpert.com/report.aspx?uid=52accf15-a173-4f90-9482-b2634c151d87

    TippingPoint:

    http://dvlabs.tippingpoint.com/blog/2008/04/28/owning-kraken-zombies
    http://dvlabs.tippingpoint.com/pub/cpierce/kraken_hosts_ordered.txt

    and others:

    http://malwaredomains.com/?p=151

    Are these people also making things up? Why would they, or we for that
    matter? That your service was used for for a large botnet and you’ve
    decided to deny that it happened does nothing to solve the problem.
    Josh Anderson (of the afraid.org DynDNS service) has made it such that
    the *.mooo.com Kraken domains can’t be registered and Damballa has
    directed a subset of the domains to the Georgia Tech Karstnet sinkhole
    to prevent their registration. Yet, anyone can still register
    unregistered the non-blocked hosts (which include the *.dyndns.org),
    which is exactly what TippingPoint did. They write, “Armed with this
    information we registered the first of the available hosts and
    immediately began getting requests from live Kraken infections in the
    wild.” If you really think that this botnet does not exist, register
    one of the *.dyndns.org Kraken hosts on that list and see whether you
    observe a high volume of TCP/UDP 447 traffic.

    Finally, FYI, we’ve received requests from LEO to discuss Kraken and
    will be providing them with evidence (malware samples, pcaps of
    sandbox runs, etc) soon. If you’d like us to give them a different
    position than “DynDNS.org denies Kraken’s obvious use of their dynamic
    DNS services and claims it doesn’t exist,” send us an email.

  4. On May. 09, asyasat said:

    asya.sat@hotmail.com

Comment

Previous articles