
Oderoor / Kraken / Bobax

Whatever it turns out to be, we have some test signatures for it:

sids 2008103, 2008104, 2008105, 2008106, 2008107, 2008108, 2008109, 2008110

This was reported as a new botnet by Damballa, but appears to be an established one. We have samples going back to April of 2007.

The bot communicates mostly over UDP port 447, but once in a while also does a large transfer over TCP port 447. IANA reserves port 447 (TCP and UDP) for ddm-dfm, DDM Distributed File Management, which is very rarely used as far as we can tell. The signatures above rely on the assumption that even where ddm-dfm is in use, it is not used across public networks. Please let us know if that isn't true. If you do use this protocol locally, consider a pass rule or a suppression for these sids until we get better signatures.
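As an added illustration (not the Emerging Threats signatures, whose content is not reproduced here), the following Python sketch applies the same heuristic at flow level: it flags UDP port 447 traffic that crosses the boundary between local address space and the public Internet, flags large TCP port 447 transfers, and honours a per-host suppression list in place of a Snort pass or suppression rule. The HOME_NET ranges, the 64 KiB "large transfer" threshold, the record format and the sample records are all constructed assumptions, not data from the page.

```python
"""Flow-level rendition of the port 447 heuristic described above.

Added example, not Emerging Threats code. Assumptions (not from the page):
HOME_NET is RFC 1918 space, a TCP transfer of >= 64 KiB counts as "large",
and records arrive as constructed lines "proto src sport dst dport bytes".
"""
import ipaddress
from dataclasses import dataclass

HOME_NET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed
DDM_DFM_PORT = 447            # IANA ddm-dfm; the bot uses it on UDP and TCP
LARGE_TCP_BYTES = 64 * 1024   # assumed threshold for a "large transfer"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'proto src sport dst dport bytes'."""
    proto, src, sport, dst, dport, nbytes = line.split()
    return Flow(proto.lower(), src, int(sport), dst, int(dport), int(nbytes))


def is_home(ip: str) -> bool:
    """True when the address falls inside the assumed HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def classify(flow: Flow, suppressed_hosts=frozenset()):
    """Return an alert name, or None when the flow should not fire.

    Mirrors the note's reasoning: port 447 is assumed unused across public
    networks, so only flows with one local and one public endpoint count,
    and hosts that legitimately run ddm-dfm can be listed in
    suppressed_hosts (the equivalent of a pass/suppress rule).
    """
    if DDM_DFM_PORT not in (flow.sport, flow.dport):
        return None
    if flow.src in suppressed_hosts or flow.dst in suppressed_hosts:
        return None            # known local ddm-dfm user: suppressed
    if is_home(flow.src) == is_home(flow.dst):
        return None            # internal-to-internal (or public-only) traffic
    if flow.proto == "udp":
        return "possible Oderoor/Kraken UDP 447 C&C"
    if flow.proto == "tcp" and flow.nbytes >= LARGE_TCP_BYTES:
        return "possible Oderoor/Kraken large TCP 447 transfer"
    return None


# Constructed sample records, not captured traffic.
SAMPLE_LOG = """\
udp 10.1.2.3   51234 198.51.100.7 447 312
tcp 10.1.2.3   51235 198.51.100.7 447 140000
tcp 10.1.2.3   51236 198.51.100.7 447 900
udp 10.1.2.9   447   10.1.2.10    447 200
udp 10.1.2.20  447   203.0.113.5  447 200
udp 10.1.2.3   53321 8.8.8.8      53  90
"""


def scan(log_text: str, suppressed_hosts=frozenset()):
    """Run classify() over each record; return (src, dst, alert) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow, suppressed_hosts)
        if verdict:
            alerts.append((flow.src, flow.dst, verdict))
    return alerts


if __name__ == "__main__":
    for src, dst, alert in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}: {alert}")
    print("with 10.1.2.20 suppressed:",
          len(scan(SAMPLE_LOG, frozenset({"10.1.2.20"}))), "alerts")
```

On the sample records the first, second and fifth flows fire; the small TCP 447 transfer, the purely internal 447 exchange and the DNS flow do not, and listing 10.1.2.20 as a local ddm-dfm host drops the fifth. In Snort the equivalent of that list is a `suppress gen_id 1, sig_id <sid>, track by_src, ip <host>` line in threshold.conf, or a pass rule on the same ports.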

References:

http://www.incidents.org/diary.html?storyid=4256

http://isc.sans.org/diary.html?storyid=4250

http://www.darkreading.com/document.asp?doc_id=144919 (May be FUD)

http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/ (also may be FUD)

Please update and add any information at all!

-- MattJonkman - 07 Apr 2008

Topic revision: r1 - 2008-04-07 - MattJonkman