The Kraja botnet has managed to compromise 185,645 computers, the vast majority of which are located in Russia. Of the 199,513 unique IP addresses recorded from compromised computers, 87.88% are in IP address ranges assigned to Russia. The name “Kraja botnet” comes from an image located on the command and control server which was originally discovered by malwaredomainlist.com. The Kraja botnet is related to the “Shiz” malware that was recently documented by Arbor Networks. Arbor concluded that this malware is also related to the “rohimafo” family. One of the more interesting observations made by Arbor is that the “shiz” malware will attempt to null-route specific IP address ranges that include a variety of security companies such as F-SECURE, KASPERSKY, SOPHOS, SYMANTEC, MCAFEE and TREND MICRO as well as various sandbox and analysis tools.
My analysis of the command and control infrastructure reveals that between Sept 11, 2010 and Sept 27, 2010 there were 185,645 compromised computers (using 199,513 unique IP addresses) that requested one of the following PHP files on the command and control servers: knock.php, knok.php and socks.php. In addition to recording the IP addresses of the compromised machines, I was able to record what appears to be a unique ID number for each compromised computer. The vast majority of the compromised computers requested knock.php.
knock.php – sends a configuration file to the compromised machine with what appear to be alternative command and control locations as well as the “magic” URL which appears to be a monetization strategy based on pay-per-click.
knok.php – sends the name of the operating system to the control server (may determine which computers to install a socks proxy on).
socks.php – sends the SOCKS proxy port number to control server.
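The tally described above (unique IPs and unique bot IDs per endpoint, plus the share of IPs falling in Russian ranges) can be reproduced from a C&C web server's access log. The script below is an added illustration, not code from the original analysis: it assumes the combined access-log format, assumes the bot ID travels as an id= query parameter, and uses RFC 5737 documentation addresses as constructed sample traffic, with two of those blocks standing in for "Russia" in place of a real GeoIP lookup. The sample deliberately includes one bot ID checking in from two addresses, which is why the unique-IP count comes out higher than the unique-ID count, just as 199,513 IPs map to 185,645 machines in the real data.

```python
"""Added example (not from the original post): tally C&C access-log hits on the
knock.php / knok.php / socks.php endpoints.  The log format, the ?id= parameter
and the CIDR ranges below are assumptions for illustration; the sample log
lines are constructed and use RFC 5737 documentation addresses."""
import ipaddress
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format is assumed for the C&C web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints named in the analysis; every other request is treated as noise.
BOT_ENDPOINTS = ("knock.php", "knok.php", "socks.php")

# Assumed: the bot's unique ID is carried as an id= query parameter.
ID_RE = re.compile(r"[?&]id=(\d+)")

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Sep/2010:10:01:02 +0000] "GET /knock.php?id=1001 HTTP/1.1" 200 512
192.0.2.10 - - [11/Sep/2010:10:01:09 +0000] "GET /knock.php?id=1001 HTTP/1.1" 200 512
192.0.2.11 - - [11/Sep/2010:10:02:00 +0000] "GET /knok.php?id=1002&os=XP HTTP/1.1" 200 20
198.51.100.7 - - [12/Sep/2010:11:00:00 +0000] "GET /socks.php?id=1003&port=1080 HTTP/1.1" 200 2
198.51.100.7 - - [12/Sep/2010:11:00:30 +0000] "GET /knock.php?id=1003 HTTP/1.1" 200 512
203.0.113.5 - - [12/Sep/2010:11:05:00 +0000] "GET /knock.php?id=1002 HTTP/1.1" 200 512
203.0.113.9 - - [13/Sep/2010:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 4096
this line is garbage and must be skipped
"""

# Assumed "Russia" ranges purely for the demo.  A real analysis would load a
# GeoIP database or RIR allocation data instead of hard-coding networks.
RU_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Yield (ip, endpoint, bot_id) for every well-formed hit on a bot endpoint."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the run
        path = m.group("path")
        endpoint = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if endpoint not in BOT_ENDPOINTS:
            continue
        idm = ID_RE.search(path)
        yield m.group("ip"), endpoint, (idm.group(1) if idm else None)


def summarize(text, ru_ranges=RU_RANGES):
    """Return unique IPs per endpoint, overall unique IPs and bot IDs,
    and the percentage of unique IPs that fall inside ru_ranges."""
    ips_by_endpoint = defaultdict(set)
    all_ips, bot_ids = set(), set()
    for ip, endpoint, bot_id in parse_log(text):
        ips_by_endpoint[endpoint].add(ip)
        all_ips.add(ip)
        if bot_id is not None:
            bot_ids.add(bot_id)
    ru = sum(1 for ip in all_ips
             if any(ipaddress.ip_address(ip) in net for net in ru_ranges))
    return {
        "unique_ips_per_endpoint": {k: len(v) for k, v in ips_by_endpoint.items()},
        "unique_ips": len(all_ips),
        "unique_bot_ids": len(bot_ids),
        "ru_percent": round(100.0 * ru / len(all_ips), 2) if all_ips else 0.0,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Counting unique IPs and unique bot IDs separately matters: dynamic addressing and NAT mean one infected machine can appear under several IPs over two weeks, so the ID count is the better estimate of the number of victims, while the IP count is what the geographic breakdown is computed over. On the sample above the script reports four unique IPs but only three bot IDs, and 75% of the IPs in the assumed Russian ranges.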
While there was some geographic distribution, a total of 87.88 percent of the IP addresses of the compromised hosts are in ranges assigned to Russia. This is significant because Russia and the CIS are often not targeted by botnets, since most of the PPC/PPI affiliates do not pay for clicks and installs from Russian IP addresses. It is also significant because Russian law enforcement generally requires there to be Russian victims in order to proceed with investigations. In this case, Russians appear to be the target of this botnet.