Kraken Snort Signature

C&C sends UDP/447 to the victim with packet lengths varying between 66, 115, 116 and 117 bytes. There does not appear to be an obvious pattern in the payload itself.
From - http://isc.sans.org/diary.html?storyid=4256

This can be detected by a simple Snort rule, as I don't think you would have any legitimate traffic over that port (esp. UDP).

# local rules should use sid >= 1000000; SIDs below that are reserved for the official rule sets
alert udp $HOME_NET any -> $EXTERNAL_NET 447 ( msg:"Kraken is cracking"; classtype:trojan-activity; sid:1000001; rev:1; )
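To see what the rule above actually matches, and how much the packet-size observation from the ISC diary narrows it, here is an added Python mock-up of the rule logic run over constructed flow records (this is not code from the post or from Snort; HOME_NET is an assumed RFC 5737 lab range, and the reported sizes are treated as UDP payload lengths, which is what a Snort `dsize` option would test, although the diary does not say whether it counted frame or payload bytes):

```python
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed lab range, stands in for $HOME_NET
KRAKEN_PORT = 447
# Sizes reported in the ISC diary; assumed here to be UDP payload lengths.
KRAKEN_LENGTHS = {66, 115, 116, 117}

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int  # UDP payload length in bytes

def in_home_net(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET

def rule_hits(pkt: Packet, check_length: bool = False) -> bool:
    """Mirror of: alert udp $HOME_NET any -> $EXTERNAL_NET 447.
    With check_length=True it also requires one of the reported sizes,
    the equivalent of adding a dsize test to the rule."""
    if pkt.proto != "udp" or pkt.dport != KRAKEN_PORT:
        return False
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False
    return (not check_length) or pkt.length in KRAKEN_LENGTHS

# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet("udp", "192.0.2.10", 51234, "198.51.100.7", 447, 115),
    Packet("udp", "192.0.2.10", 51234, "198.51.100.7", 447, 66),
    Packet("udp", "192.0.2.11", 40000, "198.51.100.9", 447, 512),   # right port, odd size
    Packet("udp", "198.51.100.7", 447, "192.0.2.10", 51234, 115),   # inbound: outside rule direction
    Packet("tcp", "192.0.2.12", 44000, "198.51.100.7", 447, 115),   # TCP, rule only covers UDP
    Packet("udp", "192.0.2.13", 53000, "203.0.113.5", 53, 66),      # DNS-sized, wrong port
]

def count_hits(packets, check_length: bool = False) -> int:
    return sum(rule_hits(p, check_length) for p in packets)

if __name__ == "__main__":
    print("port-only rule :", count_hits(SAMPLE))        # 3
    print("port + length  :", count_hits(SAMPLE, True))  # 2
```

Note that the inbound packet never fires because the rule as written only watches $HOME_NET -> $EXTERNAL_NET; if the C&C really initiates the UDP/447 traffic, a second rule in the opposite direction would be needed to see it.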
