Stories About Botnets - Part 1

The malware threat landscape is changing very fast. New and improved malware are hitting the attack surface on a daily basis. No wonder advanced malware like to operate in stealth mode. They try to change their behaviors, shapes and patterns as much as they can do to fool their enemies. Not only do we need a signature-less technology to handle such malware, but we also need a news resource continuously talking about these emerging threats, and this is where a series of blogs on this topic comes into play.

For the first of these series, I am going to talk about four different botnets that have recently been spotted randomizing their command and control domains. I will call these generically “New Botnet” A, B, C, and D so that we can focus on the details of the morphing behaviors. All of these botnets use custom algorithms to generate/locate their CnCs. The use of random CnC domains is not a new concept. In the past, we have seen Conficker, Srizbi, and Rustock using similar techniques, but in recent days we have seen more and more botnets adopting these stealth tactics.

1. New Botnet.A

On a typical day the CnC communication of Botnet A would look like a normal browser session, but don't be fooled.


This bot can generate hundreds of random domains in a single day. Bot herders who also know the domain generation algorithm can pick a domain of their choice and register it for issuing their commands. Once the domain is expired (normally within days) they move onto the next one and so on. Alongside the detection it also makes it very difficult for the research community to shutdown this botnet.

Here is a small sample of the domains this botnet generated across the FireEye MPC network.

2. New Botnet.B

An instance of Botnet B CnC URL looks like this:


But it's not that simple. The domain name is an ever-changing part of this URL.

In the case of Botnet.A we saw that the domain names had a visible pattern, a common side effect of machine enabled reasoning. But one can see that Botnet.B is using an advanced algorithm that can generate more realistic looking and human readable domains. Most certainly the creator(s) of this algorithm are trying to bypass the trivial techniques used by some IPS claiming to detect these types of domains by exploiting their excessive use of randomization and certain character frequencies, etc.

3. New Botnet.C

Here is how the Botnet.C variant talks to its CnCs:


Auto generated domains on a typical day look like these:

4. New Botnet.D

Botnet.D communicates to random CnCs like this:


The list of generated domains for this botnet is as follows:

Newton's third law of motion says, "For every action there is always an equal and opposite reaction." This is pretty much what's happening when it comes to fighting against botnets. Increasing the use of built in domain generation algorithms can also be considered as a natural reaction to recent botnet shutdowns. It is also a good answer to popular community based domains blacklisting resources like Zeus tracker and Malware Domain List. The good news is that the bad guy’s reaction is well noticed and as Newton showed it's our turn now.