The malware threat landscape is changing very fast. New and improved malware hits the attack surface daily, so it is no wonder that advanced malware prefers to operate in stealth mode: it changes its behavior, shape and patterns as much as it can to fool its adversaries. Not only do we need signature-less technology to handle such malware, we also need a news resource that continuously covers these emerging threats, and that is where this series of blog posts comes in.
For the first post in this series, I am going to talk about four different botnets that have recently been spotted randomizing their command and control (CnC) domains. I will call them generically "New Botnet" A, B, C and D so that we can focus on the details of the morphing behavior. All of these botnets use custom algorithms to generate and locate their CnCs. Random CnC domains are not a new concept; in the past we have seen Conficker, Srizbi and Rustock use similar techniques, but recently more and more botnets have adopted these stealth tactics.
1. New Botnet.A
On a typical day the CnC communication of Botnet A would look like a normal browser session, but don't be fooled.
hxxp://sr6fsdrf6e6rf6e67er77re7er.com/guy.php
This bot can generate hundreds of random domains in a single day. The bot herders, who of course also know the domain generation algorithm, can pick a domain of their choice and register it for issuing their commands. Once the domain expires (normally within days) they move on to the next one, and so on. Besides evading detection, this also makes it very difficult for the research community to shut down the botnet.
Here is a small sample of the domains this botnet generated across the FireEye MPC network.
2. New Botnet.B
An instance of Botnet B CnC URL looks like this:
hxxp://vistomyrton.co/file.php
But it's not that simple. The domain name is an ever-changing part of this URL.
In the case of Botnet.A we saw that the domain names had a visible pattern, a common side effect of machine-generated names. Botnet.B, however, is using a more advanced algorithm that generates more realistic-looking, human-readable domains. The creator(s) of this algorithm are almost certainly trying to bypass the trivial techniques used by some IPS products that claim to detect these types of domains by keying on their excessive use of randomization, certain character frequencies, and so on.
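The kind of lexical heuristics the post says those IPS products rely on (randomness and character frequencies), run over the four CnC domains quoted in this post, as an added example that is not code from the original post or from FireEye: Botnet.A and Botnet.C trip them, while Botnet.B's pronounceable names, and as it turns out Botnet.D's short eight-letter names too, score as benign. The thresholds, the helper names and the benign comparison domains are my own assumptions.

```python
import math
from collections import Counter
# Domains taken from the CnC URLs quoted in this post (defanged hxxp:// prefix dropped).
SAMPLE_DOMAINS = {
    "Botnet.A": "sr6fsdrf6e6rf6e67er77re7er.com",
    "Botnet.B": "vistomyrton.co",
    "Botnet.C": "kemebrmewernrewroi43b3b3b3.com",
    "Botnet.D": "cuczsiim.cn",
}
BENIGN_DOMAINS = ["google.com", "wikipedia.org", "fireeye.com"]  # constructed, not from the post
VOWELS = set("aeiouy")  # y counts as a vowel for the pronounceability heuristic

def second_level_label(domain):
    # Label left of the TLD; assumes a single-label TLD such as .com, .co or .cn.
    return domain.lower().rstrip(".").rsplit(".", 1)[0].split(".")[-1]

def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def longest_consonant_run(text):
    run = best = 0
    for ch in text:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def features(domain):
    label = second_level_label(domain)
    letters = [c for c in label if c.isalpha()]
    return {
        "length": len(label),
        "digit_ratio": sum(c.isdigit() for c in label) / len(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / max(len(letters), 1),
        "consonant_run": longest_consonant_run(label),
        "entropy": shannon_entropy(label),
    }

def randomness_score(domain):
    # Number of "looks machine-generated" heuristics that fire; thresholds are illustrative.
    f = features(domain)
    return sum([f["length"] >= 16, f["digit_ratio"] >= 0.1, f["vowel_ratio"] < 0.3,
                f["consonant_run"] >= 4, f["entropy"] >= 3.5])

def looks_random(domain):
    return randomness_score(domain) >= 2

def flag_samples():
    # (score, flagged) for every sample: A and C trip the heuristics, B and D do not.
    return {name: (randomness_score(d), looks_random(d)) for name, d in SAMPLE_DOMAINS.items()}
```

Per-domain lexical features therefore miss two of the four families, which is why they are best paired with per-host counting of distinct never-before-seen or non-resolving names (the post notes that Botnet.A alone tries hundreds a day).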
3. New Botnet.C
Here is how the Botnet.C variant talks to its CnCs:
hxxp://kemebrmewernrewroi43b3b3b3.com/32/c3ii.bin
Auto-generated domains on a typical day look like these:
4. New Botnet.D
Botnet.D communicates to random CnCs like this:
hxxp://cuczsiim.cn/links.php?w=*&i=*
The list of generated domains for this botnet is as follows:
Newton's third law of motion says, "For every action there is always an equal and opposite reaction." This is pretty much what is happening in the fight against botnets. The increasing use of built-in domain generation algorithms can be seen as a natural reaction to recent botnet shutdowns. It is also an effective answer to popular community-based domain blacklisting resources like ZeuS Tracker and Malware Domain List. The good news is that the bad guys' reaction has been noticed, and, as Newton showed, it is our turn now.