Stories About Botnets - Part 1

The malware threat landscape changes very fast. New and improved malware hits the attack surface daily, and advanced malware prefers to operate in stealth mode, changing its behavior, shape and patterns as much as it can to fool its enemies. Not only do we need signature-less technology to handle such malware, we also need a resource that continuously tracks these emerging threats, and that is where this series of blog posts comes in.

For the first post in this series, I am going to talk about four different botnets that have recently been spotted randomizing their command and control (CnC) domains. I will call them generically “New Botnet” A, B, C and D so that we can focus on the morphing behavior itself. All four use custom algorithms to generate and locate their CnCs. Random CnC domains are not a new concept; in the past we have seen Conficker, Srizbi and Rustock use similar techniques, but recently more and more botnets have adopted this stealth tactic.

1. New Botnet.A

On a typical day the CnC communication of Botnet A looks like a normal browser session, but don't be fooled.

hxxp://sr6fsdrf6e6rf6e67er77re7er.com/guy.php

This bot can generate hundreds of random domains in a single day. Bot herders, who know the domain generation algorithm, can pick any upcoming domain from the list, register it and use it to issue commands. Once that domain's window has passed (normally within days) they move on to the next one, and so on. Besides evading detection, this makes it very difficult for the research community to shut the botnet down: there is no single domain to seize, and every bot already computes the next rendezvous point on its own.
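To make the rendezvous mechanism concrete, here is an added example of a date-seeded domain generation algorithm with the bot side, the herder side and the defender side written out. It is illustration only, not Botnet A's algorithm or any real family's: the seed, the SHA-256 construction, the alphabet, the label lengths and the 200-per-day count are all assumed values, and DNS is replaced by a constructed dictionary so the code runs offline.

```python
import hashlib
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Hypothetical seed shared by the bots and the bot herder. The seed, the hash
# construction and the alphabet are assumptions for illustration, not the
# algorithm of Botnet A or of any other real family.
SEED = b"example-dga-seed"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLD = ".com"
DEMO_DAY = date(2010, 4, 1)            # constructed date used by the demo
NEXT_DAY = DEMO_DAY + timedelta(days=1)


def generate_domains(day: date, count: int = 200, seed: bytes = SEED) -> List[str]:
    """Ordered list of candidate CnC domains for one calendar day.

    Every party that knows `seed` (the bots, the herder, a researcher who has
    reverse engineered a sample) derives the same list with no network traffic.
    """
    domains = []
    for index in range(count):
        material = seed + day.isoformat().encode() + str(index).encode()
        digest = hashlib.sha256(material).digest()
        length = 16 + digest[0] % 13      # labels of 16..28 characters, like the samples above
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[1:1 + length])
        domains.append(label + TLD)
    return domains


def herder_pick(day: date, index: int, count: int = 200, seed: bytes = SEED) -> str:
    """Herder side: choose one of the day's candidates and register only that one."""
    return generate_domains(day, count, seed)[index]


def bot_find_cnc(day: date, resolve: Callable[[str], Optional[str]],
                 count: int = 200, seed: bytes = SEED) -> Optional[Tuple[str, str]]:
    """Bot side: walk the day's list in order and stop at the first name that resolves.

    `resolve` stands in for a DNS lookup and returns an IP or None. Most of the
    lookups fail, and that burst of NXDOMAIN answers is itself a useful signal.
    """
    for domain in generate_domains(day, count, seed):
        ip = resolve(domain)
        if ip is not None:
            return domain, ip
    return None


def precompute_blocklist(start: date, days: int, count: int = 200, seed: bytes = SEED) -> List[str]:
    """Defender side: once the algorithm is recovered, future rendezvous points can be
    listed in advance and blocked or sinkholed before the herder registers them."""
    names = []
    for offset in range(days):
        names.extend(generate_domains(start + timedelta(days=offset), count, seed))
    return sorted(set(names))


def demo(day: date = DEMO_DAY) -> Optional[Tuple[str, str]]:
    """One day's rendezvous: the herder registers candidate #37 and the bot finds it."""
    registered = herder_pick(day, 37)
    fake_dns = {registered: "192.0.2.10"}   # constructed stand-in for DNS (TEST-NET-1 address)
    return bot_find_cnc(day, fake_dns.get)


if __name__ == "__main__":
    print("first three candidates for", DEMO_DAY, ":", generate_domains(DEMO_DAY)[:3])
    print("bot reached CnC at:", demo())
```

The point of the example is the asymmetry: the herder only has to register one name from a list that changes every day, while a blocklist built from yesterday's observed domains is already stale. The defender's only durable move is the one `precompute_blocklist` shows, recovering the algorithm and its seed from a sample so tomorrow's names can be sinkholed ahead of time.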

Here is a small sample of the domains this botnet generated, as observed across the FireEye MPC network.

narawertyopsanzaol7632.com
vvverdasentarycoolnew12233.com
ytfytty43234jbvj35.com
mum8um8y7t6r5e4w4ee45.com
sr6fsdrf6e6rf6e67er77re7er.com
jhbvyvuyvuyvuvujvuvrf6r66.com
bbgyujh6uh7l5y67567y5b7.com
tramoryvulty6319746.com
y6ged3dgf6g4f74f7g4f7g4f7g4f7g.com
gertmontald-fackystayle331177.com
vvbvndhhnhvjfhfbfhffbddj.com
dhshlwsw93893744gr4ggegbwg3wh.com
wuwowopeuryhfd7d7du4hjr4.com
ndmsnfdhfusdhe64yh5b5hr4.com
uihv87tvg8475tg847t5g84ht54htb.com
vtg875gt87435t8745t8n48yt84yt8.com
erfn5346bbbffg4d435465.com
csfsdfvdbdbbfbnmcnq8858.com
cbvnvntt474378hsddddx.com
hgfdgdyege8993j43h4h5hh65j65.com
usrgf8w8943894hfygfugyuyu54gf.com
gdh678hbehhv6ejbhedud7bnvhf.com
faraonwexopltustran44220099.com
hdgewyt374yg54g5yh4u4yey4eg4g4.com
xmmcdklsdjedururuhr543867t4785.com
hsgewyeyhedyed7ed744hrhdwjwi.com
jhgr4yt57r4e3gghr4hr4yfdy.com
bumdrambumdram-ccc56.com

2. New Botnet.B

An instance of a Botnet B CnC URL looks like this:

hxxp://vistomyrton.co/file.php

But it's not that simple: the domain name is the ever-changing part of this URL.

avansimpsyd.com
altagenesibb.com
distrubypapa.com
donionetrysc.com
espringzapp.com
galonemastek.com
hitemserep.com
microtecher.com
pentamilnet.com
resiabandba.com
burnellare.com
divinicstorr.com
inancesanlie.com
montwheade.com
bringasoleps.com
diacrafireel.com
erectuality.com
nalinquenefi.com
reneoletnzan.com
scuorictor.com
shopiarytant.com
spheadventr.com
thinnettaff.com
wightlister.com
biophisentr.com
buttancert.com
confurrowor.com
firstomanad.com
matechamiset.com
mentrustrupp.com
noidgenert.com
raceauraphar.com
upleariser.com
kaufficomed.com
hitcharchim.com
nastegiangi.com
clickettast.com
ghsmaristic.com
luwizchometh.com
holthanetts.com
defosferal.com
mindchuhive.com
netelberive.com
parampseaste.com
berenceneur.com
brerereout.com
checklollog.com
cleopseyesiv.com
coretixongr.com
potalgeshead.com
selfrestage.com
spicebrokba.com
thstericance.om
briatimerame.co
coercesessm.co
dataapptorks.co
extraftwirr.co
galinkelis.co
harrectsou.co
materworatis.co
loredmanneca.co
headlegesoft.co
matilerized.co
infinciitech.co
promerganny.co
schoominews.co
upswiftedet.co
vertlefini.co
wiseiredourt.co
arraffeynics.co
bandtophold.co
basingtalw.co
careffixeno.co
diagonstafil.co
dogcalierac.co
drivapinxte.co
emptarmini.co
fanymplydata.co
garninersay.co
gayattocred.co
intertionot.co
lordererryte.co
oderexcometr.co
parablynner.co
sproulencel.co
terborksha.co
usageotegyo.co
alvernanah.co
brandbuchem.co
cemskevise.co
cyclemiast.co
delplastig.co
devasimicred.co
emmaybossel.co
gotrancentax.co
hopedristvo.co
sitomicalth.co
rycusermask.co
alrekahanti.co
axiagearie.co
beccampentu.co
coltrandata.co
ustimcativ.com
vortiondesp.com
boninession.co
fitchootheo.co
grotherwell.co
handclonica.co
iconortheum.co
inesburystam.co
innnobjeni.co
intectrigni.co
labcenseaccu.co
interbirster.co
neurosourea.co
partsmairie.co
nextatingha.co
plationnela.co
primeresteo.co
smandlambi.co
susleyeath.co
axillertyke.co
bovingensout.co
carestaris.co
escuafoxwax.co
firmrantech.co
globellerke.co
globertesli.co
idedialify.co
kingnajerley.co
kotwardoncm.co
minessiati.co
lutizenbrows.co
pacesriksen.co
posummersher.co
samuestvera.co
specinauter.co
vistomyrton.co
diicisamboilin.co
llisamboilin.co
inestailcoma.co
kabolgopickh.co
magnexwaxia.co
mixersaperj.co
placedicarl.co
selightvote.co
diatorkswe.co
entopleywac.co
herbasellic.co
multionesto.com
oplenterrack.com
oresmaller.com

In the case of Botnet.A the domain names had a visible pattern, a common side effect of machine-generated names. Botnet.B, by contrast, uses a more advanced algorithm that produces realistic-looking, human-readable domains. Most likely its creator(s) are trying to bypass the trivial techniques used by some IPS products that claim to detect such domains by looking for excessive randomization, unusual character frequencies and similar traits.
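To show what those trivial lexical checks do and do not catch, here is an added example (not code from the original post or from any IPS product) that scores domains on three cheap features, digit ratio, vowel ratio and longest consonant run, and runs them over names taken from the lists above. The thresholds are assumed values chosen for illustration, and `y` is counted as a vowel.

```python
from typing import Dict, Iterable

VOWELS = set("aeiouy")   # y counted as a vowel; a crude but common choice for this heuristic

# Domains taken from the lists above: machine-looking Botnet A, C and D names
# next to the readable Botnet B names.
SAMPLE_DOMAINS = [
    "sr6fsdrf6e6rf6e67er77re7er.com",   # Botnet A
    "narawertyopsanzaol7632.com",       # Botnet A
    "microtecher.com",                  # Botnet B
    "checklollog.com",                  # Botnet B
    "selfrestage.com",                  # Botnet B
    "kemebrmewernrewroi43b3b3b3.com",   # Botnet C
    "ffbsdfsdbfhdsfhsdbfsdjhf.com",     # Botnet C
    "jcblzlto.cn",                      # Botnet D
    "cwqbcprz.cn",                      # Botnet D
    "hsuaajql.cn",                      # Botnet D
]


def features(domain: str) -> Dict[str, float]:
    """Cheap lexical features of the registrable label (TLD stripped)."""
    label = domain.rsplit(".", 1)[0].lower()
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in VOWELS for c in letters)
    run = longest = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0          # a vowel, digit or hyphen ends the consonant run
    return {
        "length": len(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "max_consonant_run": longest,
    }


def is_suspicious(domain: str, max_digit_ratio: float = 0.15,
                  min_vowel_ratio: float = 0.2, max_run: int = 5) -> bool:
    """Flag a label that looks machine-generated. The thresholds are assumed values."""
    f = features(domain)
    return (f["digit_ratio"] >= max_digit_ratio
            or f["vowel_ratio"] < min_vowel_ratio
            or f["max_consonant_run"] >= max_run)


def scan(domains: Iterable[str]) -> Dict[str, bool]:
    """Verdict per domain, so the misses are as visible as the hits."""
    return {d: is_suspicious(d) for d in domains}


if __name__ == "__main__":
    for d, verdict in scan(SAMPLE_DOMAINS).items():
        f = features(d)
        print(f"{'SUSPICIOUS' if verdict else 'clean     '}  {d:34} "
              f"digits={f['digit_ratio']:.2f} vowels={f['vowel_ratio']:.2f} "
              f"run={f['max_consonant_run']}")
```

Run it and the Botnet A and C names are flagged on digit ratio or on the complete absence of vowels, and most Botnet D names on their consonant runs, while every Botnet B name passes: that is exactly the gap a syllable-style generator is built to exploit. Note the miss in the other direction too, `hsuaajql.cn`, a uniformly random Botnet D label that happens to look pronounceable. Lexical scoring of this kind is a cheap first filter, not a detector on its own.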

3. New Botnet.C

Here is how the Botnet.C variant talks to its CnCs:

hxxp://kemebrmewernrewroi43b3b3b3.com/32/c3ii.bin

Auto-generated domains on a typical day look like these:

kemebrremewernrewroi43b3b3b3.com
kemeremewernrewroi43b3b3b3.com
kemebrremewernwroi43b3b3b3.com
kemebrremewrewroi43b3b3b3.com
kemebrmewernrewroi43b3b3b3.com
ffhsdf4747282e73472384234.com
ffbsdfsdbfhdsfhsdbfsdjhf.com
eryryweryuerndsfsfw.com
fehwurweyuddsmfnbznds.com

4. New Botnet.D

Botnet.D communicates with random CnCs like this:

hxxp://cuczsiim.cn/links.php?w=*&i=*

The list of generated domains for this botnet is as follows:

hsuaajql.cn
jcblzlto.cn
uqtcspcm.cn
afkzrmua.cn
etsedibb.cn
jhcehhsz.cn
iuuzunqx.cn
pebiautq.cn
kzqjcjau.cn
oslaeinn.cn
jcuixkvp.cn
lfbzcink.cn
ptteqmwi.cn
eekikjid.cn
bhqepnag.cn
yulzjhnf.cn
hmcceydw.cn
nkulbbvs.cn
vruivmjv.cn
tvbncooe.cn
ggtnekpr.cn
dasqxixn.cn
cwqbcprz.cn
rxlsqlqx.cn
zicqkayj.cn
wouomejh.cn
sjbspyca.cn
xptbjbpb.cn
nysebhxm.cn
cgsnace.cn
adgezmzw.cn
qrlisics.cn
wwcbrilig.cn
zxusdpmf.cn
qnqnnjrj.cn
ajlnjugl.cn
jykeqjix.cn
iasicijz.cn
pjqnxpan.cn
lnlnwlnq.cn
iocoeidr.cn
miufcmve.cn
opbbvonv.cn
kjtsqkwt.cn
hnsonhjj.cn
jxqsbjam.cn
uwlbeuno.cn
ibtvyjcn.cn
iikaleue.cn
mlsjiabr.cn
omqcoblt.cn
cuczsiim.cn
nhuezjmo.cn
qbbvalhl.cn
aetinpej.cn
ftkeiefv.cn
vfszoaet.cn
tcqiibzr.cn
gelvlyce.cn
dzujanmq.cn
cqbcuuhx.cn
anuntpqd.cn
bybeditf.cn
yatirjcq.cn
mxcsiusy.cn
iwubojqe.cn
pdlehakk.cn
nvknnkfa.cn

Newton's third law of motion says, "For every action there is always an equal and opposite reaction." This is pretty much what is happening in the fight against botnets. The increasing use of built-in domain generation algorithms can be seen as a natural reaction to recent botnet shutdowns. It is also an effective answer to popular community-based domain blacklists such as ZeuS Tracker and Malware Domain List, since a CnC domain that is only used for a few days is stale by the time it gets listed. The good news is that the bad guys' reaction has been well noticed and, as Newton showed, it is now our turn.