DGAs: A Domain Generation Evolution


You may remember hearing about Domain Generating Algorithms, aka DGAs, from our coverage of the PushDo malware or from the malware we dubbed DGA.Changer, or more recently from our post on the Tinba Trojan. Malware threats that contain DGAs are not new, but they are more difficult to prevent and detect.

The experts in Seculert’s Research Lab have identified an increasingly disturbing trend in the use of DGAs by cyber criminals. Malware families that feature DGAs, as a means to evade traditional security products, are incorporating increasingly sophisticated Domain Generating Algorithms.

These evolving DGAs, such as the one in Matsnu, generate domains composed of a noun, verb, noun, verb sequence until the domain is 24 characters long. This is an attempt to bypass machine learning and phonetic detection algorithms that look for domain names with no meaning, e.g. ldfjdiehwslgoeh.com.

Figure 1a: The Evolution of DGAs


December 2008: Conficker generates a list of 250 domains based on a randomizing function that is seeded with the current UTC system date. The list is generated every 3 hours.
July 2009: Sinowal (aka Torpig and Mebroot) generates a week-based domain and a day-based domain, the latter also used as a failsafe.
September 2011: ZeuS P2P uses alphanumerics to create domains 33 and 45 characters long as a contingency plan to try to recover from losing connection with the C&C. ZeuS P2P is an old version of Gameover ZeuS.
October 2012: XPAJ resurfaced with a DGA designed as a fallback mechanism which can generate up to 197 URLs.
May 2013: PushDo originally generated 138 ".com" domains daily as a fallback mechanism for situations when the C&C was not accessible. After realizing they were being investigated, the creators adapted the DGA to create ".kz" domains instead.
October 2013: Bayrob is the first DGA based on a word bank, from which it generates domains consisting of pairs of real words.
December 2013: DGA.Changer is capable of generating an infinite number of domains. The bot can also receive a command from the C&C to change the DGA seed.
June 2014: Rovnix uses words from the US Constitution to generate domains.
June 2014: Matsnu features a configurable DGA based on nouns and verbs in a wordlist.
July 2014: Gameover ZeuS changed its DGA from generating 1,000 domains per week to generating 1,000 domains per day; it is the more recent version of ZeuS P2P.
September 2014: Tinba uses a DGA based on a hard-coded domain and seed which are unique to each sample, generating 1,000 unique domains.

Figure 1b: The Evolution of DGAs and their New Capabilities

The New Matsnu: A Case Study

A prime example of the evolution of Domain Generating Algorithms (Figure 1) can be seen in a recently discovered new variant of the Matsnu trojan. The previous version of Matsnu, also referred to as Trustezeb, was seen a little over a year ago. The DGA in the new Matsnu variant is configurable: the operator can set the number of domains to generate daily, as well as how many days into the past previously generated domains are reused (Figure 2). This variant also ships with about 10 hardcoded domains.
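To make the two points above concrete (why a noun/verb word-bank DGA slips past "meaningless string" heuristics, and what a configurable per-day count plus look-back window means for a defender who wants to pre-compute the domains to block or sinkhole), here is an added example. It is illustrative code written for this post, not Matsnu's own algorithm or Seculert's detection logic: the eight-noun/eight-verb word bank, the SHA-256 date seeding, the 24-character cap and the detection thresholds are all assumptions chosen for the demonstration.

```python
import hashlib
from datetime import date, timedelta

# Constructed mini word bank for illustration only (assumption). Matsnu's real
# list has 878 nouns and 444 verbs; its selection algorithm is not reproduced here.
NOUNS = ["market", "garden", "river", "window", "silver", "ticket", "letter", "forest"]
VERBS = ["carry", "listen", "travel", "build", "answer", "follow", "change", "deliver"]
WORDS = set(NOUNS) | set(VERBS)      # the defender's dictionary for segmentation
VOWELS = set("aeiou")


def word_bank_domains(day_iso: str, count: int, tld: str = ".com", max_len: int = 24) -> list:
    """Illustrative date-seeded noun/verb DGA (assumption: not the real Matsnu code).

    Each label alternates noun, verb, noun, verb ... and stops before it would
    exceed max_len characters, mirroring the 24-character limit described above.
    """
    domains = []
    for i in range(count):
        # Deterministic per-day seed: anyone who knows the algorithm, including a
        # defender, can reproduce the same list for the same day.
        seed = hashlib.sha256(f"{day_iso}:{i}".encode()).digest()
        label = ""
        for k, byte in enumerate(seed):
            bank = NOUNS if k % 2 == 0 else VERBS
            word = bank[byte % len(bank)]
            if len(label) + len(word) > max_len:
                break
            label += word
        domains.append(label + tld)
    return domains


def precompute_blocklist(today_iso: str, per_day: int, days_back: int) -> set:
    """Defender's counterpart to the configurable DGA: reproduce every domain the
    bot may still accept, i.e. today's batch plus the configured look-back window."""
    today = date.fromisoformat(today_iso)
    names = set()
    for back in range(days_back + 1):
        day = (today - timedelta(days=back)).isoformat()
        names.update(word_bank_domains(day, per_day))
    return names


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(label: str) -> float:
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def looks_random(domain: str) -> bool:
    """Classic 'meaningless string' heuristic: unpronounceable consonant runs or
    too few vowels. Thresholds are assumptions chosen for this example."""
    label = domain.split(".")[0].lower()
    return longest_consonant_run(label) >= 5 or vowel_ratio(label) < 0.2


def min_word_segments(label: str, words: set):
    """Minimum number of dictionary words that exactly tile the label, or None
    if no tiling exists. Standard dynamic-programming word segmentation."""
    inf = float("inf")
    best = [0] + [inf] * len(label)
    for end in range(1, len(label) + 1):
        for start in range(end):
            if best[start] < inf and label[start:end] in words:
                best[end] = min(best[end], best[start] + 1)
    return None if best[-1] == inf else best[-1]


def looks_word_bank_dga(domain: str, words: set, min_words: int = 3) -> bool:
    """Flag labels that are nothing but a run of several dictionary words: a
    pronounceable domain that passes looks_random() but is still machine-made."""
    label = domain.split(".")[0].lower()
    segments = min_word_segments(label, words)
    return segments is not None and segments >= min_words


if __name__ == "__main__":
    samples = ["ldfjdiehwslgoeh.com", "example.com"] + word_bank_domains("2014-06-01", 3)
    for d in samples:
        print(f"{d:32} random={looks_random(d)!s:5} word_bank={looks_word_bank_dga(d, WORDS)}")
```

Running it shows the contrast the post describes: the classic heuristic flags ldfjdiehwslgoeh.com but passes every generated noun/verb domain, while dictionary segmentation catches the generated ones because a legitimate name is rarely a seamless tiling of three or more word-bank entries. The `precompute_blocklist` helper also shows why the look-back setting matters to a defender: the bot will accept domains from several past days, so a blocklist that only covers today's batch leaves a gap.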

Figure 2: Code showing the configurable DGA

As visible in the above code, Matsnu's DGA takes nouns and verbs as inputs, and can even pull them from a word list (Figure 3). The word list includes 878 nouns and 444 verbs. The verb list also includes another mixture of nouns at the end of the list. This is similar to Rovnix, which used words from the U.S. Constitution to create its domains.

Figure 3: Matsnu's Word List for Generating Domains

In addition to a configurable DGA, the Matsnu trojan can have other capabilities added to it through extension DLL download. It gets the added functions by using HTTP requests (Figure 4).

Figure 4: HTTP requests used by Matsnu to communicate with its C&C


Infection Cycle

Once Matsnu has been delivered, its first attempt to call home and communicate with the command and control server includes the following information about the infected host: system information (UserName, ComputerName, WinVer, OS bitness, CPU, GPU, VM environment (if present), language locale, drive info, installed AVs). Subsequent communications contain instructions on actions to execute based on commands from the C&C (Figure 5). Items in bold are new to this variant.

Figure 5: Bot supported commands


Additionally, the bot monitors the Registry to make sure its Run Key is still present. If the key has been removed, then the bot will automatically renew it. All data downloaded from the command and control server is encrypted and compressed in addition to communication obfuscation. The bot also reports back to the C&C on the VM environment using a registry query (Figure 6).

Figure 6: Registry based VM detection


This variant of Matsnu with the new DGA was first seen in June 2014 and has been targeting mainly German speakers, with 89% of infected users being located in the DE region (Figure 7).

Figure 7: Top Countries by Number of Infected Users


It uses a parameter stack pushing style similar to that used in Tinba, i.e. mixing data and code (Figure 8).

Figure 8: Parameter stack pushing style


The Seculert Research Lab has seen approximately 9,000 bots per day communicating with our sinkholed server (Figure 9). To date, it is thought that Matsnu is spreading mainly by spam email messages (in German) relating to online shopping sites.

Figure 9: Number of Bots Communicating with Seculert’s Sinkhole Server


So while this new version of the Matsnu trojan has shown some flair, the real news is the ongoing evolution of Domain Generating Algorithms. The new DGAs are designed to avoid even the latest detection technologies. But as the DGAs continue to evolve, so does the technology behind Seculert’s Platform, protecting customers from Matsnu and the next cyber threat.

Contributors: Yevgeniy Kulakov and Shimon Zvirin

New variant:
SHA256: 8bfa2d39be44de91958226983d983a07c1bcf75b007ab17b295215d08a63f032
MD5: 43ecaeb983683f57af842c8993e242e6
Old variant:
SHA256: 23e5dbb6b51e056ecd17805ae31adb3f515b747924445b5e0b73af1b815301c0
MD5: 361ac442e0074826f7af16f5e897cf4c

The post DGAs: A Domain Generation Evolution appeared first on Seculert Blog on Breach Detection.