DGArchive A deep dive into domain generating malware
Daniel Plohmann [email protected]
2015-12-03 | Botconf, Paris
© 2015 Fraunhofer FKIE 1 About me
Daniel Plohmann
PhD candidate at University of Bonn, Germany
Security Researcher at Fraunhofer FKIE
Focus: Reverse Engineering / Malware Analysis / Automation
Projects
ENISA Botnet Study 2011 [1]
Analysis Tools
PyBox, IDAscope, DGArchive, …
Botnet Analysis
Gameover Zeus / P2P protocols [2]
DGA-based Malware
[1] http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence [2] http://christian-rossow.de/publications/p2pwned-ieee2013.pdf © 2015 Fraunhofer FKIE 2 Agenda
Intro: Domain Generation Algorithms / DGArchive
Comparison of DGA Features
Registration Status of DGA Domain Space
Case Studies
© 2015 Fraunhofer FKIE 3 Intro
Domain Generation Algorithms
© 2015 Fraunhofer FKIE 4 Domain Generation Algorithms Definitions
Concept first described ~2008: Domain Flux
Domain Generation Algorithm (DGA)
An algorithm producing Command & Control rendezvous points
dynamically Shared secret between malware running on compromised host and
botmaster Seeds
Collection of parameters influencing the output of the algorithm
Algorithmically-Generated Domain (AGD)
Domains resulting from a DGA
© 2015 Fraunhofer FKIE 5 Domain Generation Algorithms Origin & History
Feb 2006 Sality: dynamically generates 3rd-level domain part
July 2007 Torpig: Report by Verisign includes DGA-like domains
July 2007 Kraken: VirusTotal upload of binary using DDNS
April 2008 Kraken DGA first publicly mentioned
3 big events in November 2008 – April 2009:
Szribi: Takedown, but botmaster regained control through DGA
Conficker: Well, you probably know about that one…
Torpig: DGA-based takeover
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=138354 http://fserror.com/pdf/Torpig.pdf ©https://isc.sans.edu/forums/diary/Kr 2015 Fraunhofer FKIE aken+Technical+Details+UPDATED+x3/4256/ https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html https://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf 6 Domain Generation Algorithms Motivation for Usage
Aggravation of Analysis
No hardcoded domains / dumping -> code analysis needed
Evasion
Many DGAs have short-lived domains -> avoid domain reputation
Backup
Registration only when needed
Asymmetry
Attacker needs one domain, defender needs to prohibit access to all
Feasability of DGAs
Domains are cheap (compared to profits)
© 2015 Fraunhofer FKIE 7 DGArchive The idea
DGAs are annoying! :(
Idea:
Reverse DGA, then generate and archive all possible domains since first spotting
of a malware family
pcxeyx.biz? Domain Blocklist Lookups Generation [...] Nymaim! "qetyxeg.com","simda" "puvywup.com","simda" Valid on: "gahyfow.com","simda" 2014-04-19 "lyryxen.com","simda" "vocyquc.com","simda" 2014-03-20 "qegyfil.com","simda" 2015-12-11 "puryxag.com","simda" DGArchive "gacyqys.com","simda" [...]
© 2015 Fraunhofer FKIE 8 DGArchive Status
Botconf 2014: Lightning talk
8 families, ~20 seeds, ~ 4 million domains
DGArchive Today
43 families/variants, ~280 seeds, 20+ million domains
© 2015 Fraunhofer FKIE 9 Finding DGAs Mining a Sandbox DNS feed
Remix of academic approaches and common sense
Input: List of domains, queried during a sandbox run
DNS Feed by THANK YOU!!!
1,235,443 sandbox runs; 15,660,256 DNS queries (959,607 unique)
1. Alexa 1 million
2. Self-curated blacklist 1) Filtering 3. Query vs DGArchive
1. N-gram frequency New Seed? 2. Entropy 2) Scoring 3. Domain length ? tch 4. NX domain? a M Known Patterns of DGAs
1. Length 3) Matching New DGA? 2. Alphabets No Match / 3. TLDs © 2015 Fraunhofer FKIE Inconsistency 10 Parameter Extraction Automate all the things!
Customized sandboxing system for selected malware families
Processing malware feeds (<- THANK YOU)
Part of TinyBanker DGA config in memory: Regex for extraction of relevant fields:
0000000: f9 b0 20 f3 aa 61 e8 00 00 00 00 58 2d 1b 68 40 .. ..a.....X‐.h@ 0000010: 00 ff 75 10 ff 75 0c ff 75 08 ff 90 33 4d 40 00 ..u..u..u...3M@. regex_config = ( 0000020: 83 c4 0c c9 c3 90 90 90 90 90 90 90 90 90 90 90 ...... r"\x90{4,16} " 0000030: 73 70 61 69 6e 65 73 2e 70 77 00 00 00 00 00 00 spaines.pw...... r"(?P
© 2015 Fraunhofer FKIE 11 Comparison of
DGA Features
© 2015 Fraunhofer FKIE 12 DGA Features Intro
Examples of DGA characteristics
DGA class and generation scheme (+ use of well-known algorithms)
Domain structure (length, alphabet) and TLDs
Domain validity period and domains per cycle (covered indirectly)
Domain randomness
C&C Priority
In short: DGA is basically always „last priority“
but 28 of 40 families use DGA as only C&C rendezvous method! (5 of them have hardcoded but basically unused domains)
© 2015 Fraunhofer FKIE 13 DGA Features Taxonomy and Generation Schemes
DGA Classes (Taxonomy by Barabosch et al. [1]):
Type Time dependent Deterministic Example
TID Kraken, TinyBanker
TDD Conficker, Gameover Zeus
TDN Torpig, Bedep
TIN -
Generation Schemes
Type Example Family Example Domain
Arithmetic (A) DirCrypt vlbqryjd.com
Wordlist (W) Matsnu termacceptyear.com
Hashing (H) Bamital b83ed4877eec1997fcc39b7ae590007a.info
Permutation (P) VolatileCedar dotnetexplorer.info
[1] https://net.cs.uni-bonn.de/fileadmin/user_upload/wichmann/Extraction_DNGA_Malware.pdf
© 2015 Fraunhofer FKIE 14 Bamital Fobber Mewsei Pykspa 2 Simda
Banjori Geodo Murofet 1 Suppobox QakBot
Bedep Gameover DGA Murofet 2 Szribi Ramdo
Conficker Gameover P2P Necurs Tempedreve Ramnit
CoreBot Gozi Nymaim Ranbyus TinyBanker
Cryptolocker Hesperbot Pushdo Redyms Torpig
DirCrypt Kraken Pushdo TID UrlZone Rovnix
Dyre Matsnu Pykspa 1 VolatileCedar Shifu
Names© 2015 Fraunhofercontain FKIE clickable links to references for these families. 15 Bamital Fobber Mewsei Pykspa 2 Simda
TDD TID TDD TDD TID
Banjori Geodo Murofet 1 Suppobox QakBot TID TDD TDD TDD TDD
Bedep Gameover DGA Murofet 2 Szribi Ramdo TDN TDD TDD TID TDD
Conficker Gameover P2P Necurs Tempedreve Ramnit TDD TDD TDD TID TID
CoreBot Gozi Nymaim Ranbyus TinyBanker TDD TDD TDD TDD TID
Cryptolocker Hesperbot Pushdo Redyms Torpig TDD TID TDD TID TDD / TDN
DirCrypt Kraken Pushdo TID UrlZone Rovnix TID TID TID TID TID
Dyre Matsnu Pykspa 1 VolatileCedar Shifu TDD TDD TDD TID TID
© 2015 Fraunhofer FKIE Classes: 22 (55%) TDD, 16 (40%) TID, 2 (5%) TDN 16 Bamital Fobber Mewsei Pykspa 2 Simda
H (MD5) A (LCG) A (LCG) A( LCG) A
Banjori Geodo Murofet 1 Suppobox QakBot A A A (MD5) A (Mersenne) W
Bedep Gameover DGA Murofet 2 Szribi Ramdo A A (MD5) A (MD5) A A
Conficker Gameover P2P Necurs Tempedreve Ramnit A A (MD5) A A (LCG) A (LCG)
CoreBot Gozi Nymaim Ranbyus TinyBanker A (LCG) W (LCG) A (Xorshift) A A
Cryptolocker Hesperbot Pushdo Redyms Torpig A A A (MD5) A A
DirCrypt Kraken Pushdo TID UrlZone Rovnix A (LCG) A A (LCG) A (LCG) A
Dyre Matsnu Pykspa 1 VolatileCedar Shifu H (SHA256) W A A (LCG) P
© 2015 Fraunhofer FKIE Classes: 34 (85%) A, 3 (7.5%) W, 2 (5%) H, 1 (2.5%) P 17 Bamital Fobber Mewsei Pykspa 2 Simda The Linear Congruential Generator (LCG) H A (LCG) A (LCG) A( LCG) A
Pseudo-RandomBanjori NumberGeodo GeneratorMurofet (PRNG)1 Suppobox QakBot AXn+1 = ( a * Xn + c)A mod m A (MD5) A (Mersenne) W
BedepNumerous variantsGameoverofDGA LCG withMurofetregard2 to parameters (a, c, m) Szribi Ramdo Numerical Recipes, MSVC, Park & Miller, own values, … A A (MD5) A (MD5) A A Conficker Gameover P2P Necurs Ramnit Tempedreve Trivial example DGA: Pushdo TID A A (MD5) A A (LCG) A (LCG) def generateDomain(): CoreBot Gozi Nymaim Ranbyus TinyBanker domain = "" A (LCG)tlds = [".com",W (LCG) ".net", ".org",A (Xorshift) ".ru", ".tv"] A A for i in xrange(10): Cryptolocker domain Hesperbot+= chr(0x61 + lcg()Pushdo % 26) Redyms Torpig domain += tlds[lcg() % 5] A return domain A A (MD5) A A DirCrypt Kraken Pushdo TID UrlZone ################# Rovnix A"xirgbebore.tv" (LCG) A A (LCG) A (LCG) A "bsbuhapqbw.org" "pgdudgjypi.ru"Dyre Matsnu Pykspa 1 VolatileCedar Shifu H (SHA256) W A A (LCG) P Digression© 2015 Fraunhofer FKIE Time! 18 Bamital Fobber Mewsei Pykspa 2 Simda
Banjori Geodo Murofet 1 Suppobox QakBot
Bedep Gameover DGA Murofet 2 Szribi Ramdo
Conficker Gameover P2P Necurs Tempedreve Ramnit
CoreBot Gozi Nymaim Ranbyus TinyBanker
Cryptolocker Hesperbot Pushdo Redyms Torpig
DirCrypt Kraken Pushdo TID UrlZone Rovnix
Dyre Matsnu Pykspa 1 VolatileCedar Shifu
© 2015 Fraunhofer FKIE Domain Structure. 19 Bamital Fobber Mewsei Pykspa 2 Simda
32 | 4 | 16 10 - 17 | 2 | 26 8 - 15 | 1 | 23 6 - 12 | 4 | 26 5 - 11 (F) | 4 | 26
Banjori Geodo Murofet 1 Suppobox QakBot 11 – 26 (F) | 1 | 26 16 | 1 | 25 8 - 15 | 5 | 26 8 - 25 | 5 | 26 8 - 26 | 1 | 26
Bedep Gameover DGA Murofet 2 Szribi Ramdo 12 - 18 | 1 | 36 20 - 28 | 4 | 36 32 - 47 | 6 | 36 16 | 1 | 13 8 | 1 | 15
Conficker Gameover P2P Necurs Tempedreve Ramnit 4 - 11 | 123 | 26 11 - 32 | 6 | 26 7 - 21 | 43 | 25 8 - 19 | 1 | 25 7 - 11 | 4 | 26
CoreBot Gozi Nymaim Ranbyus TinyBanker 12 - 23 | 1 | 34 12 - 24 | 12 | 26 6 - 11 | 8 | 26 14 | 8 | 25 12 | 15 | 25
Cryptolocker Hesperbot Pushdo Redyms Torpig 12 - 15 | 7 | 25 8 - 24 | 1 | 26 8 - 12 | 2 | 26 9 - 15 | 1 | 27 7 - 9 | 3 | 30
DirCrypt Kraken Pushdo TID UrlZone Rovnix 8 - 20 | 1 | 26 6 - 11 | 4 | 26 10 | 5 | 26 18 | 5 | 34 9 - 15 | 2 | 32
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 34 | 8 | 36 12 - 24 | 1 | 27 6 - 15 | 6 | 26 7 | 1 | 25 14 | 1 | 9
© 2015 Fraunhofer FKIE Scheme: Minlength -Maxlength (Fixed per seed) | TLDs | Size of Alphabet 20 Bamital Fobber Mewsei Pykspa 2 Simda
32 | 4 | 16 10 - 17 | 2 | 26 8 - 15 | 1 | 23 6 - 12 | 4 | 26 5 - 11 (F) | 4 | 26
Banjori Geodo Murofet 1 Suppobox QakBot 11 – 26 (F) | 1 | 26 16 | 1 | 25 8 - 15 | 5 | 26 8 - 25 | 5 | 26 8 - 26 | 1 | 26
Bedep Gameover DGA Murofet 2 Szribi Ramdo 12 - 18 | 1 | 36 20 - 28 | 4 | 36 32 - 47 | 6 | 36 16 | 1 | 13 8 | 1 | 15
Conficker Gameover P2P Necurs Tempedreve Ramnit 4 - 11 | 123 | 26 11 - 32 | 6 | 26 7 - 21 | 43 | 25 8 - 19 | 1 | 25 7 - 11 | 4 | 26
CoreBot Gozi Nymaim Ranbyus TinyBanker 12 - 23 | 1 | 34 12 - 24 | 12 | 26 6 - 11 | 8 | 26 14 | 8 | 25 12 | 15 | 25
Cryptolocker Hesperbot Pushdo Redyms Torpig 12 - 15 | 7 | 25 8 - 24 | 1 | 26 8 - 12 | 2 | 26 9 - 15 | 1 | 27 7 - 9 | 3 | 30
DirCrypt Kraken Pushdo TID UrlZone Rovnix 8 - 20 | 1 | 26 6 - 11 | 4 | 26 10 | 5 | 26 18 | 5 | 34 9 - 15 | 2 | 32
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 34 | 8 | 36 12 - 24 | 1 | 27 6 - 15 | 6 | 26 7 | 1 | 25 14 | 1 | 9
TLDs:© 2015 Fraunhofer 10+, FKIE 5+, … (per seed) – thankfully, most use only few TLDs 21 Bamital Fobber Mewsei Pykspa 2 Simda
32 | 4 | 16 10 - 17 | 2 | 26 8 - 15 | 1 | 23 6 - 12 | 4 | 26 5 - 11 (F) | 4 | 26
Banjori Geodo Murofet 1 Suppobox QakBot 11 – 26 (F) | 1 | 26 16 | 1 | 25 8 - 15 | 5 | 26 8 - 25 | 5 | 26 8 - 26 | 1 | 26
Bedep Gameover DGA Murofet 2 Szribi Ramdo 12 - 18 | 1 | 36 20 - 28 | 4 | 36 32 - 47 | 6 | 36 16 | 1 | 13 8 | 1 | 15
Conficker Gameover P2P Necurs Tempedreve Ramnit 4 - 11 | 123 | 26 11 - 32 | 6 | 26 7 - 21 | 43 | 25 8 - 19 | 1 | 25 7 - 11 | 4 | 26
CoreBot Gozi Nymaim Ranbyus TinyBanker 12 - 23 | 1 | 34 12 - 24 | 12 | 26 6 - 11 | 8 | 26 14 | 8 | 25 12 | 15 | 25
Cryptolocker Hesperbot Pushdo Redyms Torpig 12 - 15 | 7 | 25 8 - 24 | 1 | 26 8 - 12 | 2 | 26 9 - 15 | 1 | 27 7 - 9 | 3 | 30
DirCrypt Kraken Pushdo TID UrlZone Rovnix 8 - 20 | 1 | 26 6 - 11 | 4 | 26 10 | 5 | 26 18 | 5 | 34 9 - 15 | 2 | 32
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 34 | 8 | 36 12 - 24 | 1 | 27 6 - 15 | 6 | 26 7 | 1 | 25 14 | 1 | 9
Size© 2015of Fraunhofer Alphabet? FKIE 22 Bamital Fobber Mewsei Pykspa 2 Simda Not sure if intentional or bugs… 32 | 4 | 16 10 - 17 | 2 | 26 8 - 15 | 1 | 23 6 - 12 | 4 | 26 5 - 11 (F) | 4 | 26
def generateDomain(): Banjori Geodo Murofet 1 QakBot Suppobox domain = "" 11 – 26 (F) |tlds 1 | 26 = [".com",16 | 1 | ".ne25 t", ".org",8 - 15 | 5".ru", | 26 ".tv"]8 - 25 | 5 | 26 8 - 26 | 1 | 26 for i in xrange(10): Bedep domainGameover += chr(0x61DGA + lcg()Murofet % 262 ) Szribi Ramdo domain += tlds[lcg() % 5] 12 - 18 | 1 | 36 20 - 28 | 4 | 36 32 - 47 | 6 | 36 16 | 1 | 13 8 | 1 | 15 return domain Conficker Gameover P2P Necurs Tempedreve Ramnit 4 - 11PushdoTID | 123 | 26 has11 an - 32alphabet | 6 | 26 size7 of- 21 26! | 43 | 25 8 - 19 | 1 | 25 7 - 11 | 4 | 26
However, if you use modulo 25… CoreBot Gozi Nymaim Ranbyus TinyBanker 12 - 23CryptoLocker, | 1 | 34 12 - Geodo,24 | 12 | 26 Necurs,6 Ramnit,- 11 | 8 | 26 Ranbyus,14 Shifu, | 8 | 25 Tinybanker12 | 15 | 25
Or do this twice (on vowels and consonants, or chars and numbers) … Cryptolocker Hesperbot Pushdo Redyms Torpig 12 - 15CoreBot | 7 | 25 (34),8 Mewsei- 24 | 1 | 26(23), Rovnix8 - 12 |(34) 2 | 26 9 - 15 | 1 | 27 7 - 9 | 3 | 30
Or do something even more special … DirCrypt Kraken Pushdo TID UrlZone Rovnix Ramdo (13), Szribi (15), Torpig (30), UrlZone (32) 8 - 20 | 1 | 26 6 - 11 | 4 | 26 10 | 5 | 26 18 | 5 | 34 9 - 15 | 2 | 32
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 34 | 8 | 36 12 - 24 | 1 | 27 6 - 15 | 6 | 26 7 | 1 | 25 14 | 1 | 9
Size© 2015of Fraunhofer Alphabet: FKIE Some DGAs use truncated alphabets. 23 Bamital Fobber Mewsei Pykspa 2 Simda
Banjori Geodo Murofet 1 Suppobox QakBot
Bedep Gameover DGA Murofet 2 Szribi Ramdo
Conficker Gameover P2P Necurs Tempedreve Ramnit
CoreBot Gozi Nymaim Ranbyus TinyBanker
Cryptolocker Hesperbot Pushdo Redyms Torpig
DirCrypt Kraken Pushdo TID UrlZone Rovnix
Dyre Matsnu Pykspa 1 VolatileCedar Shifu
Domain© 2015 Fraunhofer length FKIE analysis out of scope 24 DGA Domain Space and
Registration Status
© 2015 Fraunhofer FKIE 25 DGA Domain Space as seen by DGArchive
So we reversed many DGAs and extracted a lot of seeds…
How many potential DGA domains are there?
Are there collisions between DGAs?
How many of these domains are registered?
No ground-truth available :(
© 2015 Fraunhofer FKIE 26 DGA Domain Space as seen by DGArchive
Study conducted on data set fixed on 22nd September 2015
Domains generated from first spotting of family until 31.12.2015
Eternal thanks to Michael Klatt & DomainTools!
Provided historic WHOIS data for all domains in DGArchive
Evaluation of WHOIS features for majority of DGAs
Identified characteristics about domains
Sinkholes
Mitigations (registration turned to sinkhole at later point)
Pre-registrations (registration before appearence of the family)
Domain Parking
Random fact: 25 / 40 DGAs surfaced 2013 and later!
© 2015 Fraunhofer FKIE 27 Bamital Fobber Mewsei Pykspa 2 Simda
Banjori Geodo Murofet 1 Suppobox QakBot
Bedep Gameover DGA Murofet 2 Szribi Ramdo
Conficker Gameover P2P Necurs Tempedreve Ramnit
CoreBot Gozi Nymaim Ranbyus TinyBanker
Cryptolocker Hesperbot Pushdo Redyms Torpig
DirCrypt Kraken Pushdo TID UrlZone Rovnix
Dyre Matsnu Pykspa 1 VolatileCedar Shifu
How© 2015 many Fraunhofer FKIEdomains are generated by these DGAs? 28 Bamital Fobber Mewsei Pykspa 2 Simda
197,000 | 1 2,000 | 2 1,984 | 1 775,342 | 2 11,528 | 12
Banjori Geodo Murofet 1 Suppobox QakBot 421,390 | 30 90,232 | 2 4,063,680 | 2 385,000 | 1 98,304 | 3
Bedep Gameover DGA Murofet 2 Szribi Ramdo 3,806 | 4 6,182,000 | 2 262,000 | 1 3000 | 3 2,949 | 1
Conficker Gameover P2P Necurs Tempedreve Ramnit 125,118,625 | 3 262,000 | 1 3,551,232 | 6 18,000 | 18 204 | 1
CoreBot Gozi Nymaim Ranbyus TinyBanker 18,160 | 2 16,963 | 9 65,040 | 3 64,400 | 7 81,930 | 90
Cryptolocker Hesperbot Pushdo Redyms Torpig 1,108,000 | 1 178 | 3 124,021 | 4 34 | 1 17,610 | 2
DirCrypt Kraken Pushdo TID UrlZone Rovnix 420 | 14 300 | 1 6,000 | 1 10,000 | 1 10,009 | 6
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 592,000 | 1 3,346 | 2 22,764 | 1 1,554 | 2 170 | 1
Sum© 2015 of Fraunhofer unique FKIE domains: 143,584,257 or 18,465,647 without Conficker 29 DGA Domain Space Domain Collisions
DGA domains may collide
Within a DGA
With other DGAs
© 2015 Fraunhofer FKIE 30 Bamital Fobber Mewsei Pykspa 2 Simda
197,000 2,000 1,984 775,342 11,528
Banjori Geodo Murofet 1 Suppobox QakBot 421,390 90,232 4,063,680 385,000 98,304
Bedep Gameover DGA Murofet 2 Szribi Ramdo 3,806 6,182,000 262,000 3000 2,949
Conficker Gameover P2P Necurs Tempedreve Ramnit 125,118,625 262,000 3,551,232 18,000 204
CoreBot Gozi Nymaim Ranbyus TinyBanker 18,160 16,963 65,040 64,400 81,930
Cryptolocker Hesperbot Pushdo Redyms Torpig 1,108,000 178 124,021 34 17,610
DirCrypt Kraken Pushdo TID UrlZone Rovnix 420 300 6,000 10,000 10,009
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 592,000 3,346 22,764 1,554 170
How© 2015 many Fraunhofer FKIEdomain collisions between Conficker and the other DGAs? 31 Pykspa 2
775,342 | 11!
Conficker Necurs
125,118,625 | 15! 3,551,232 | 3!
Nymaim
65,040 | 1!
Not© 2015 that Fraunhofer many. FKIE 32 Bamital Fobber Mewsei Pykspa 2 Simda
197,000 2,000 1,984 775,342 11,528
Banjori Geodo Murofet 1 Suppobox QakBot 421,390 90,232 4,063,680 385,000 98,304
Bedep Gameover DGA Murofet 2 Szribi Ramdo 3,806 6,182,000 262,000 3000 2,949
Conficker Gameover P2P Necurs Tempedreve Ramnit 125,118,625 262,000 3,551,232 18,000 204
CoreBot Gozi Nymaim Ranbyus TinyBanker 18,160 16,963 65,040 64,400 81,930
Cryptolocker Hesperbot Pushdo Redyms Torpig 1,108,000 178 124,021 34 17,610
DirCrypt Kraken Pushdo TID UrlZone Rovnix 420 300 6,000 10,000 10,009
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 592,000 3,346 22,764 1,554 170
And© 2015 now Fraunhofer without FKIE Conficker? 33 Pykspa 2
775,342 | 1!
„wttttf.net“
Nymaim
65,040 | 1!
One© 2015 single Fraunhofer FKIEcollision 34 Bamital Fobber Mewsei Pykspa 2 Simda Conclusions: 197,000 2,000 1,984 775,342 11,528
SoBanjori if there are so Geodofew collisions betweenMurofet 1 DGAs… Suppobox QakBot using pre-calculated AGDs to identify malware is pretty accurate! 421,390 90,232 4,063,680 385,000 98,304 BedepActually forGameoverboth familyDGA and campaign!Murofet 2 Szribi Ramdo 3,806 6,182,000 262,000 3000 2,949
Conficker Gameover P2P Necurs Tempedreve Ramnit 125,118,625 262,000 3,551,232 18,000 204
CoreBot Gozi Nymaim Ranbyus TinyBanker 18,160 16,963 65,040 64,400 81,930
Cryptolocker Hesperbot Pushdo Redyms Torpig 1,108,000 178 124,021 34 17,610
DirCrypt Kraken Pushdo TID UrlZone Rovnix 420 300 6,000 10,000 10,009
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 592,000 3,346 22,764 1,554 170
Inter-DGA© 2015 Fraunhofer domain FKIE collisions: Basically non-existent! 35 DGA Domain Space Registrations and Domain Collisions
DGA domains may collide
With already registered (benign) domains
So first: How many domains are registered?
© 2015 Fraunhofer FKIE 36 Bamital Fobber Mewsei Pykspa 2 Simda
197,000 2,000 1,984 775,342 11,528
Banjori Geodo Murofet 1 Suppobox QakBot 421,390 90,232 4,063,680 385,000 98,304
Bedep Gameover DGA Murofet 2 Szribi Ramdo 3,806 6,182,000 262,000 3000 2,949
Conficker Gameover P2P Necurs Tempedreve Ramnit 125,118,625 262,000 3,551,232 18,000 204
CoreBot Gozi Nymaim Ranbyus TinyBanker 18,160 16,963 65,040 64,400 81,930
Cryptolocker Hesperbot Pushdo Redyms Torpig 1,108,000 178 124,021 34 17,610
DirCrypt Kraken Pushdo TID UrlZone Rovnix 420 300 6,000 10,000 10,009
Dyre Matsnu Pykspa 1 VolatileCedar Shifu 592,000 3,346 22,764 1,554 170
Registrations?© 2015 Fraunhofer FKIE 37 Bamital Fobber Mewsei Pykspa 2 Simda 8,340 (4.22%) 13 (0.65%) DDNS 1,927 (0.25%) 379 (3.29%) 197,000 2,000 1,984 775,342 11,528 Banjori Geodo Murofet 1 Suppobox QakBot 683 (0.16%) 107 (0.12%) 3,172 (0.08%) 1,088 (0.28%) 11,338 (11.53%) 421,390 90,232 4,063,680 385,000 98,304 Bedep Gameover DGA Murofet 2 Szribi Ramdo 654 (17.18%) 1,081 (0.02%) 559 (0.21%) 47 (1.57%) 54 (1.83%) 3,806 6,182,000 262,000 3000 2,949 Conficker Gameover P2P Necurs Tempedreve Ramnit - 74,755 (28.53%) 295 (0.01%) 939 (5.22%) 20 (9.80%) 125,118,625 262,000 3,551,232 18,000 204 CoreBot Gozi Nymaim Ranbyus TinyBanker DDNS 305 (1.80%) 656 (1.01%) 98 (0.15%) 1,733 (2.12%) 18,160 16,963 65,040 64,400 81,930 Cryptolocker Hesperbot Pushdo Redyms Torpig 3,820 (0.34%) 15 (8.43%) 453 (0.37%) 11 (32.35%) 139 (0.79%) 1,108,000 178 124,021 34 17,610 DirCrypt Kraken Pushdo TID UrlZone Rovnix 86 (20.48%) DDNS 245 (4.08%) 1 (0.01%) 127 (1.27%) 420 300 6,000 10,000 10,009 Dyre Matsnu Pykspa 1 VolatileCedar Shifu 850 (0.14%) 610 (18.23%) 455 (2.00%) 11 (0.71%) 13 (7.65%) 592,000 3,346 22,764 1,554 170 Registrations:© 2015 Fraunhofer FKIE 115,079 (0.62%) of 18,465,427 unique domains we had data for. 38 Bamital 7,891 / 8,340
197,000
Gameover P2P
72,713 / 74,755
262,000
Cryptolocker 2,899 / 3,820
1,108,000
Takedowns© 2015 Fraunhofer FKIE actually account for 72,56% of all considered DGA registrations. 39 DGA Domain Space Domain Collisions
DGA domains may collide
With already registered (benign) domains
© 2015 Fraunhofer FKIE 40 Bamital Fobber Mewsei Pykspa 2 Simda 0 / 8,340 0 / 13 757 / 1,927 66 / 379 (17.41%) 197,000 2,000 (39.28%) 11,528 Banjori Geodo Murofet 1 Suppobox QakBot 0 / 683 0 / 107 0 / 3,172 0 / 1,088 8.434 / 11,338 421,390 90,232 4,063,680 385,000 (74.39%) Bedep Gameover DGA Murofet 2 Szribi Ramdo 0 / 654 0 / 1,081 0 / 559 0 / 47 0 / 54 3,806 6,182,000 262,000 3000 2,949 Conficker Gameover P2P Necurs Tempedreve Ramnit 0 / 74,755 10 / 295 (3.34%) 0 / 939 0 / 20 262,000 3,551,232 18,000 204 CoreBot Gozi Nymaim Ranbyus TinyBanker 48 / 305 (15.74%) 70 / 656 (10.67%) 0 / 98 0 / 1,733 16,963 65,040 64,400 81,930 Cryptolocker Hesperbot Pushdo Redyms Torpig 0 / 3,820 0 / 15 3 / 453 (0.66%) 0 / 11 2 / 139 (1.44%) 1,108,000 178 124,021 34 17,610 DirCrypt Kraken Pushdo TID UrlZone Rovnix 0 / 86 0 / 245 0 / 1 0 / 127 420 6,000 10,000 10,009 Dyre Matsnu Pykspa 1 VolatileCedar Shifu 0 / 850 244 / 610 (40.00%) 12 / 455 (2.64%) 0 / 11 0 / 13 592,000 3,346 22,764 1,554 170 Pre-Registrations:© 2015 Fraunhofer FKIE Wordlist-DGAs and short domains cause the most collisions. 41 Bamital Fobber Mewsei Pykspa 2 Simda Conclusions:0 / 8,340 0 / 13 757 / 1,927 66 / 379 (17.41%) 197,000 2,000 (39.28%) 11,528 BreakdownBanjori of Pre-RegistrationsGeodo (9,646)Murofet 1 Suppobox QakBot 0 / Wordlist-DGAs:683 0 / 107 0 / 3,172 8,726 (90.46%)0 / 1,088 8.434 / 11,338 421,390 90,232 4,063,680 385,000 (74.39%) BedepRemainder:Gameover DGA Murofet 2 920 Szribi Ramdo 0 / 654„Short“ domains0 / 1,081(length 5-6):0 / 559 856 (93.04%)0 / 47 0 / 54 3,806 6,182,000 262,000 3000 2,949 Conficker Remainder:Gameover P2P Necurs 64 Tempedreve Ramnit Accidentally0 / 74,755„real“ words:10 / 295 (3.34%)„veterans.kz“0 / 939 0 / 20 262,000 3,551,232 18,000 204 Pronounceable „words“: „kankanana.com“ CoreBot Gozi Nymaim Ranbyus TinyBanker 48 / 305 (15.74%) 70 / 656 (10.67%)„kandilmed.com“0 / 98 0 / 1,733 16,963 65,040 64,400 81,930 Cryptolocker Hesperbot Pushdo Redyms Torpig 0Basically / 3,820 no collisions0 / 15with non-Wordlist3 / 453 (0.66%)DGAs or „long“0 / 11 domains2 / 139 (1.44%) 1,108,000 178 124,021 34 17,610 Using DGArchive for blocking -> very low FP rate for blocking! DirCrypt Kraken Pushdo TID UrlZone Rovnix 0 / 86 0 / 245 0 / 1 0 / 127 420 6,000 10,000 10,009 Dyre Matsnu Pykspa 1 VolatileCedar Shifu 0 / 850 244 / 610 (40.00%) 12 / 455 (2.64%) 0 / 11 0 / 13 592,000 3,346 22,764 1,554 170 Pre-Registrations:© 2015 Fraunhofer FKIE With some exclusions basically non-existent. 42 DGA Domain Space Registration Timings
Consider time-dependent DGAs
Sets of domains have a window of validity!
What is „registration lookahead“?
Relative „offset“ between start of validity and registration time
In the following: Evaluation of registration lookaheads
For sinkholes
For „non-sinkholes“
© 2015 Fraunhofer FKIE 43 Overview of registration lookaheads © 2015 Fraunhofer FKIE 44 Domains registered BEFORE, ON, AFTER the first day they became valid in the DGA © 2015 Fraunhofer FKIE 45 However, red bars show how long domains REMAIN valid © 2015 Fraunhofer FKIE 46 Observation: Sinkholes are often registered earlier than „non“-sinkholes © 2015 Fraunhofer FKIE 47 Observation: Some domains are registered far into the future Bamital: Same day registrations for domains 1, 2, 3 years in advance
Nymaim: Same day registrations for domains 1, 2 years in advance © 2015 Fraunhofer FKIE Murofet: Same day registrations for domains 1, 2, 3, 4 years in advance 48 Observation: Gameover P2P was killed completely! Yay! :) © 2015 Fraunhofer FKIE 49 Observation: Reversing Fail by some sinkholer?
32 domains registered exactly one month after validity? © 2015 Fraunhofer FKIE 50 Wrapping up
Conclusion
© 2015 Fraunhofer FKIE 51 Conclusion Wrapping it up
DGArchive
Looking for more users / contributors!
Request free access: [email protected]
Required: basic proof of identity (e.g. no freemailer) or vetting
Future plans
Document everything in detail (paper in preparation)
Heuristical Domain Classifier
More automation
DGA Hunting Collaboration / Community?
© 2015 Fraunhofer FKIE 52 DGArchive Thanks for your contributions
Johannes Bader, Michael Klatt
Chris Baker, John Bambenek, Thomas Barabosch, Adam Brunner, Steffen
Enders, Christopher Kannen, Peter Kleissner, Felix Leder, Thorsten Jenke, Jason Jones, Alexandr Matrosov, Sandor Nemes, Isaac Palmer, Dennis
Schwarz, Brett Stone-Gross, Tillmann Werner, Zhang Zaifang Anubisnetworks, Checkpoint, DomainTools, GovCERT.ch,
Quarantainenet.nl, Shadowserver, SWITCH.ch, Symantec
© 2015 Fraunhofer FKIE 53