
DGArchive: A deep dive into domain generating malware
Daniel Plohmann, [email protected]
2015-12-03 | Botconf, Paris
© 2015 Fraunhofer FKIE

Slide 2: About me
Daniel Plohmann
PhD candidate at University of Bonn, Germany
Security Researcher at Fraunhofer FKIE
Focus: Reverse Engineering / Malware Analysis / Automation
Projects:
- ENISA Botnet Study 2011 [1]
- Analysis Tools: PyBox, IDAscope, DGArchive, ...
- Botnet Analysis: Gameover Zeus / P2P protocols [2], DGA-based Malware
[1] http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence
[2] http://christian-rossow.de/publications/p2pwned-ieee2013.pdf

Slide 3: Agenda
- Intro: Domain Generation Algorithms / DGArchive
- Comparison of DGA Features
- Registration Status of DGA Domain Space
- Case Studies

Slide 4: Intro: Domain Generation Algorithms

Slide 5: Domain Generation Algorithms: Definitions
- Concept first described ~2008: Domain Flux
- Domain Generation Algorithm (DGA): an algorithm producing Command & Control rendezvous points dynamically; a shared secret between the malware running on a compromised host and the botmaster
- Seeds: the collection of parameters influencing the output of the algorithm
- Algorithmically-Generated Domain (AGD): a domain resulting from a DGA

Slide 6: Domain Generation Algorithms: Origin & History
- Feb 2006: Sality dynamically generates the 3rd-level domain part
- July 2007: Torpig: a report by Verisign includes DGA-like domains
- July 2007: Kraken: VirusTotal upload of a binary using DDNS
- April 2008: Kraken DGA first publicly mentioned
Three big events in November 2008 - April 2009:
- Szribi: takedown, but the botmaster regained control through the DGA
- Conficker: well, you probably know about that one...
- Torpig: DGA-based takeover
References:
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=138354
http://fserror.com/pdf/Torpig.pdf
https://isc.sans.edu/forums/diary/Kraken+Technical+Details+UPDATED+x3/4256/
https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html
https://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf

Slide 7: Domain Generation Algorithms: Motivation for Usage
- Aggravation of analysis: no hardcoded domains to dump -> code analysis needed
- Evasion: many DGAs have short-lived domains -> avoids domain reputation
- Backup: registration only when needed
- Asymmetry: the attacker needs one domain, the defender needs to prohibit access to all of them
- Feasibility of DGAs: domains are cheap (compared to profits)

Slide 8: DGArchive: The idea
DGAs are annoying! :(
Idea: reverse the DGA, then generate and archive all possible domains since the first spotting of a malware family.
Workflow: Generation -> DGArchive -> Lookups / Domain Blocklist
Lookup example: pcxeyx.biz? -> Nymaim! Valid on: 2014-04-19, 2014-03-20, 2015-12-11
Domain blocklist (excerpt):
[...]
"qetyxeg.com","simda"
"puvywup.com","simda"
"gahyfow.com","simda"
"lyryxen.com","simda"
"vocyquc.com","simda"
"qegyfil.com","simda"
"puryxag.com","simda"
"gacyqys.com","simda"
[...]

Slide 9: DGArchive: Status
- Botconf 2014 (lightning talk): 8 families, ~20 seeds, ~4 million domains
- DGArchive today: 43 families/variants, ~280 seeds, 20+ million domains

Slide 10: Finding DGAs: Mining a Sandbox DNS feed
A remix of academic approaches and common sense.
Input: the list of domains queried during a sandbox run.
DNS feed by [provider logo] (THANK YOU!!!): 1,235,443 sandbox runs; 15,660,256 DNS queries (959,607 unique)
1) Filtering: 1. Alexa 1 million; 2. Self-curated blacklist; 3. Query vs DGArchive
2) Scoring: 1. N-gram frequency; 2. Entropy; 3. Domain length; 4. NX domain?
3) Matching against known patterns of DGAs: 1. Length; 2. Alphabets; 3. TLDs
   Match -> New seed? / No match or inconsistency -> New DGA?

Slide 11: Parameter Extraction: Automate all the things!
- Customized sandboxing system for selected malware families
- Processing malware feeds (<- THANK YOU)
Part of a TinyBanker DGA config in memory:
0000000: f9 b0 20 f3 aa 61 e8 00 00 00 00 58 2d 1b 68 40 .. ..a.....X-.h@
0000010: 00 ff 75 10 ff 75 0c ff 75 08 ff 90 33 4d 40 00 ..u..u..u...3M@.
0000020: 83 c4 0c c9 c3 90 90 90 90 90 90 90 90 90 90 90 ................
0000030: 73 70 61 69 6e 65 73 2e 70 77 00 00 00 00 00 00 spaines.pw......
0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 ...............P
0000050: 2f 45 69 44 51 6a 4e 62 57 45 51 2f 00 00 00 00 /EiDQjNbWEQ/....
0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000070: 47 50 51 61 74 5a 37 79 43 6b 4c 78 73 54 76 46 GPQatZ7yCkLxsTvF
0000080: 30 30 30 30 30 30 30 32 70 77 00 30 30 30 2c 01 00000002pw.000,.
0000090: 0a 00 e8 03 8c 00 00 00 45 ce a3 46 7d 32 b9 cc ........E..F}2..
00000a0: 1a 55 80 de f2 8e f3 a7 e4 53 60 ca 11 6f 08 55 .U.......S`..o.U
00000b0: 14 ad 76 a6 12 67 8f 7e dd 49 fe 04 b0 b5 08 c8 ..v..g.~.I......
Regex for extraction of the relevant fields (the NOP run at 0x25-0x2f anchors the match; the config starts right after it at 0x30):
regex_config = (
    r"\x90{4,16}"
    r"(?P<domain_name>[\S\s]{30})"
    r"(?P<unknown_word>[\S\s]{2})"
    r"(?P<uri>[\S\s]{32})"
    r"(?P<rc4_key>[a-zA-Z0-9]{16})"
    r"(?P<unknown_str>[\S\s]{8})"
    r"(?P<dga_tld>[\S\s]{6})"
    r"(?P<unknown_dword>[\S\s]{4})"
    r"(?P<num_dga_domains>[\S\s]{2})"
    r"(?P<static_config_len>[\S\s]{4})")

Slide 12: Comparison of DGA Features

Slide 13: DGA Features: Intro
Examples of DGA characteristics:
- DGA class and generation scheme (+ use of well-known algorithms)
- Domain structure (length, alphabet) and TLDs
- Domain validity period and domains per cycle (covered indirectly)
- Domain randomness
- C&C priority
In short: the DGA is basically always the "last priority", but 28 of 40 families use the DGA as their only C&C rendezvous method! (5 of them have hardcoded but basically unused domains)

Slide 14: DGA Features: Taxonomy and Generation Schemes
DGA classes (taxonomy by Barabosch et al.
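The slide's regex_config applied to the config dump above, as an added example that is not DGArchive code: the bytes are re-typed from the hexdump (a constructed stand-in for a real memory image), and the field decoding (NUL-padded strings, little-endian counts, function names) is my reading of the dump rather than anything documented on the slide.

```python
import re
import struct
# Constructed input: the TinyBanker config dump from the slide, re-typed as
# offset + hex bytes (ASCII column omitted) so the example runs offline.
TINYBANKER_DUMP = """
0000000: f9 b0 20 f3 aa 61 e8 00 00 00 00 58 2d 1b 68 40
0000010: 00 ff 75 10 ff 75 0c ff 75 08 ff 90 33 4d 40 00
0000020: 83 c4 0c c9 c3 90 90 90 90 90 90 90 90 90 90 90
0000030: 73 70 61 69 6e 65 73 2e 70 77 00 00 00 00 00 00
0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50
0000050: 2f 45 69 44 51 6a 4e 62 57 45 51 2f 00 00 00 00
0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000070: 47 50 51 61 74 5a 37 79 43 6b 4c 78 73 54 76 46
0000080: 30 30 30 30 30 30 30 32 70 77 00 30 30 30 2c 01
0000090: 0a 00 e8 03 8c 00 00 00 45 ce a3 46 7d 32 b9 cc
00000a0: 1a 55 80 de f2 8e f3 a7 e4 53 60 ca 11 6f 08 55
00000b0: 14 ad 76 a6 12 67 8f 7e dd 49 fe 04 b0 b5 08 c8
"""
# The slide's regex_config as a bytes pattern, since it runs over raw memory.
REGEX_CONFIG = re.compile(
    rb"\x90{4,16}"                      # NOP padding that precedes the config
    rb"(?P<domain_name>[\S\s]{30})"
    rb"(?P<unknown_word>[\S\s]{2})"
    rb"(?P<uri>[\S\s]{32})"
    rb"(?P<rc4_key>[a-zA-Z0-9]{16})"    # the only field with a strict alphabet
    rb"(?P<unknown_str>[\S\s]{8})"
    rb"(?P<dga_tld>[\S\s]{6})"
    rb"(?P<unknown_dword>[\S\s]{4})"
    rb"(?P<num_dga_domains>[\S\s]{2})"
    rb"(?P<static_config_len>[\S\s]{4})"
)

def hexdump_to_bytes(dump):
    # bytes.fromhex() ignores whitespace, so only the offsets need stripping
    return bytes.fromhex("".join(l.split(":", 1)[1] for l in dump.strip().splitlines()))

def cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii")  # NUL-padded string field

def extract_tinybanker_config(memory):
    m = REGEX_CONFIG.search(memory)
    if m is None:
        return None                     # layout not present in this image
    return {
        "domain_name": cstr(m.group("domain_name")),
        "uri": cstr(m.group("uri")),
        "rc4_key": m.group("rc4_key").decode("ascii"),
        "dga_tld": cstr(m.group("dga_tld")),
        # little-endian integers, as laid out by the 32-bit sample
        "num_dga_domains": struct.unpack("<H", m.group("num_dga_domains"))[0],
        "static_config_len": struct.unpack("<I", m.group("static_config_len"))[0],
    }
```

On this dump the extractor yields the DGA seed material (spaines.pw, TLD pw, 1000 domains per cycle), which is exactly what a new DGArchive seed entry needs.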
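Returning to the scoring stage of the sandbox-feed pipeline (slide 10): an added example, not the talk's or DGArchive's code, that computes n-gram frequency, entropy, length and alphabet class for a queried domain. The benign bigram corpus is a constructed stand-in for the Alexa list, and the example domains are the four from the generation-scheme table on slide 14, which shows why character statistics alone miss wordlist and permutation DGAs and a pattern-matching stage is still needed.

```python
import math
from collections import Counter

# Constructed stand-in for the benign corpus (the pipeline uses the Alexa 1 million).
BENIGN_LABELS = ["google", "facebook", "youtube", "wikipedia", "amazon", "twitter",
                 "microsoft", "linkedin", "explorer", "accept", "terms", "network",
                 "dotnet", "yearly", "update", "download", "mail", "news"]

def bigrams(label):
    return [label[i:i + 2] for i in range(len(label) - 1)]

BENIGN_BIGRAMS = Counter(b for lab in BENIGN_LABELS for b in bigrams(lab))

def entropy(label):
    """Shannon entropy of the label in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def alphabet(label):
    """Coarse alphabet class, one of the 'known patterns' matched in stage 3."""
    if all(ch in "0123456789abcdef" for ch in label):
        return "hex"
    if label.isalpha():
        return "alpha"
    return "alnum" if label.isalnum() else "other"

def score_domain(domain):
    """Stage-2 features for one queried domain (NX status needs a resolver, so it is omitted)."""
    # second-level label; multi-level public suffixes (co.uk) would need a suffix list
    label = domain.lower().rstrip(".").split(".")[-2]
    bg = bigrams(label)
    hit_rate = sum(1 for b in bg if b in BENIGN_BIGRAMS) / max(len(bg), 1)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(entropy(label), 2),
        "bigram_hit_rate": round(hit_rate, 2),
        "alphabet": alphabet(label),
    }

if __name__ == "__main__":
    # the four example domains from the generation-scheme table on the slides
    for d in ["vlbqryjd.com", "termacceptyear.com",
              "b83ed4877eec1997fcc39b7ae590007a.info", "dotnetexplorer.info"]:
        print(score_domain(d))
```

The arithmetic domain has no benign bigrams at all, while the wordlist and permutation domains score like legitimate names on every feature except length; only the hashing domain stands out by alphabet and length.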
[1]):
Type | Time dependent | Deterministic | Example
TID  | no             | yes           | Kraken, TinyBanker
TDD  | yes            | yes           | Conficker, Gameover Zeus
TDN  | yes            | no            | Torpig, Bedep
TIN  | no             | no            | -
Generation schemes:
Type            | Example Family | Example Domain
Arithmetic (A)  | DirCrypt       | vlbqryjd.com
Wordlist (W)    | Matsnu         | termacceptyear.com
Hashing (H)     | Bamital        | b83ed4877eec1997fcc39b7ae590007a.info
Permutation (P) | VolatileCedar  | dotnetexplorer.info
[1] https://net.cs.uni-bonn.de/fileadmin/user_upload/wichmann/Extraction_DNGA_Malware.pdf

Slide 15: The 40 analyzed families (names on the slide contain clickable links to references for these families)
Bamital, Fobber, Mewsei, Pykspa 2, Simda
Banjori, Geodo, Murofet 1, Suppobox, QakBot
Bedep, Gameover DGA, Murofet 2, Szribi, Ramdo
Conficker, Gameover P2P, Necurs, Tempedreve, Ramnit
CoreBot, Gozi, Nymaim, Ranbyus, TinyBanker
Cryptolocker, Hesperbot, Pushdo, Redyms, Torpig
DirCrypt, Kraken, Pushdo TID, UrlZone, Rovnix
Dyre, Matsnu, Pykspa 1, VolatileCedar, Shifu

Slide 16: DGA class per family
Bamital TDD | Fobber TID | Mewsei TDD | Pykspa 2 TDD | Simda TID
Banjori TID | Geodo TDD | Murofet 1 TDD | Suppobox TDD | QakBot TDD
Bedep TDN | Gameover DGA TDD | Murofet 2 TDD | Szribi TID | Ramdo TDD
Conficker TDD | Gameover P2P TDD | Necurs TDD | Tempedreve TID | Ramnit TID
CoreBot TDD | Gozi TDD | Nymaim TDD | Ranbyus TDD | TinyBanker TID
Cryptolocker TDD | Hesperbot TID | Pushdo TDD | Redyms TID | Torpig TDD / TDN
DirCrypt TID | Kraken TID | Pushdo TID TID | UrlZone TID | Rovnix TID
Dyre TDD | Matsnu TDD | Pykspa 1 TDD | VolatileCedar TID | Shifu TID
Classes: 22 (55%) TDD, 16 (40%) TID, 2 (5%) TDN

Slide 17: Generation scheme per family (well-known algorithm in parentheses)
Bamital H (MD5) | Fobber A (LCG) | Mewsei A (LCG) | Pykspa 2 A (LCG) | Simda A
Banjori A | Geodo A | Murofet 1 A (MD5) | Suppobox A (Mersenne) | QakBot W
Bedep A | Gameover DGA A (MD5) | Murofet 2 A (MD5) | Szribi A | Ramdo A
Conficker A | Gameover P2P A (MD5) | Necurs A | Tempedreve A (LCG) | Ramnit A (LCG)
CoreBot A (LCG) | Gozi W (LCG) | Nymaim A (Xorshift) | Ranbyus A | TinyBanker A
Cryptolocker A | Hesperbot A | Pushdo A (MD5) | Redyms A | Torpig A
DirCrypt A (LCG) | Kraken A | Pushdo TID A (LCG) | UrlZone A (LCG) | Rovnix A
Dyre H (SHA256) | Matsnu W | Pykspa 1 A | VolatileCedar A (LCG) | Shifu P
Classes: 34 (85%) A, 3 (7.5%) W, 2 (5%) H, 1 (2.5%) P

Slide 18: Digression Time! The Linear Congruential Generator (LCG)
Pseudo-Random Number Generator (PRNG): X_{n+1} = (a * X_n + c) mod m
Numerous variants of the LCG with regard to the parameters (a, c, m): Numerical Recipes, MSVC, Park & Miller, own values, ...
Trivial example DGA (the slide does not show lcg() or its parameters; the classic ANSI C values a = 1103515245, c = 12345, m = 2^31 are assumed below so that the snippet runs):

    # LCG state; the parameters (a, c, m) are assumed, the slide does not give them
    state = 1
    def lcg():
        global state
        state = (1103515245 * state + 12345) % 2**31  # X_{n+1} = (a * X_n + c) mod m
        return state

    def generateDomain():
        domain = ""
        tlds = [".com", ".net", ".org", ".ru", ".tv"]
        for i in range(10):                  # ten lowercase letters
            domain += chr(0x61 + lcg() % 26)
        domain += tlds[lcg() % 5]            # one of five TLDs
        return domain

Example output on the slide (produced with the speaker's own lcg() parameters, so the assumed parameters above yield different domains):
"xirgbebore.tv"
"bsbuhapqbw.org"
"pgdudgjypi.ru"

Slide 19: Domain Structure

Slide 20: Domain structure per family (three values per family as on the slide; the column headers were not captured, and the slide is cut off after QakBot)
Bamital: 32 | 4 | 16
Fobber: 10 - 17 | 2 | 26
Mewsei: 8 - 15 | 1 | 23
Pykspa 2: 6 - 12 | 4 | 26
Simda: 5 - 11 (F) | 4 | 26
Banjori: 11 - 26 (F) | 1 | 26
Geodo: 16 | 1 | 25
Murofet 1: 8 - 15 | 5 | 26
Suppobox: 8 - 25 | 5 | 26
QakBot: 8
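Building on the LCG digression (slide 18) and the DGArchive idea (slide 8), an added example that is not the talk's or DGArchive's code: it makes the toy LCG DGA time-dependent and deterministic (TDD in the taxonomy of slide 14) by seeding the generator with the calendar day, precomputes every domain from a first-seen date onward, and answers blocklist-style lookups with family name and validity dates. The family name, the dates and the choice of the Numerical Recipes LCG parameters are my own assumptions.

```python
from datetime import date, timedelta

# Numerical Recipes LCG parameters, one of the (a, c, m) variants named on the slide
A, C, M = 1664525, 1013904223, 2**32
TLDS = [".com", ".net", ".org", ".ru", ".tv"]
FIRST_SEEN = date(2015, 12, 3)                 # constructed first-sighting date
LAST_SEEN = FIRST_SEEN + timedelta(days=6)     # archive one week for the demo

class Lcg:
    """X_{n+1} = (a * X_n + c) mod m; low bits are weak for a power-of-two m, fine for a toy."""
    def __init__(self, seed):
        self.state = seed % M
    def step(self):
        self.state = (A * self.state + C) % M
        return self.state

def toy_tdd_dga(day, count):
    """Time-dependent, deterministic (TDD) toy DGA: the calendar day is the seed."""
    rng = Lcg(day.year * 10000 + day.month * 100 + day.day)
    domains = []
    for _ in range(count):
        label = "".join(chr(0x61 + rng.step() % 26) for _ in range(10))
        domains.append(label + TLDS[rng.step() % 5])
    return domains

def build_archive(family, first_day, last_day, per_day):
    """DGArchive idea: precompute every domain from the first sighting on, keyed by domain."""
    archive = {}
    day = first_day
    while day <= last_day:
        for d in toy_tdd_dga(day, per_day):
            archive.setdefault(d, (family, []))[1].append(day.isoformat())
        day += timedelta(days=1)
    return archive

def lookup(archive, domain):
    """Blocklist-style lookup: (family, valid days), or None if no archived DGA produces it."""
    return archive.get(domain)

if __name__ == "__main__":
    archive = build_archive("toy-family", FIRST_SEEN, LAST_SEEN, 20)
    probe = toy_tdd_dga(FIRST_SEEN, 1)[0]
    print(probe, "->", lookup(archive, probe))
```

For a real family the per-day seed and generator would come from the reversed sample (as extracted on slide 11), and the archive is what turns a single DNS query into a family attribution plus the days on which the domain was live.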