New discovery techniques pioneered through joint research between Damballa Labs, Georgia Tech and the University of Georgia have revealed the extent of this new threat. Some of the newly confirmed DGA-based crimeware families have been in operation and evading network defenses since at least November 2011. Using this new detection technology, as of February 2012, Damballa Labs has also identified up to six additional families of DGAs, which are yet to be conclusively associated with community-captured crimeware binaries.

Research report highlights:
- Six new crimeware families were identified as employing DGAs for evasion purposes.
- Six additional DGAs have been uncovered that have yet to be associated with any previously known or captured crimeware samples.
- The C&C servers supporting modern DGA crimeware are predominantly located in Eastern bloc countries.
- The most frequently abused top-level domains (TLDs) are .com, .ru and .org.
- Cybercriminals have registered their C&C domain(s) less than an hour before the DGA makes them candidate domains, and disposed of them within 24 hours.
White Paper
While offering increased resiliency, crimeware reliant on configuration updates is still vulnerable to timely analysis and C&C takedown. In response, cybercriminals have designed algorithms that, given a particular date, time and seed value, will produce and then test a number of candidate domains and determine whether a C&C server is listening. One of the earliest and most analyzed DGA-based crimeware families is that of Conficker (aka Downup, Downadup and Kido). Originally detected in late 2008, Conficker.A employed a pseudorandom DGA that selected 250 candidate domains from five possible top-level domains (TLDs). By early 2009, the fourth variant, Conficker.D, randomly selected and tested 500 candidate domains of a possible 50,000 generated domains spread over 110 TLDs each day. Since then, the algorithms used by the various DGA-based crimeware have diversified and become more efficient at locating their hidden C&C servers.

The purpose of a domain generation algorithm is to:
- Make it impossible for static reputation systems to maintain an accurate list of all possible C&C domains.
- Allow the cybercriminals to evade perimeter based network filtering technologies.
- Maintain a small but agile physical C&C infrastructure that only needs to be configured and turned on for short periods of time.
- Provide "just-in-time" registration of domain names to avoid reactive counter-measures and law enforcement.
- Allow crimeware agents to propagate and establish a large infection base without exposing the C&C infrastructure.
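The mechanism described above, as an added illustration that is not Damballa's code and not any real family's algorithm: a seed and the date deterministically yield the day's candidate list, which is also what lets a defender who has recovered the seed from a sample pre-compute and sinkhole or block those names before the operator registers them. The seed, TLD set and label lengths below are constructed.

```python
import hashlib

# Constructed values: real families use their own seeds, lengths and TLD sets.
TLDS = ("com", "ru", "org", "net", "info")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def candidate_domains(day: str, seed: bytes, count: int = 250) -> list[str]:
    """Return `count` deterministic candidates for `day` (YYYY-MM-DD).

    Each candidate comes from SHA-256(seed || day || index): the first digest
    byte fixes a label length of 8..15, the following bytes choose letters
    and the last byte chooses the TLD. Same seed and day give the same list
    on every infected host and on the operator's side alike.
    """
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 8
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        out.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return out


def precomputed_blocklist(seed: bytes, days: list[str]) -> set[str]:
    """Defender's use of the same function: with the seed recovered from a
    sample, every candidate for the coming days is known before the operator
    registers any of them, so they can be sinkholed or blocked in advance."""
    names: set[str] = set()
    for day in days:
        names.update(candidate_domains(day, seed))
    return names


if __name__ == "__main__":
    seed = b"constructed-example-seed"
    print(candidate_domains("2012-02-15", seed)[:5])
    print(len(precomputed_blocklist(seed, ["2012-02-15", "2012-02-16"])))
```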
www.damballa.com
Page | 2
Figure 1: NXDomain traffic from a large ISP over a three month period.
The irregular and sizable volume of NXDomain traffic ensures that signature or rule-based detection systems that attempt to identify previously studied and dissected DGA crimeware communications will fail and likely generate significant rates of false positive alerts. In order to study the nature of the threat, Damballa research initially focused on the thousands of Murofet (an old, well-known and extensively studied crimeware family that employs an early generation DGA) infected devices within the 2.5 million subscriber network segment. Damballa Labs found that 90% of Murofet victims generate more than 10 NXDomains per day, whereas 92% of all devices within the network generate fewer than 10 NXDomains per day. DGAs by their very nature must generate a statistically significant number of pseudo-random domain names in order to evade static reputation and domain blacklist detection systems, and yet the number of possible domain names the crimeware must actively attempt to locate and connect to must be finite and manageable for the cybercriminal. Damballa Labs made use of unsupervised and supervised machine learning techniques to dynamically track candidate DGAs based on two key properties: the structural properties of NXDomain names and the association between "herds" of devices generating groups of NXDomains. Damballa Labs then employed previously proven techniques to "learn" new statistical models that describe any new DGA clusters that were automatically discovered, without needing to obtain samples of the crimeware or gain knowledge of the particular algorithm employed by the DGA.
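The two NXDomain properties named above (per-device volume against the 10-per-day cut-off, and "herds" of devices that fail on the same names) applied to a constructed resolver log, as an added example that is not Damballa's detector. Log lines read "<timestamp> <client-ip> <nxdomain-name>"; the hosts, names and timestamps are constructed, and the herd step uses Jaccard overlap of NXDomain sets as a stand-in for the paper's clustering.

```python
from collections import defaultdict
from itertools import combinations
from math import log2

# Constructed sample: hosts .5 and .9 fail on the same DGA-style names,
# host .7 only mistypes two legitimate domains.
DGA_NAMES = ["qzxkvplmtr.com", "wkrjmhqzpb.ru", "xmvtqlnrfk.org", "pqzhvmktrw.com",
             "lrmwvqkhpt.net", "zkqprlmvtw.ru", "vhqtkmzprl.com", "kqzrvmhpwt.org",
             "mprzqvtkwh.com", "tqkzhwvrpm.ru", "hvkmpzqtrw.com"]
LOG_LINES = (
    [f"2012-02-15T09:{i:02d}:00 10.0.0.5 {n}" for i, n in enumerate(DGA_NAMES)]
    + [f"2012-02-15T09:{i:02d}:30 10.0.0.9 {n}" for i, n in enumerate(DGA_NAMES)]
    + ["2012-02-15T10:00:00 10.0.0.7 gogle.com", "2012-02-15T10:05:00 10.0.0.7 facebok.com"]
)
NX_PER_DAY_THRESHOLD = 10  # the per-day cut-off the paper reports for Murofet victims

def entropy(label: str) -> float:
    """Shannon entropy in bits/char; pseudo-random labels score near log2(len)."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * log2(c / len(label)) for c in counts.values())

def nx_sets(lines: list[str]) -> dict[tuple[str, str], set[str]]:
    """Distinct NXDomain names per (client, day)."""
    groups = defaultdict(set)
    for line in lines:
        ts, client, qname = line.split()
        groups[(client, ts[:10])].add(qname.lower())
    return groups

def flagged_clients(lines: list[str]) -> dict[str, float]:
    """Clients over the daily threshold, with the mean entropy of their labels."""
    return {c: sum(entropy(n.split(".")[0]) for n in names) / len(names)
            for (c, _day), names in nx_sets(lines).items()
            if len(names) > NX_PER_DAY_THRESHOLD}

def herds(lines: list[str], min_jaccard: float = 0.5) -> list[set[str]]:
    """Merge flagged clients whose NXDomain sets overlap: one DGA, one herd."""
    sets = {c: n for (c, _d), n in nx_sets(lines).items() if len(n) > NX_PER_DAY_THRESHOLD}
    groups = [{c} for c in sets]
    for a, b in combinations(sets, 2):
        if len(sets[a] & sets[b]) / len(sets[a] | sets[b]) >= min_jaccard:
            ga = next(g for g in groups if a in g)
            gb = next(g for g in groups if b in g)
            if ga is not gb:
                ga |= gb
                groups.remove(gb)
    return groups
```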
DGA Usage and Infections
A growing number of crimeware families employ DGA-based techniques as either their primary or secondary evasion strategies. The majority of previously well-studied threats such as Conficker, Murofet, Bobax and Sinowal employ DGAs as their primary network evasion technology. Meanwhile, Zeus variants are now utilizing DGAs as backup strategies for locating their respective C&C servers should their static lists and other connection methods be defeated by enterprise network protection technologies. Of the multiple new DGAs uncovered by Damballa Labs, six could be attributed to known (but previously poorly studied) crimeware families. These crimeware families are Shiz, Bamital, BankPatch, Expiro.Z, Bonnana, and a recent Zeus variant. Crimeware that employs DGA evasion technologies tends to be used by the larger "professional" cybercrime organizations and is generally more advanced than the average malware encountered by Internet users today. However, this does not imply that its usage is limited or of a smaller scale. The top-5 largest DGA-based crimeware families of 2011 were:

Top-5 Most Prevalent DGA-based Crimeware Families
  1. Conficker (all versions combined)
  2. Murofet
  3. BankPatch
  4. Bonnana
  5. Bobax
Damballa Labs also discovered that a new Zeus variant (not present in the Top-5 Most Prevalent DGA-based Crimeware Families) employs DGA-based evasion techniques as a secondary strategy, a back-up plan for when the primary connection technique (in this case peer-to-peer) fails. It was also found to have infected several hundred devices by the first half of February 2012 and continues to grow. The variant is distributed as part of various infection campaigns. This new Zeus botnet is the focus of a separate Damballa Labs DGA Case Study.
C&C Infrastructure
Cybercriminals that add DGA capabilities to their crimeware ensure that the C&C infrastructure can be hidden from both security researchers and law enforcement until a specific date and time, at which point any crimeware-infected devices will automatically locate the C&C, connect, upload stolen data, and receive a new batch of commands. Once complete, the cybercriminals can then disengage their C&C from the Internet, making it impossible for law enforcement to obtain access to the servers. Through its continuous enumeration of victims of the newly identified DGA-based crimeware, Damballa Labs was able to track the C&C infrastructure for six related botnets. Despite the agility offered by DGA systems at the domain name registration level, Damballa Labs was able to identify the IP hosting infrastructure.
The following table lists the top-5 countries hosting the C&C servers used by these half-dozen DGA-dependent botnets.

Top-5 Countries Hosting DGA-based Crimeware C&C
  UA  Ukraine   22 servers
  RO  Romania   17 servers
  RU  Russia    16 servers
  HU  Hungary   14 servers
  TR  Turkey    12 servers
Summary
DGAs are being adopted by criminal operators at a growing rate due to the certainty that they can evade all blacklists, signature filters and static reputation systems. They are specifically being adopted by criminals who want their campaigns to be especially stealthy. There is more work involved for the criminal operator to maintain a DGA-based crimeware network, but there is also a much better chance that they will go completely undetected and that their C&C infrastructure will remain intact.
With the leak of the Zeus source code, we should anticipate more and more variants, similar to Zeus, using DGA as a primary or a back-up connection technique. An example uncovered by Damballa is highlighted in the related Damballa Labs DGA Case Study. Damballa has found that for most of the DGA-based threats that we have uncovered, the malware eventually associated with the DGA activity has been insufficiently (or only partially) analyzed by the security community. Either the DGA capabilities were missed altogether because DGA is being used as a secondary connection technique when the primary connection technique fails (e.g. static lists or peer-to-peer), or the successful domain connections for that day were misconstrued to be the C&C infrastructure. It is very interesting to note that the multiple variants listed in this report are designed to steal similar information. This could be because the domain names can be very short lived and therefore hard to observe during malware analysis, especially in the absence of passive DNS data and related analysis capabilities. This would make attribution to the criminal operators very difficult. And if the attackers also segment the infected population and have different domain names active for different time zones, then this becomes even harder for the analysts.

For all the reasons stated in this report, criminal DGAs are going largely undetected by the security community and most certainly by the enterprise customers they aim to protect. Damballa Labs has been monitoring this trend for years and has developed patent-pending technologies specifically designed to identify these threats in their early days, long before the malware has been discovered and analyzed by the security community.
These inventions are now providing automated detection capabilities for our customers: rapidly detecting and pinpointing devices infected with DGA-based malware, automatically classifying the malware family (without having to see the malware or infection), and providing attribution for the threat.

About Damballa
Damballa is a pioneer in the fight against cybercrime. Damballa provides the only network security solution that detects the remote control communication that criminals use to breach networks to steal corporate data and intellectual property, and conduct espionage or other fraudulent transactions. Patent-pending solutions from Damballa protect networks with any type of server or endpoint device including PCs, Macs, Unix, smartphones, mobile and embedded systems. Damballa customers include mid-size and large enterprises that represent every major market, telecommunications and Internet service providers, universities, and government agencies. Privately held, Damballa is headquartered in Atlanta. http://www.damballa.com
ID.30.109.0223