Susp DGA from PDNS: A fixed length of 16, mix of a-z and 0-9, tlds: [org, ru, cn, net, info, biz]
suqitian opened this issue · 2 comments
suqitian commented
- MD5: 55c447191d9566c7442e25c4caf0d2fe
- These suspicious domains have been noticed for a long time in the PDNS system, but only a few weeks ago did we find a new method to map these domains to the target MD5. Domains sampled on Aug 07, 2016:
53ptxfec6a4mwbrl.org
ou16nagv4pashauc.ru
cav36gi2q7sw1quk.cn
vnbbj9a2udxpfq2c.cn
fqtk3dzc23momnpg.org
4w30kxhvkfel0oup.net
9n78kfujyzmip0qv.info
w2ot29dbfzg6keue.ru
d9tan26jpjpz9snt.cn
guf7vdg5eutsacyj.ru
l1sfcoafyl7x1gkr.biz
jq1i45ll407n59fi.info
p5oaqfyxb94yig2t.org
9q02paxvmei1v6sp.ru
jayzvrpixxlc58bc.info
eseu24pzdd5f72vv.biz
dcydfwpx6g5to34s.cn
ydd3i2lh6afrfmw1.ru
- Malware sample [55c447191d9566c7442e25c4caf0d2fe] DNS queries, very similar to the domains in the list above:
0aa05rcmqxnz7vzj.net
29cqdf6obnq462yv.com
2s3txyhr1ptozde7.info
5qip6brukxyf9lhk.ru
7vzlqhsisdgk1diw.net
8ccl6qveudd642rq.ru
dahs7d52v40cyxgi.info
etkxskxjy8sn4niz.ru
gkczbuwjza2s1khf.net
gnjvn08gxgd2u6dh.info
nhamoigj5jd1qyn4.cn
o47xa659ueqorz57.org
p7rmkau94thlq1tb.cn
qowhi81jvoid4j0m.biz
tjklzgosi2xivjs4.biz
zinna4ltt9yx9bih.com
- So, really looking forward to reverse engineering this binary and feeding back the implementation of the DGA, so we can filter out these malicious domains in the PDNS system.
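A defensive PDNS filter for the shape described in this issue (16-character a-z/0-9 label directly under one of the observed TLDs), added here as an example; it is not code from this issue or from the linked repository. It assumes the filter receives bare query names, and it adds `com` to the TLD set because the sample's own queries use it.

```python
import re
from collections import Counter

# Shape described in the issue: a 16-character label of lowercase a-z / 0-9 directly
# under one of the observed TLDs. "com" is added because the sample's own DNS queries
# (29cqdf6obnq462yv.com, zinna4ltt9yx9bih.com) use it.
SUSPECT_TLDS = {"org", "ru", "cn", "net", "info", "biz", "com"}
LABEL_RE = re.compile(r"^[a-z0-9]{16}$")


def is_suspect_chinad_domain(qname: str) -> bool:
    """True if the registrable part of qname (last two labels) has the Chinad-like shape."""
    labels = qname.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label, tld = labels[-2], labels[-1]
    if tld not in SUSPECT_TLDS or not LABEL_RE.match(label):
        return False
    # Every sampled label mixes letters and digits; pure-alpha or pure-digit labels
    # are excluded to cut false positives on legitimate 16-character names.
    return any(c.isdigit() for c in label) and any(c.isalpha() for c in label)


def triage(qnames):
    """Return the matching query names (normalised, sorted) and a per-TLD tally."""
    matched = sorted({q.strip().lower().rstrip(".") for q in qnames
                      if is_suspect_chinad_domain(q)})
    by_tld = Counter(q.rsplit(".", 1)[1] for q in matched)
    return {"matched": matched, "by_tld": dict(by_tld)}


# Constructed sample: domains quoted in the issue mixed with benign look-alikes.
SAMPLE_QNAMES = [
    "53ptxfec6a4mwbrl.org",        # PDNS sample, Aug 07 2016
    "0aa05rcmqxnz7vzj.net",        # queried by the malware sample
    "29cqdf6obnq462yv.com",        # .com seen in the sample's queries
    "mail.ou16nagv4pashauc.ru",    # subdomain of a DGA domain still matches
    "www.example.com",             # short label, benign
    "abcdefghijklmnop.com",        # 16 chars but no digits, excluded
    "1234567890123456.net",        # 16 chars but no letters, excluded
    "53ptxfec6a4mwbrl.xyz",        # TLD not in the observed set
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_QNAMES).items():
        print(key, value)
```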
suqitian commented
Some details about this malware:
https://blog.malwarebytes.com/threat-analysis/2015/06/unusual-exploit-kit-targets-chinese-users-part-2/
Running this sample in my VirtualBox, it drops a file named 4VJzegtSr.exe into the path C:\Windows\system\JkLtFzICS.
Double-click 4VJzegtSr.exe, wait a minute, and hundreds of domains will be seen in Wireshark.
suqitian commented
The DGA of Chinad
1000 domains per day
Test:
$ date +%s -d "2016-08-7 12:00:00"
1470542400
$ python dga.py -t 1470542400 -n 1000 -l 16 | less
...
53ptxfec6a4mwbrl.org
gyzn61atzscg0uik.info
9j5k16z7x0zdh1ro.net
...
ou16nagv4pashauc.ru
neblb4lwt5jknbo4.com
uknvzqus9y71mo1y.info
...
The output is well matched to the domains observed from PDNS on Aug 07, 2016.
And the file dga.py is here.