Bitdefender Labs' Exploits Team has monitored the Rovnix botnet (also known as Papras, Ursnif or Gozi) and the Andromeda malware; it analyzed the malware's DGA (Domain Generation Algorithm), sinkholed it, and observed its communication protocol to map current infection campaigns and estimate the overall size of the botnet.
Bitdefender Labs advises users to keep their operating system, antivirus solution and other software up to date and to be aware of social engineering tricks prompting them to execute code on their computers.
Domain Generation Algorithm
The DGA (Domain Generation Algorithm) generates 5 or 10 domains per 3 months; specifically, 5 or 10 domains are generated for each of the following groups of months:
- January, February, March
- April, May, June
- July, August, September
- October, November, December
The domain names are obtained by concatenating whole words, or their first halves, until the domain name is between 12 and 23 characters long. Both the words contained in the domain name and its top level domain are chosen pseudo-randomly from provided lists. The randomness is driven by a fixed seed number together with the year and the months for which the domains are being generated.
The word list is extracted from a publicly available text file that is very unlikely to change in the future, such as the United States Declaration of Independence, the GNU Lesser General Public License, Request for Comments (RFC) pages, and specifications. To be part of the list of candidate words, a word must contain only letters and be at least 3 characters long. Before being used, the words are converted to lower case.
Different versions of the malware use different files from which the words are selected. Interestingly, the versions targeting the United Kingdom use the US Declaration of Independence.
For example, the domain names generated by the first version of the DGA for months January, February and March, 2014 are:
- theseforbiddentandthe.eu
- allsuchsuchreturned.com
- landslegisrighthumble.eu
- consentrulerallpretended.net
- humthethcertainevi.com
- theunhasthatinestthmust.net
- otheovtheeatci.net
- eathapublishtthe.eu
- whichdepositoryswath.cn
- dissolutionsconvufrom.com
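To make the generation rules concrete, here is an added Python sketch of the scheme as described above; it is not Rovnix's own code. It filters a words file the same way, builds labels of 12 to 23 characters from whole words or their first halves, and seeds the generator with the fixed seed plus the year and the 3-month group. The seed/year/quarter mixing, Python's PRNG, the sample text and the 50/50 choice between whole word and half are assumptions; the seed and TLD list are those of the first version in the table below.

```python
import random
import re

# Constructed stand-in for the "words file"; the real versions embed a whole
# public text such as the Declaration of Independence or an RFC.
SAMPLE_TEXT = """When in the Course of human events, it becomes necessary for one
people to dissolve the political bands which have connected them with another,
and to assume among the powers of the earth, the separate and equal station
to which the Laws of Nature and of Nature's God entitle them, a decent respect
to the opinions of mankind requires that they should declare the causes."""

# Seed and TLD list of the first version, as given in the table on this page
SEED_V1 = 0x35678930
TLDS_V1 = ["com", "net", "biz", "cn", "eu"]

def candidate_words(text):
    # Splitting on non-letters leaves letter-only tokens; keep those of at least
    # 3 characters, lower-cased, in order of appearance.
    return [t.lower() for t in re.split(r"[^A-Za-z]+", text) if len(t) >= 3]

def generate_domains(seed, year, month, words, tlds, count=10):
    # One domain set per calendar quarter: the fixed seed, the year and the
    # 3-month group select the PRNG state. The mixing below and Python's PRNG
    # are assumptions; the page does not describe the real ones.
    quarter = (month - 1) // 3
    rng = random.Random(seed ^ (year << 8) ^ quarter)
    domains = []
    for _ in range(count):
        label = ""
        while len(label) < 12:
            word = rng.choice(words)
            # Append either the whole word or its first half (assumed 50/50)
            piece = word if rng.random() < 0.5 else word[: len(word) // 2]
            if len(label) + len(piece) > 23:
                continue  # would exceed the 23-character maximum: draw again
            label += piece
        domains.append(f"{label}.{rng.choice(tlds)}")
    return domains

def label_is_valid(domain, tlds):
    # Check a candidate against the stated constraints: 12..23 lower-case
    # letters in the label and a TLD from the version's list.
    label, _, tld = domain.rpartition(".")
    return 12 <= len(label) <= 23 and label.isalpha() and label.islower() and tld in tlds

if __name__ == "__main__":
    for d in generate_domains(SEED_V1, 2014, 1, candidate_words(SAMPLE_TEXT), TLDS_V1):
        print(d)
```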
So far we have sinkholed one domain for each of the six versions found in the wild. The following table gives, for each version, the seed, the words file and the top level domains used.
Domain | Seed | Words File | TLDs |
---|---|---|---|
taxes[removed].net | 0x35678930 | United States Declaration of Independence | com net biz cn eu |
dissour[removed].biz | 0xEDBA8930 | United States Declaration of Independence | com net biz ru eu |
bufa[removed].tk | 0xEDBA8930 | Netstrings Specification | net com biz ru tk |
operation[removed].eu | 0xCE728930 | United States Declaration of Independence | com net biz ru eu |
youorig[removed].de | 0xEDBA8930 | GNU Lesser General Public License | com net de tk ru |
specific[removed].biz | 0xEDBA8930 | Request for Comments (RFC) 4288 | net com biz ru tk |
Most domains are still valid for the bots. For example, the last four domains listed in the next table have been receiving requests for only two weeks, but will keep receiving them for the following two months. Because of this, the number of infected bots contacting them is still expected to increase considerably, as it did for the first two domains.
Domain | Sinkholing Date | Targeted Countries | Total Number of Reported Infections |
---|---|---|---|
taxes[removed].net | 04 August 2014 | Netherlands, France, Belgium | 27.455 |
dissour[removed].biz | 10 September 2014 | United Kingdom | 129.754 |
bufa[removed].tk | 14 October 2014 | Bulgaria | 11.441 |
operation[removed].eu | 22 October 2014 | Poland | 10.055 |
youorig[removed].de | 22 October 2014 | Bulgaria | 1.630 |
specific[removed].biz | 22 October 2014 | Bulgaria | 3.394 |
However, the countries being targeted are already obvious: the number of infections reported for the most infected country is much higher than for the second most infected one. For illustration, note the top 5 most infected countries for each version.
The following images illustrate the number of infections reported for every country, highlighting the top 5, for each version since its sinkholing date. Note how the various campaigns target specific countries.
Campaign 1 (targeting Netherlands, France, and Belgium) with taxes[removed].net
Top 5 most infected countries are:
- 1. Netherlands 9255 (33.70%)
- 2. France 8574 (31.22%)
- 3. Belgium 5017 (18.27%)
- 4. Spain 1377 (5.01%)
- 5. United Kingdom 960 (3.49%)
dissour[removed].biz (targeting United Kingdom)
Top 5 most infected countries are:
- 1. United Kingdom 113051 (87.12%)
- 2. Islamic Republic of Iran 5258 (4.05%)
- 3. Italy 846 (0.65%)
- 4. United States 838 (0.64%)
- 5. Germany 738 (0.56%)
operation[removed].eu (targeting Poland)
Top 5 most infected countries are:
- 1. Poland 9894 (98.39%)
- 2. Netherlands 44 (0.43%)
- 3. Belgium 18 (0.17%)
- 4. France 15 (0.14%)
- 5. Spain 13 (0.12%)
bufa[removed].tk (targeting Bulgaria)
Top 5 most infected countries are:
- 1. Bulgaria 10124 (88.48%)
- 2. Poland 804 (7.02%)
- 3. United States 127 (1.11%)
- 4. Germany 57 (0.49%)
- 5. Japan 57 (0.49%)
youorig[removed].de (targeting Bulgaria)
Top 5 most infected countries are:
- 1. Bulgaria 911 (55.88%)
- 2. Germany 361 (22.14%)
- 3. Croatia 123 (7.54%)
- 4. Thailand 113 (6.93%)
- 5. Japan 44 (2.69%)
specific[removed].biz (targeting Bulgaria)
Top 5 most infected countries are:
- 1. Bulgaria 2990 (88.09%)
- 2. United States 84 (2.47%)
- 3. Czech Republic 82 (2.41%)
- 4. China 69 (2.03%)
- 5. Japan 65 (1.91%)
The last campaign appears to be the most recent one, as it is the only one in which the data reported to the Command and Control server is first encrypted and then base64-encoded. The data sent by the other three campaigns is only base64-encoded.
There are three different types of requests:
- 1. Configuration report is performed by a GET request following the template GET /c[random].php?[random]=[data]. Examples of configuration report requests:
  - GET /cyxvlupmo.php?ufdmvtuyo=aIEtGpd9MKhBWZUUrwvelPSuJwdK1bOFcMrnzy4IgqImVLq02QOcWRvKAmwvPwoI9uugxXMuF88lV0WSHnXxLjZ+XTOIYWyGKkHLvf1orafUYvtJMepRhQh9QCQEs9HFalVWBHKtzvJyGAl5INBHTt==
  - GET /cvqxk.php?ocobnw=ktTqj88vJuAjSxtF4HOZsorLbs2N8Rju8E2X3tsXSKbp5r82UARWCQwZpqruc8rXjoEh5tzYSqUnr4oS3NC/Fbljpes/gI1fjcLzLYWJ7qgUJ6COXhw5gKQ1PqpfqHVhLsCvGjninwHSN15Hz7jYX7==
  - GET /cmvo.php?hoayb=u0FGQmsrxiBs3Bnv5XqzhutXHNUOL/sGTjsrnM/Dvm1RHOzHc4IMKCg/vjs2Fapn3BoVN6ikcPbII7HvVKsz5IPIen1W4HlrGEpdsmexiEkXzQtMpzleHfWR+MtG8sPgfdvZsO7hEkuWyjaGlOTfru==
- 2. Data upload is performed with a POST request of the form POST /d[random].php?[random]=[data]. Examples of data upload requests:
  - POST /dnif.php?hpeup=XgbxB7thEb2GwjnpgZAf/FeQvhmXS8+ab49SE/KVXHrY+rchmvd50q+u7MPeW/sTgx4IXyNkJjD++60SYnAuFFBUVOOtOAweXgyrGtHvwKaf4G0E+drz1wCfu1wuvMiHs4XFysfTsYbTdMSDPz5QMj==
  - POST /dsvcxt.php?cxwojcg=HwzlB1erUEdqX1KNVt5weqVMO8Vppsz/QYYtD/+M9SVtLoyYIpkVH/P9tf6KGWWH8Q4a0eqmZgNvyMZebTmiHgDPnbDoT6RKzzVE55NTmj22Zw66q3iuf5mIyzPYS31NDfmu1aKr59v8ms6vPIGs1o==
  - POST /dxkxonav.php?ndicride=28pa1PWvBnTgKwbghiIRrz3q1dEuyI5kwNA/q8nQ3WeXG7393r/i5/Pcl2GFtrDalo2sFqSER+GyU9tATyFLo7CCvO4HYK7lnzWiKCoFio/X8Nc3kRURcTBqUA/kdzT8q72FTWArmzUo2knUwX6hQ3==
- 3. Task request consists of a GET request of the form GET /t[random]?[random]=[data]. Examples of task requests:
  - GET /ttckr.php?cnhl=dwI547qlLTfweO3KK9o1FFKAX5jndBzbwfY+qFXcOybdtjVnE4bygKLvPMc6bS4zXuCvSCvmkSCcKZetwZWzrAEXwOpHB/jjVT57xd/PDG8iQCWgarhj4kLrGu4/Omqeha2BdXPOZqS+W8MQMBIhRB==
  - GET /tslqspk.php?xahmbb=0m40k6goMx3P0QG5TsNl6OQve7IrQ53JcmBbq4MNMlgbAamjs5Aqo4JPOoKg9jkC04LcIkNtfLikE1qirX/YzRzIyvEEqd3kEByG2FI773KKs2PXEsH+cxqv64fhd75gfPOVOFfIBo8ixYvP2rygs7==
  - GET /tcnulkckj.php?lfekhw=ZC+d+1r9DLI1CdFep0hUkdCYmXH+udC1BVpccJ68XOBGqV85I/lk1GjZ4fNpRCcGkVzEAyg6d1fuuL0sjeoICc+kDdEloVjI5ixRedBM0y/cpBGQ1iufyFMJs92CTJIT/JsquRMckxso7WG2IUfmNk==
In the case of the unencrypted requests, base64-decoding the [data] field yields the information directly. For example, the configuration request
- GET /cjbgaahoi.php?syeiv=YXlicGpvYWZmPWdodXllaHBxJnZlcnNpb249MjEyMzA5JnVzZXI9ZGYwZGU1NjRkNGEyMjNiMDI2NGQ0ODA3M2JiOTU2YmUmc2VydmVyPTEyJmlkPTcxMjg4OSZjcmM9MmUxZWZmNjMmd2RhdGE9MjAxNDEwMjk=
decodes to
- aybpjoaff=ghuyehpq&version=212309&user=df0de564d4a223b0264d48073bb956be&server=12&id=712889&crc=2e1eff63&wdata=20141029
and the request
- POST /txlv.php?hldf=d2N0Z3FhZmY9Z3JmbGd4aiZ2ZXJzaW9uPTIxMjMwOSZ1c2VyPWRjZDRjMDFiOTMxNGQ2OTAzZDc4Nzc2YWY4NGUyZmRjJnNlcnZlcj0xMiZpZD03MTI4ODkmY3JjPTQ0Y2VkOTUmd2RhdGE9MjAxNDEwMjk=
decodes to
- wctgqaff=grflgxj&version=212309&user=dcd4c01b9314d6903d78776af84e2fdc&server=12&id=712889&crc=44ced95&wdata=20141029
Note that the first parameter has both its name and its value randomly generated, which ensures that different base64 encodings (or encryptions) are received for the same request, that is, for the same user contacting the same server with the same bot version and requesting or reporting the same data.
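As an added example (not from the original post), the following Python triage routine applies the request shapes just described to web-server or proxy request lines: it recognizes the c/d/t path prefixes, base64-decodes the [data] field, drops the random first parameter, and flags payloads that do not decode to key=value text, as those of the encrypting campaign would. The first two sample lines are the decoded examples quoted above; the third request line and its random-byte payload are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Path prefix -> request type, per the three request shapes described above
REQUEST_TYPES = {"c": "configuration report", "d": "data upload", "t": "task request"}
REQUEST_RE = re.compile(r"^(GET|POST) /([cdt])[a-z]*\.php\?[a-z]+=([A-Za-z0-9+/=]+)")

# Constructed sample lines: the first two carry the decoded examples quoted
# above; the third is a made-up request whose payload is random bytes, standing
# in for the newer campaign that encrypts before applying base64.
SAMPLE_REQUESTS = [
    "GET /cjbgaahoi.php?syeiv=YXlicGpvYWZmPWdodXllaHBxJnZlcnNpb249MjEyMzA5JnVzZXI9ZGYwZGU1NjRkNGEyMjNiMDI2NGQ0ODA3M2JiOTU2YmUmc2VydmVyPTEyJmlkPTcxMjg4OSZjcmM9MmUxZWZmNjMmd2RhdGE9MjAxNDEwMjk=",
    "POST /txlv.php?hldf=d2N0Z3FhZmY9Z3JmbGd4aiZ2ZXJzaW9uPTIxMjMwOSZ1c2VyPWRjZDRjMDFiOTMxNGQ2OTAzZDc4Nzc2YWY4NGUyZmRjJnNlcnZlcj0xMiZpZD03MTI4ODkmY3JjPTQ0Y2VkOTUmd2RhdGE9MjAxNDEwMjk=",
    "GET /tqwe.php?zx=" + base64.b64encode(bytes(range(0x80, 0xA0))).decode(),
    "GET /index.html",  # unrelated traffic that must be ignored
]

def decode_rovnix_request(line):
    """Classify one request line; None if it does not match the Rovnix shapes."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    method, prefix, data = m.groups()
    result = {"method": method, "type": REQUEST_TYPES[prefix], "encrypted": True, "fields": {}}
    try:
        plain = base64.b64decode(data, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return result  # not base64 of plain text: treat as the encrypted variant
    pairs = parse_qsl(plain, keep_blank_values=True)
    # Unencrypted campaigns yield key=value pairs; the first pair is the
    # per-request random name and value, carries no information, and is dropped.
    if len(pairs) < 2 or not all(k.isalnum() for k, _ in pairs):
        return result
    result["encrypted"] = False
    result["fields"] = dict(pairs[1:])
    return result

def triage(lines):
    """Decode every matching line, e.g. from a sinkhole's web server log."""
    return [r for r in map(decode_rovnix_request, lines) if r is not None]

if __name__ == "__main__":
    for r in triage(SAMPLE_REQUESTS):
        print(r["method"], r["type"], "encrypted" if r["encrypted"] else r["fields"])
```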
For more information visit: http://labs.bitdefender.com/2014/11/tracking-rovnix-2/