
Susp DGA from PDNS: A fix length of 16, mix a-z and 0-9, tlds: [org, ru, cn, net, info, biz] #1

Closed
suqitian opened this issue Aug 9, 2016 · 2 comments

Comments

@suqitian (Member) commented Aug 9, 2016

  • MD5
    55c447191d9566c7442e25c4caf0d2fe
  • These suspicious domains had been noticed for a long time in the PDNS system, but only weeks ago did we find a new method to map them to the target MD5. Domains sampled on Aug 07, 2016:
  • Malware sample [55c447191d9566c7442e25c4caf0d2fe] DNS queries, very similar to the domains in the list above.
  • So, really looking forward to reverse engineering this binary and feeding back the implementation of the DGA, so that we can filter out these malicious domains in the PDNS system.
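A defender-side filter for the pattern reported above (16-character labels from [a-z0-9] under the observed TLDs), as an added example that is neither the issue's dga.py nor any project code; the PDNS record layout, the sample lines and the inclusion of .com (seen in the sample's queries) are assumptions:

```python
import re
from collections import Counter

# Heuristic matcher for the shape described in this issue: a 16-character
# label drawn from [a-z0-9] sitting directly under one of the observed TLDs.
# Added example; the TLD set adds .com because the sample's own queries use it.
OBSERVED_TLDS = ("org", "ru", "cn", "net", "info", "biz", "com")
SUSPICIOUS_RE = re.compile(
    r"^(?P<label>[a-z0-9]{16})\.(?P<tld>" + "|".join(OBSERVED_TLDS) + r")$"
)

def is_suspicious(domain: str) -> bool:
    """True when the domain has the shape reported in this issue.

    Beyond the regex, require the label to mix letters and digits, which
    drops a 16-letter dictionary word or an all-digit label that would
    otherwise match on length alone.
    """
    m = SUSPICIOUS_RE.match(domain.strip().lower().rstrip("."))
    if not m:
        return False
    label = m.group("label")
    return any(c.isdigit() for c in label) and any(c.isalpha() for c in label)

def scan_pdns(lines):
    """Parse constructed PDNS lines ('<epoch> <client> <qname> <qtype>') and
    return (flagged_qnames, per_tld_counts) for the suspicious ones."""
    flagged, per_tld = [], Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed records instead of crashing the scan
        qname = parts[2].lower().rstrip(".")
        if is_suspicious(qname):
            flagged.append(qname)
            per_tld[qname.rsplit(".", 1)[1]] += 1
    return flagged, per_tld

# Constructed sample: two domains quoted in the issue, plus benign traffic
# and two look-alikes that the letter/digit mix rule must reject.
SAMPLE_PDNS = [
    "1470542401 10.0.0.5 53ptxfec6a4mwbrl.org. A",
    "1470542402 10.0.0.5 ou16nagv4pashauc.ru. A",
    "1470542403 10.0.0.5 www.example.com. A",
    "1470542404 10.0.0.7 abcdefghijklmnop.net. A",   # 16 letters, no digits
    "1470542405 10.0.0.7 1234567890123456.biz. A",   # 16 digits, no letters
    "1470542406 10.0.0.9 short1.cn. A",
    "garbage line",
]

if __name__ == "__main__":
    flagged, per_tld = scan_pdns(SAMPLE_PDNS)
    print(flagged, dict(per_tld))
```

The regex is anchored at the registered domain, so a hostname under a flagged domain (for example a www label in front of it) is not matched; extend the pattern if the PDNS feed records such names.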
@suqitian suqitian changed the title From PDNS: A fix length of 16, mix a-z and 0-9, tlds: [org, ru, cn, net, info, biz] Susp DGA from PDNS: A fix length of 16, mix a-z and 0-9, tlds: [org, ru, cn, net, info, biz] Aug 9, 2016
@suqitian suqitian closed this as completed Aug 9, 2016
@suqitian suqitian reopened this Aug 9, 2016
@suqitian (Member Author) commented Aug 30, 2016

Some details about this malware:
https://blog.malwarebytes.com/threat-analysis/2015/06/unusual-exploit-kit-targets-chinese-users-part-2/

Running this sample in my VirtualBox, it drops a file named 4VJzegtSr.exe into the path C:\Windows\system\JkLtFzICS.
Double-click 4VJzegtSr.exe, wait for a minute, and hundreds of domains will be seen in Wireshark.

@suqitian (Member Author) commented

The DGA of Chinad
1000 domains per day

Test:

$ date +%s -d "2016-08-7 12:00:00"  
1470542400
$ python dga.py -t 1470542400 -n 1000 -l 16 | less
...
53ptxfec6a4mwbrl.org
gyzn61atzscg0uik.info
9j5k16z7x0zdh1ro.net
...
ou16nagv4pashauc.ru
neblb4lwt5jknbo4.com
uknvzqus9y71mo1y.info
...

The output matches well the domains observed from PDNS on Aug 07, 2016.
And the file dga.py is here.
