This blog post was originally published on 05 August 2014, by Sebastian Garcia, at https://mcfp.weebly.com/analysis/archives/08-2014.
Yesterday we found a malware sample that uses a DGA (domain generation algorithm) to locate the domains of its C&C servers. It became interesting when we noticed that the DGA communication deliberately avoids periodic requests. In fact, the malware seems to be choosing the send times of its DGA packets specifically so that they are not periodic.
The malware, whose MD5 is c740789d5b226668f8a37626883fd0b7, is detected by AVAST as Win32:Dropper-KRG [Drp] and by Sophos as Mal/Steppa-A. The dataset in which this behavior was found can be downloaded as CTU-Malware-Capture-Botnet-31; the capture took place between Nov 2013 and Jan 2014 in our capture facility. In the capture file 2013-11-25_capture-win7-3.pcap there is a large group of packets going to the IP address 192.35.51.30, destination port 53/TCP. The content of these packets is DNS requests for domains generated by a DGA. For example:
- kbzmyrj.net
- gczdamdbyahv.net
- dgcfpcofdwmt.net
- kxfighr.com
- fqmtpgifhiyb.net
- jpagdbaepbm.net
These connections differ from normal DNS requests in two ways:
- They use the TCP protocol instead of UDP.
- They are being made to a DNS server chosen by the attacker and not to the one defined by the network.
What is more, the simple trick of using TCP works well for the attacker because some analysis tools, such as passivedns, fail to find these requests at all.
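As an added example (not code from the original post, and not from passivedns or CCDetector.py), the following Python dissects DNS carried over TCP and applies the two checks above. The configured-resolver set 10.0.0.2 is an assumption; the resolver IP 192.35.51.30 and the domain names are the ones quoted above. Over TCP each DNS message carries a two-byte length prefix (RFC 1035, section 4.2.2) and several messages can be pipelined on one connection, which is why a dissector that only looks at UDP payloads never sees them.

```python
"""Added example, not from the original post or any tool it names: a small
DNS-over-TCP dissector plus the two checks the post describes (TCP to port 53,
and a resolver that is not the one the network configured).

RFC 1035 section 4.2.2: over TCP every DNS message is preceded by a two-byte
big-endian length, and several messages may be pipelined on one connection.
A tool that only treats UDP port-53 payloads as DNS never sees these queries.
"""
from __future__ import annotations

import struct

# Assumption: the resolver the network hands out (constructed for this example).
CONFIGURED_RESOLVERS = {"10.0.0.2"}

# The resolver IP and the DGA names are quoted from the post.
SUSPECT_RESOLVER = "192.35.51.30"
DGA_DOMAINS = ["kbzmyrj.net", "gczdamdbyahv.net", "dgcfpcofdwmt.net",
               "kxfighr.com", "fqmtpgifhiyb.net", "jpagdbaepbm.net"]


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query (header + one question), without the TCP length prefix."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def tcp_frame(msg: bytes) -> bytes:
    """Add the two-byte length prefix that DNS over TCP requires."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a domain name at `offset`, following compression pointers;
    return (name, offset just past the name at its original position)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def parse_dns_tcp_stream(stream: bytes) -> list[dict]:
    """Split a TCP payload into length-prefixed DNS messages and list their questions."""
    questions, pos = [], 0
    while pos + 2 <= len(stream):
        (mlen,) = struct.unpack("!H", stream[pos:pos + 2])
        msg = stream[pos + 2:pos + 2 + mlen]
        if len(msg) < mlen or mlen < 12:
            break  # truncated: a real dissector waits for the next segment
        txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
        offset = 12
        for _ in range(qdcount):
            name, offset = read_name(msg, offset)
            qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
            offset += 4
            questions.append({"txid": txid, "qname": name, "qtype": qtype,
                              "is_response": bool(flags & 0x8000)})
        pos += 2 + mlen
    return questions


def flag_dns_flow(proto: str, dst_ip: str, dst_port: int) -> list[str]:
    """Reasons a port-53 flow deserves a look; an empty list means it looks normal."""
    reasons = []
    if dst_port != 53:
        return reasons
    if proto.lower() == "tcp":
        reasons.append("dns-over-tcp")
    if dst_ip not in CONFIGURED_RESOLVERS:
        reasons.append(f"unexpected-resolver:{dst_ip}")
    return reasons


def build_sample_stream() -> bytes:
    """Six pipelined queries, as the connection to 192.35.51.30 would carry them (constructed)."""
    return b"".join(tcp_frame(build_query(d, 0x1000 + i)) for i, d in enumerate(DGA_DOMAINS))


if __name__ == "__main__":
    stream = build_sample_stream()
    print(flag_dns_flow("tcp", SUSPECT_RESOLVER, 53))
    for q in parse_dns_tcp_stream(stream):
        print(f"txid={q['txid']:#06x} qname={q['qname']} qtype={q['qtype']}")
```

The dissector stops at a truncated trailing message instead of guessing, which is what a stream reassembler has to do when a query is split across TCP segments; the resolver check is deliberately separate from the TCP check, because plain UDP queries to an unexpected resolver are worth a look on their own.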
Analyzing all of these DNS requests with our behavioral state model (the CCDetector.py tool) shows that the requests are not periodic. The following is a sample of the flows carrying these DNS requests:
| Time | Time Difference 1 (T1) | Time Difference 2 (T2) | Difference of Time Differences (TD) |
|---|---|---|---|
| 01:03:07.901969 | -1 | -1 | 0.0 |
| 01:03:13.099428 | -1 | 5.197459 | 0.0 |
| 01:03:13.970381 | 5.197459 | 0.870953 | -4.3 |
| 01:04:32.543049 | 0.870953 | 78.572668 | 77.7 |
| 01:05:29.735165 | 78.572668 | 57.192116 | -21.4 |
| 01:05:35.954195 | 57.192116 | 6.21903 | -51.0 |
| 01:05:45.808630 | 6.21903 | 9.854435 | 3.6 |
| 01:05:57.415327 | 9.854435 | 11.606697 | 1.8 |
| 01:06:43.150694 | 11.606697 | 45.735367 | 34.1 |
| 01:07:00.225639 | 45.735367 | 17.074945 | -28.7 |
The columns mean (all times in seconds):
- "Time": time when the flow was seen.
- "Time Difference 1 (T1)": the previous interval, that is, the time between the previous flow and the one before it (each row's T1 is the T2 of the row above).
- "Time Difference 2 (T2)": the time between the current flow and the previous one.
- "Difference of Time Differences (TD)": T2 minus T1. A value of -1 means the interval is not yet available, and TD is 0 until both intervals exist.
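As an added example (not the post's CCDetector.py), the following Python recomputes the T1, T2 and TD columns from the ten flow times in the table above, scores periodicity as the fraction of rows whose |TD| stays within a tolerance, and summarises the intervals (median, mean, maximum, standard deviation) in the way the post does later. The tolerance, the scoring rule and the jittered 60-second beacon used for comparison are constructed for this example.

```python
"""Added example, not the post's own CCDetector.py: rebuild the T1/T2/TD
columns of the flow table from flow timestamps, score how periodic the
flows are, and summarise the inter-flow intervals.
"""
from datetime import datetime
from statistics import mean, median, pstdev

# The ten flow times printed in the post (HH:MM:SS.ffffff, same day).
SAMPLE_FLOW_TIMES = [
    "01:03:07.901969", "01:03:13.099428", "01:03:13.970381", "01:04:32.543049",
    "01:05:29.735165", "01:05:35.954195", "01:05:45.808630", "01:05:57.415327",
    "01:06:43.150694", "01:07:00.225639",
]

# Constructed for comparison: a beacon every 60 s with a little jitter (seconds).
BEACON_SECONDS = [0.0, 60.0, 120.4, 179.9, 240.2, 300.1, 359.8, 420.3, 480.0, 540.2]


def _seconds_since_midnight(ts: str) -> float:
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return (t - t.replace(hour=0, minute=0, second=0, microsecond=0)).total_seconds()


def rows_from_seconds(secs):
    """Return (time, T1, T2, TD) rows from flow times given in seconds.
    T2 = gap between this flow and the previous one,
    T1 = the previous gap (between the previous flow and the one before it),
    TD = T2 - T1.  -1 marks a value not yet available; TD is 0 until both exist.
    """
    rows = []
    t2 = -1.0
    for i, now in enumerate(secs):
        t1 = t2
        t2 = now - secs[i - 1] if i > 0 else -1.0
        td = t2 - t1 if t1 >= 0 and t2 >= 0 else 0.0
        rows.append((now, t1, t2, td))
    return rows


def time_difference_rows(times):
    """Same as rows_from_seconds for HH:MM:SS.ffffff strings; keeps the original label."""
    secs = [_seconds_since_midnight(t) for t in times]
    return [(label,) + row[1:] for label, row in zip(times, rows_from_seconds(secs))]


def periodicity_score(rows, tolerance=2.0):
    """Fraction of rows whose |TD| is within `tolerance` seconds (constructed heuristic).
    Near 1.0 the gaps repeat, i.e. a periodic beacon; near 0 they do not."""
    scored = [abs(td) <= tolerance for _, t1, t2, td in rows if t1 >= 0 and t2 >= 0]
    return sum(scored) / len(scored) if scored else 0.0


def interval_stats(rows):
    """Summary of the inter-flow intervals (the T2 column; T1 is the same series shifted by one)."""
    gaps = [t2 for _, _, t2, _ in rows if t2 >= 0]
    return {"median": median(gaps), "mean": mean(gaps), "max": max(gaps), "stdev": pstdev(gaps)}


if __name__ == "__main__":
    sample = time_difference_rows(SAMPLE_FLOW_TIMES)
    for label, t1, t2, td in sample:
        print(f"{label}, T1={t1:.6g}, T2={t2:.6g}, TD={td:.1f}")
    print("DGA sample periodicity:", periodicity_score(sample))
    print("beacon periodicity:    ", periodicity_score(rows_from_seconds(BEACON_SECONDS)))
    print(interval_stats(sample))
```

On the ten rows above the score is 1/8 (only the 1.8 s row is within 2 s), while the jittered beacon scores 8/8; the absolute tolerance is a simplification, and on real traffic a tolerance relative to the interval size, or a histogram of TD over many flows, is more robust than a single number.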
The TD value is a good indicator of the periodicity of the requests: when TD stays close to 0, consecutive intervals are alike and the flows are periodic. In this case we can see that there is no periodicity. However, it is interesting that the T1 values are so different from one another; this is not usually the case for programs that try to contact their C&C server often. So we decided to analyze the values of the T1 column to see whether there was a relationship between them. A quick plot of their probability distribution shows us this:
This plot shows that the times between DNS requests may follow a probability distribution with these parameters:
- Median = 23 seconds
- Mean = 44 seconds
- Max value = 55200 seconds
- Stdev = 556 seconds
This is a strong indicator that the times between packets of this DGA are neither periodic nor simply arbitrary: there seems to be an underlying probability distribution generating them. Note that the distribution is heavily skewed, with a median of 23 seconds against a mean of 44 seconds and a maximum of 55200 seconds (more than 15 hours); a few very long gaps dominate the mean and the standard deviation, so the median is the more representative figure, and a capture alone cannot tell the longest gaps apart from an idle or rebooted host. If this is confirmed, it may be the first time that the requests of a C&C channel are deliberately not generated at a fixed frequency, but are instead sent at times drawn from a probability distribution.