Two weeks ago, Arbor Networks released details on a malware campaign called Bedep. It is a good write-up, but the most interesting data point in it is how malware authors are changing the way they build domain generation algorithms (DGAs) to make life harder for security researchers.
The use of DGAs in malware is a double-edged sword for malware operators. On the one hand, it gives them a great deal of resiliency against takedowns and blocklists. On the other, researchers can crack the DGA and predict the malware’s future domains for use in sinkholing, takedowns or predictive blocklists.
Most malware uses date-based generation, some use a static seed embedded in the malware, and many use a combination of both. Tinybanker/Tinba, for instance, uses only a domain-name seed to generate its domains, but the seed changes frequently, making it difficult for researchers to keep up.
That said, it appears some DGA operators have taken steps to mitigate the risks of using predictable domains for their C2s. For instance, the Pushdo DGA described in a recent Fidelis Threat Advisory uses the .kz top-level domain (TLD) for its domains. This creates two problems for anyone trying to register the predicted domains: the waiting period before a domain can be used, and the lack of WHOIS privacy protection.
It is likely not an accident that this TLD was chosen: it creates a hassle for researchers and, more importantly, requires a sinkhole operator or researcher either to expose their identity or to use fake registration information, which is grounds for immediate suspension of the domain under ICANN rules. That said, these problems can be overcome.
This brings us back to Bedep, which uses foreign currency exchange-rate data published by the European Central Bank to generate its domains. The European Central Bank's data looks back 90 days, but obviously there is no future data available, which means there is no way to predict future domains.
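To make the contrast concrete, here is an added toy example (not Bedep's, Tinba's or any real family's algorithm) showing why a date-seeded DGA lets a defender precompute a predictive blocklist, while a DGA seeded from an external daily feed cannot be run ahead of the feed. The hashing scheme, the `.kz` suffix and the sample exchange-rate rows are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed toy DGA for illustration only; not any real family's algorithm.
TLD = ".kz"


def dga_domain(seed_material: bytes, length: int = 12) -> str:
    """Derive one domain from seed bytes: SHA-256, then map bytes to a-z."""
    digest = hashlib.sha256(seed_material).digest()
    letters = "".join(chr(ord("a") + b % 26) for b in digest[:length])
    return letters + TLD


def date_seeded(day: date, static_seed: bytes = b"demo-seed") -> str:
    """Date-based DGA: the seed is the calendar date plus a static constant."""
    return dga_domain(static_seed + day.isoformat().encode())


def predictive_blocklist(start: date, days: int) -> List[str]:
    """Defender view: every future domain of a date-seeded DGA can be precomputed."""
    return [date_seeded(start + timedelta(days=i)) for i in range(days)]


def rate_seeded(day: date, rates: Dict[date, Dict[str, float]]) -> Optional[str]:
    """Feed-seeded DGA: the seed also needs that day's published exchange rates.

    Returns None when no row exists for the day, i.e. the feed has not been
    published yet, so a defender cannot generate the domain in advance.
    """
    row = rates.get(day)
    if row is None:
        return None
    rate_text = ",".join(f"{cur}={val:.4f}" for cur, val in sorted(row.items()))
    return dga_domain(day.isoformat().encode() + rate_text.encode())


# Constructed sample rows shaped like a daily reference-rate feed (values made up).
SAMPLE_RATES: Dict[date, Dict[str, float]] = {
    date(2015, 2, 2): {"USD": 1.1305, "GBP": 0.7512, "JPY": 132.87},
    date(2015, 2, 3): {"USD": 1.1409, "GBP": 0.7520, "JPY": 134.02},
}

if __name__ == "__main__":
    print(predictive_blocklist(date(2015, 2, 2), 3))   # predictable days ahead
    print(rate_seeded(date(2015, 2, 3), SAMPLE_RATES))  # known once the feed is out
    print(rate_seeded(date(2015, 2, 4), SAMPLE_RATES))  # None: no future feed row
```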
It is hard to believe this is an unintentional choice by the malware authors. It means they know how we generate domains ahead of time and what sinkholing is worth to researchers, and they are actively taking steps to thwart our efforts. In short, the status quo prevails.