
DGA in Mirai variant


Release time: 2016-12-12 16:02:57

Author: 360 Network Security Research Institute

The Mirai malware behind the Internet outage in the United States has a variant with a built-in domain generation algorithm (DGA).

The Mirai malware, which has successively caused Internet outages in the United States and Germany, not only infects and controls an ever-growing number of Internet-connected devices such as cameras, forming a potentially even more threatening botnet, but also keeps spawning new variants. Recently, 360 Network Security Research Institute confirmed, for the first time worldwide, a DGA mechanism in the earlier Mirai sample that spreads via port 7547.

Overview

Two weeks ago, 360 Network Security Research Institute discovered that 2 new infection vectors (namely TCP port 7547 and 5555 variants) were used to spread Mirai malware.

"A Few Observations of The New Mirai Variant on Port 7547"

Ye Genshen of the institute quickly set up some honeypots, and the harvest came just as quickly: 11 samples were captured in a single day on November 28. To date, our honeypots have captured 53 unique samples from 6 hosting servers.

While analyzing one of the new samples, our colleague Qu Wenji found some DGA-like code and guessed that the variant contained DGA functionality, a guess that was quickly confirmed by our sandbox data. Detailed reverse engineering shows that DGA code is indeed present in the Mirai samples distributed over TCP ports 7547 and 5555. This article presents these latest findings; the properties of the DGA we found are summarized as follows:

1. Uses 3 top-level domains: online/tech/support;

2. The L2 domain name has a fixed length of 12 characters, and each character is randomly selected from "a" to "z";

3. The domain name is determined only by the month, day and a hardcoded seed string;

4. Only one domain name is generated every day, so there are at most 365 DGA domain names;

5. The DGA domain name is only used when the hard-coded C2 domain name cannot be resolved.

With the knowledge of the DGA gained from reverse engineering, we reimplemented the DGA as a program and used it to predict all 365 possible domains. When we then checked the registration information of these domain names, we found that some of them had already been registered by the Mirai authors. The list is as follows:

Figure 0, DGA domain names that have been registered

It is worth mentioning that the author [email protected] has registered other Mirai C2 domains earlier:

zugzwang.me email [email protected]

Samples and Analysis

The samples used for illustration in this article are as follows:

1. MD5: bf136fb3b350a96fd1003b8557bb758a

2. SHA256: 971156ec3dca4fa5c53723863966ed165d546a184f3c8ded008b029fd59d6a5a

3. File type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

The sample is stripped of symbols but not packed. Based on our experience analyzing Mirai samples, we quickly identified its main modules. Comparing the code, we found that the CFG (control flow graph) of the resolv_cnc_addr function differs greatly from that of previously seen samples. The new version of the CFG is shown in Figure 1.

Figure 1, the new version of the resolv_cnc_addr control flow graph

At the beginning of the function, since up to 3 C2 domain names are hardcoded in the sample, a random number is generated to select either the first or the second C2 domain name, as shown in Figure 2.

Figure 2, the first part of the resolv_cnc_addr function

If the selected C2 domain name cannot be resolved, the bot does not try the unselected one or the third domain name directly; instead it decides, based on the current date, whether to execute the DGA code branch or to resolve the third C2 domain name, as shown in Figure 3.

Figure 3, Deciding whether to enter the DGA code branch

From the above code snippet we can see that if the current date is between November 1st and December 3rd, the 3rd C2 domain name is resolved; otherwise the DGA code branch is executed. This can be read as the author not wanting the DGA domain names to be activated before December 4th, which is also consistent with the first registered Mirai DGA domain name mentioned above corresponding to December 4th. The main DGA function is named dga_gen_domain. Domain names are generated entirely from the seed number and the current date. The seed is converted from a hardcoded hex-format string by calling strtol(). The string "x90x91x80x90x90x91x80x90" looks like a misconfiguration: it does not start with a valid numeric digit, so strtol() always returns 0.

The code obtains the local date by calling the C library functions time() and localtime(), but only the month and day are used, as shown in Figure 4.

Figure 4, dga_gen_domain function snippet

The L2 domain name is generated by repeatedly executing the code block shown in Figure 5. Its length is determined by $t5 and $t2, whose values are set in Figure 4, from which we can determine that the L2 domain length is 12.

Figure 5, the loop code snippet for generating the L2 domain name

The TLD (Top Level Domain) is selected by the remainder value held in register $s0, as shown in Figure 6. We can see that 3 TLDs are used here.

Figure 6, Determining the code branch of the TLD
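An added detection-side example (not code from the original article or from 360 Network Security Research Institute): it mirrors the date check described above and the observed DGA domain shape (12 lowercase letters plus one of the three TLDs), without reproducing the generator itself, which the article does not spell out, and flags matching names in constructed DNS query log lines. The log line format is an assumption.

```python
import re
from datetime import date

# Properties observed in the analysis: 12 chars of [a-z] and one of three TLDs.
DGA_TLDS = ("online", "tech", "support")
DGA_PATTERN = re.compile(r"^[a-z]{12}\.(" + "|".join(DGA_TLDS) + r")$")
# Hardcoded C2 domains listed in the IOC section of the article.
HARDCODED_C2 = {"zugzwang.me", "tr069.online", "tr069.tech", "tr069.support"}

def takes_dga_branch(d: date) -> bool:
    """Mirror the date check in resolv_cnc_addr: between Nov 1 and Dec 3 the bot
    falls back to the third hardcoded C2; on any other date it runs the DGA."""
    in_static_window = (d.month == 11) or (d.month == 12 and d.day <= 3)
    return not in_static_window

def is_dga_shaped(domain: str) -> bool:
    """True if the query name matches the observed DGA shape."""
    return DGA_PATTERN.match(domain.lower().rstrip(".")) is not None

def classify_dns_log(lines):
    """Flag hardcoded C2 lookups and DGA-shaped names in a simple query log.
    Assumed line format (constructed): '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        _ts, client, qname = parts
        q = qname.lower().rstrip(".")
        if q in HARDCODED_C2:
            hits.append((client, q, "hardcoded-c2"))
        elif is_dga_shaped(q):
            hits.append((client, q, "dga-shaped"))
    return hits

# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "2016-12-05T01:02:03Z 10.0.0.7 zugzwang.me",
    "2016-12-05T01:02:04Z 10.0.0.7 abcdefghijkl.online",
    "2016-12-05T01:02:05Z 10.0.0.8 www.example.com",
    "2016-12-05T01:02:06Z 10.0.0.9 tr069.support.",
    "2016-12-05T01:02:07Z 10.0.0.9 toolong12345678.tech",
]

if __name__ == "__main__":
    for hit in classify_dns_log(SAMPLE_LOG):
        print(hit)
```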

IOC

Currently, DGA-related features exist in the following samples, all of which have identical seed strings and algorithms:


The hardcoded C2 domain names in the sample are as follows:

zugzwang.me
tr069.online
tr069.tech
tr069.support

We will keep an eye on further changes to this DGA variant, so stay tuned for updates.

Attachment: Mirai tracking process by 360 Network Security Research Institute

Based on its understanding of the two outage events in the United States and Germany and of the Mirai botnet, 360 Network Security Research Institute has compiled the following timeline of its Mirai tracking (all times are Beijing time):

2016-11-07, kenzo released a TR-069/TR-064 related security bulletin for routers and other devices on port 7547;

2016-11-26 21:27:23, 360 Network Security Research Institute first detected the Mirai botnet initiating scans on port 7547;

From 2016-11-26 to 2016-11-28, the Mirai botnet on port 7547 grew large enough to affect a wide area of the network;

2016-11-27 17:04, 360 Network Security Research Institute detected another variant, similar to the variant from the 26th, but this one scans TCP port 5555;

As of 2016-11-28, about 900,000 Deutsche Telekom routers had been disrupted by the Mirai botnet's scanning, affecting a wide area of the network;

From 2016-11-28 to the present, Deutsche Telekom has taken measures within its own network to curb the Mirai botnet's scanning.

As of December 9, the honeypots set up by 360 Network Security Research Institute had captured 53 unique samples from 6 hosting servers.

In early December 2016, while analyzing one of the new samples, Qu Wenji of 360 Network Security Research Institute found some DGA-like code and guessed that the variant contained DGA functionality, which was quickly confirmed by our sandbox data.


This article was originally published on anquanke.com; for reprints, please refer to the reprint statement and cite the source: https://www.anquanke.com/post/id/85102
