From the botnet battlegrounds – The tale of UnknownDGA17

A new cluster formation showing popping up on our radar!

October 9th 2013, 2pm GMT

http://www.photo-dictionary.com/photofiles/list/686/12318radar.jpg

 

A cluster formation is essentially a group of nodes that share similarities on how they interact with other nodes on the same universe.

One of the very efficient techniques we use to detect behavior consistent with what we would expect from new botnets, is basically detecting the formation of new clusters, tracking their progress, from inception to demise, and leverage that information both as direct security feeds for Cyberfeed and for triggering sinkholing procedures when possible.

New clusters are of course of a particular interest, since they will usually map to some new malicious behavior kicking in (although sometimes clusters aren’t necessary evil – such an example would be bit torrent tracker communication).

Often, it happens that we will spot such behavior at very early stages, particularity when there are DGAs involved (Domain Generation Algorithms).

Today, in the early afternoon, we could see very clearly such an event taking place based on the information we were collecting from our sensor network.

Some hours later, around 6pm GMT, it had grown already to an interesting formation:

The orange nodes that can be clearly identified on the above diagram represent C&C domains, whereas the white nodes represent single devices connecting to the C&Cs.

Such diagrams are easily created by piping real time data from Cyberfeed into your preferred visualization platform (in this case, we used Gephi to generate this diagram).

Tracking the cluster formation at its early stages, immediately revealed some interesting indicators:

  • A world wide presence. Based on the information collected from our sensors, it was very clear that it didn’t stick to a particular region.
  • The growth rate was also a bit of unexpected. It was forming really really fast, as more and more devices would join the cluster
  • The domain names used for C&C seamed pseudo-random, but always using the .su extension (old Soviet Union)
  • A total of 21 different domain names were being used at the time of the initial analysis
  • A binary payload being transmitted over HTTP, indicating a possible encrypted communication

Immediately, we triggered our sink holing procedures so that we could have full visibility over this particular malware, beyond just the sampling of what we get from our sensors.

Doing so, allows us not only to accurately map the botnet, but also of to publish the available information to Cyberfeed customers, giving details  about which devices are part of this particular network, at a world wide scale.

From the point where the sinkhole kicked in (which can take some time with SU domains), we can see on this chart below the progression in terms of growth, expressed by the number of unique IP addresses trying to contact the C&Cs.

At the moment of writing, the growth rate shows no signs of slowing down significantly, and we are currently tracking over 150,000 infected devices already.

It is expected that this number will be a lot higher within our usual measurement window of 24 hours.

The example below shows all the metadata and raw payload, as available to Cyberfeed customers.


Note: The raw POST data encrypted payload can be quite large, so if this is something not relevant to you, it’s always best to filter with ‘fields=-data’ on the API.

A quick snapshot, taken tonight by using the Cyberfeed GUI on a about 10 minutes worth of traffic, gives a pretty good idea of how wide spread this bug is:

 

The reason why this particular malware family is currently tagged on Cyberfeed as ‘UnknownDGA17′ (trojanfamily=unknowndga17), is to follow our own convention when we detect this type of clusters, which means:

  • Seams to employ a DGA for C&C domains
  • It is for now ‘unknown’ the purpose of this botnet and the actual malware family behind it (can be a new trojan, or some new variation of an older one). This is likely to change soon, at which point it will get a proper name.
  • It is the 17th DGA we detect using this methodology
Our recommendation is always to treat Unknown threats as critical and keep any infection tell tales under close inspection.
——-
UPDATE: October 9th 2013, 2pm GMT
UnknownDGA17 has reached over 416,000 infections on a 24 hour period, and is still growing.
Here are some updated charts with its progress and geo distribution:
2 Comments
  1. To all our customers and Partners using our Email and Web Products:
    This information is automatically integrated into our Global Threat Intel Platforms (which provides the Intel for all our products, meaning it is available to our Products’ IP Reputation systems!)