Earlier this year, the Federal Bureau of Investigation disrupted the activities of the Gameover botnet. That disruption had a significant effect on the scale of the ZBOT threat, but it was unlikely that cybercriminals would not respond in some fashion.
The use of domain generation algorithms (DGAs) is a key part of Gameover, but new variants like TROJ_ZBOT.YUYAQ have made this tactic even more powerful. How exactly does this variant use this technique?
The domains are based on the results of an MD5 hash generated by the system. The factors that go into computing the hash are:
- current day/month/year
- hardcoded value of 0x35190501
- tick count (time since the system was started)
How does the malware generate a domain name from this hash value? This is best demonstrated with a sample hash value. Let us suppose that the resulting MD5 value is 0xf1d73a971e50a68419c7f70764f34f1e. This can be split into four 4-byte words: from most significant to least significant, these would be:
Each word is processed using the same algorithm with the word as the initial value, as follows:
- Divide the input number by 0x24.
- Take the remainder from #1 and add this value to the numbers 0x30 and 0x57. Let’s call these x and y.
- Convert x and y to ASCII characters using standard values. Of the two resulting characters, use the result which is either a number or a lower-case character.
- To generate the next character, repeat the algorithm with the quotient from step #1 as the input. If the quotient is zero, the algorithm is finished running and the resulting string is complete.
The above algorithm converts 0xf1d73a97 into the string tdcly51. The malware reverses this string, resulting in 15ylcdt.
Each word is converted into a string in this manner, and then the resulting strings are concatenated together into one longer string: in this case, our MD5 hash is converted into 15ylcdt10t00m627l7a18es4f8. This string is used as the hostname for the command-and-control server.
The top-level domain (TLD) used is one of the following: .biz, .com, .net, or .org. Which TLD is used depends on the tick count of the system.
Every time this malware is run, it generates up to 500 distinct domain names, with up to 1500 unique domains generated per day. While it may be capable of generating this large number of domains, in practice relatively few are used. We have found only 23 domains related to this specific variant of Gameover. More than three-fourths of the victims of this variant are located in the United States. The heat map below shows the distribution of the victims around the world, with the blue circles showing where the C&C servers are located:
Figure 1. Heat map of victims and C&C servers
This incident was not the first time that a DGA was used by malware to try and hide its network traffic, and it won’t be the last. So long as it is an effective way to help make detection of C&C traffic difficult, malware will continue to use this technique – to the detriment of users.
The hash involved in this attack is :
With additional analysis from Marilyn Melliang and Marco Dela Vega