Stories About Botnets - Part 2

In the first part of this series, I talked about a few botnets that are using random domain generation algorithms in order to conceal their Command and Control (CnC) servers. But that’s not the only type of evasion being used by advanced malware. There are other types of polymorphism as well.

Some of the polymorphic techniques found in this malware are as follows:

  1. Random domain generation (as I talked about in Part 1)
  2. Random URL and HTTP header generation
  3. Custom obfuscated protocols
  4. Traffic disguised as legitimate objects such as GIF or JPEG image files

Today, I would like to talk about type 2: botnets that are good at randomizing their HTTP communication. Readers will see shortly how effectively these malware families bypass signature-based defenses.

Some of these malware families do not have any publicly known names, so for simplicity I will call them Bot.A, Bot.B, and so on.

Bot.A

POST /fpvxpnhnwqmxhateawxvekrjaxymunqqtrpqvics.rar
POST /upotaflpifewjktagy.cgi
POST /stwmhinqgxtzrzavmsisqaemespvmlytkogsexshbf.doc
POST /rnprtkfbobwlizfupoxvdrgwjwtxhrqzgegznaazhdpfssafktpreklwbxx.php3
POST /giudnjxopcgmmkzrmzljojpfsnpcjirdkjaefarf.rar
POST /dsqxifbgizgofovhpzxjgqvypomoljxevsfeleojcy.rar
POST /jqkszowocuyjffuxy.cgi
POST /shypxczuhiqcwzlezjnjdmbuwkyuvkabwlarlmdu.doc

Bot.A mixes its URIs quite well. Three different polymorphic attributes are visible in this set of URIs:

  1. Random file names
  2. Variable file name length
  3. A variety of valid file extensions (.rar, .cgi, .doc, .php3)

Bot.B

POST /forum/65a9534326f288454ece3884f92596a8.php
POST /forum/00089842880169c2ef6b3ede7a885ce1.php
POST /forum/a41544c23412691deabdae0e4c41c0ec.php
POST /forum/be08676aa6521d6d8c60ea587a8e144a.php

Like Bot.A, Bot.B randomizes its URIs as well. The difference is that the directory (/forum/), the file name length (32 hexadecimal characters) and the extension (.php) stay constant; only the hex string changes.

Bot.C

GET /bv5EQu16/nXsAjp.exe
GET /78TYobbu/KrbVq.exe
GET /XRHRM3r.exe
GET /m4LL.exe
GET /kXHtk.exe
GET /wN7iM.exe
GET /sVK4XT.exe
GET /4M6.exe
GET /50dw.exe
GET /7U0ASvP9/AZz.exe
GET /zqDQMaNF/SRivXt.exe

Here, Bot.C randomizes its URIs while downloading other malware components. The file names are mixed-case alphanumeric strings of variable length, some requests add a random directory and some do not, and only the .exe extension is constant.

Bot.D

GET /1.exe HTTP/1.1
User-Agent: fvfeo

GET /2.exe HTTP/1.1
User-Agent: nvjqn

GET /3.exe HTTP/1.1
User-Agent: vsidw

GET /4.exe HTTP/1.1
User-Agent: fkflo

GET /5.exe HTTP/1.1
User-Agent: wvjor

GET /6.exe HTTP/1.1
User-Agent: ixvst

Bot.D is one step ahead of the other botnets: not only does it vary its URIs, it also randomizes the User-Agent header. A built-in mechanism generates a fresh five-character lower-case User-Agent string for each request while downloading secondary payloads.
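Taken together, the four samples above suggest a few cheap features a defender can score instead of matching fixed strings: hash-length hex names (Bot.B), unpronounceable consonant runs (Bot.A), names that keep flipping between cases and digits (Bot.C), and a bare short lower-case User-Agent (Bot.D). The Python below is an added example, not code from the original post. The request lines it scores are the ones shown on this page plus three benign requests constructed for contrast; the thresholds (a consonant run of four or more, two or more case/digit transitions, a User-Agent of three to eight lower-case letters) are assumptions tuned only to these samples.

```python
import re
from urllib.parse import urlsplit

VOWELS = set("aeiou")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")            # Bot.B style: 32 hex chars, MD5-length
SHORT_LOWER_UA_RE = re.compile(r"^[a-z]{3,8}$")     # Bot.D style: bare short lower-case token

# Constructed sample traffic: request lines taken from the four bots described
# above, plus a few benign requests (constructed for this example) so the
# heuristics can be seen separating the two.  Entries are (request line, User-Agent).
SAMPLE_REQUESTS = [
    ("POST /fpvxpnhnwqmxhateawxvekrjaxymunqqtrpqvics.rar", None),       # Bot.A
    ("POST /upotaflpifewjktagy.cgi", None),                             # Bot.A
    ("POST /forum/65a9534326f288454ece3884f92596a8.php", None),         # Bot.B
    ("POST /forum/00089842880169c2ef6b3ede7a885ce1.php", None),         # Bot.B
    ("GET /bv5EQu16/nXsAjp.exe", None),                                 # Bot.C
    ("GET /kXHtk.exe", None),                                           # Bot.C
    ("GET /1.exe HTTP/1.1", "fvfeo"),                                   # Bot.D
    ("GET /2.exe HTTP/1.1", "nvjqn"),                                   # Bot.D
    ("GET /images/logo.png", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),        # benign
    ("POST /forum/index.php", "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"),   # benign
    ("GET /downloads/setup.exe", "Mozilla/5.0 (Macintosh) Safari/605.1.15"),      # benign
]


def max_consonant_run(text):
    """Longest run of consecutive consonant letters (y is counted as a consonant).

    Pronounceable names rarely exceed three in a row; random letter soup does so constantly.
    """
    longest = run = 0
    for ch in text.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def class_changes(text):
    """Count transitions between lower-case, upper-case and digit characters.

    'setup' -> 0, 'm4LL' -> 2, 'nXsAjp' -> 4.  Human-chosen names seldom alternate like this.
    """
    def cls(ch):
        if ch.isdigit():
            return "d"
        return "u" if ch.isupper() else "l"

    classes = [cls(ch) for ch in text if ch.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def analyze_request(request_line, user_agent=None):
    """Return the reasons a request looks machine-generated; an empty list means nothing odd.

    Thresholds (consonant run >= 4, class changes >= 2, UA of 3-8 lower-case letters)
    are assumptions tuned only to the samples on this page, not validated constants.
    """
    reasons = []
    _method, _, target = request_line.partition(" ")
    path = urlsplit(target.split(" ", 1)[0]).path    # drop 'HTTP/1.1' and any query string
    for segment in filter(None, path.split("/")):   # score directories and the file name alike
        stem = segment.rsplit(".", 1)[0] if "." in segment else segment
        if HEX32_RE.match(stem):
            reasons.append(f"hash-like 32-hex name '{stem}'")
            continue                                  # hex strings would trip the class check too
        if max_consonant_run(stem) >= 4:
            reasons.append(f"unpronounceable name '{stem}'")
        if class_changes(stem) >= 2:
            reasons.append(f"case/digit-mixed name '{stem}'")
    if user_agent is not None and SHORT_LOWER_UA_RE.match(user_agent):
        reasons.append(f"short random-looking User-Agent '{user_agent}'")
    return reasons


def scan(requests):
    """Run analyze_request over (request line, User-Agent) pairs; return only the suspects."""
    suspects = []
    for line, ua in requests:
        reasons = analyze_request(line, ua)
        if reasons:
            suspects.append((line, reasons))
    return suspects


if __name__ == "__main__":
    flagged = dict(scan(SAMPLE_REQUESTS))
    for line, _ua in SAMPLE_REQUESTS:
        verdict = "SUSPECT" if line in flagged else "ok     "
        print(f"{verdict} {line:<55} {'; '.join(flagged.get(line, []))}")
```

Run stand-alone it marks the eight bot requests and leaves the three benign ones alone. Features like these are not a per-request verdict: a legitimate name such as "strengths" has a consonant run of five, and real sites do serve hex-named files. They earn their keep when aggregated per client, because a host that requests dozens of distinct unpronounceable or hash-like names, or rotates a new five-letter User-Agent on every download, is behaving the way none of the browsers on that network do.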

The time has come to rethink the way we catch malware CnC communication. Writing signatures for these kinds of malware is a battle in which the bot herders keep themselves one step ahead of their opponents.