Wednesday, July 29, 2015

Indicators - Banking Trojan

Threat: Banking Trojan / ZeuS

These domain requests lit up the DNS logs. After an executable delivered by email is run, the malware attempts many DNS requests to the sites below. There are some good indicators here, along with a regex to help you find the activity in your logs or PCAP files.

Network Analysis:

The malware will make multiple DNS type A queries and HTTP POST connections to the following second-level domains (SLDs):
  • dwhxopmcgpix
  • hrjyvfeduuts
  • ipjbvvnjobll
  • jmdwnsmripqn
  • lgccwnffuuwx
  • ncdebbobqmyi
  • njbkkylgqqqp
  • nmhvbbgccckx
  • nnqksrgtdhjk
  • omiwfmnejorf
  • owvcjnfuwtoo
  • pckffwcqdebn
  • pdvxqjnssltt
  • piwxvumpyptp
  • ruutsckgffnj
  • smqwonbiiymq
  • ttsjrnffxovu
  • wwxthsqmupii
Each of these SLDs is followed by one of four top-level domains (TLDs):
  • .com
  • .in
  • .net
  • .ru
Altogether it repeatedly makes 72 DNS type A requests (18 SLDs x 4 TLDs). It also makes a single request to the following host:
  • f02783mat0i5r1t.cc
There is also a unique HTTP URI path used when the malware attempts to make HTTP requests:
  • /for193gd63891mat/
Observations:

Each SLD is 12 characters long and is followed by one of the four TLDs above; the oddball domain (f02783mat0i5r1t.cc) is the only exception. The SLDs use only letters of the English alphabet, never 'a' or 'z'; again, the f02783mat0i5r1t.cc domain is the only exception. All HTTP requests are POST over port 80.

Regex:

The following regex should find any of the above hosts.
  • ([b-y]{12})([\.](com|in|net|ru))
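The following script is an added example for turning the indicators above into a log check; it is not part of the original post. It builds the 72 generated hosts from the SLD and TLD lists, applies the post's regex with lookarounds added so a 12-letter tail of a longer, unrelated label does not trigger it, and separately matches the f02783mat0i5r1t.cc host and the /for193gd63891mat/ path, since neither fits the [b-y]{12} pattern. The log lines, the `client=` / `query=` field layout and the two-domain threshold are constructed assumptions for the demo.

```python
import re
from itertools import product

# Indicators exactly as listed in the post.
SLDS = [
    "dwhxopmcgpix", "hrjyvfeduuts", "ipjbvvnjobll", "jmdwnsmripqn",
    "lgccwnffuuwx", "ncdebbobqmyi", "njbkkylgqqqp", "nmhvbbgccckx",
    "nnqksrgtdhjk", "omiwfmnejorf", "owvcjnfuwtoo", "pckffwcqdebn",
    "pdvxqjnssltt", "piwxvumpyptp", "ruutsckgffnj", "smqwonbiiymq",
    "ttsjrnffxovu", "wwxthsqmupii",
]
TLDS = ["com", "in", "net", "ru"]
ODDBALL_HOST = "f02783mat0i5r1t.cc"
URI_PATH = "/for193gd63891mat/"

# The post's regex, anchored with lookarounds so it matches a whole label pair
# and not the last 12 letters of a longer label (e.g. notbcdefghijklm.net).
GENERATED_RE = re.compile(r"(?<![a-z0-9-])[b-y]{12}\.(?:com|in|net|ru)(?![a-z0-9-])")
CLIENT_RE = re.compile(r"client=(\S+)")  # assumed log field layout

# Constructed sample log lines for the demo, not real captures.
LOG_LINES = [
    "2015-07-29T10:01:02 dns client=10.0.0.5 query=dwhxopmcgpix.com type=A",
    "2015-07-29T10:01:03 dns client=10.0.0.5 query=nnqksrgtdhjk.ru type=A",
    "2015-07-29T10:01:04 dns client=10.0.0.5 query=f02783mat0i5r1t.cc type=A",
    "2015-07-29T10:01:05 dns client=10.0.0.7 query=www.example.com type=A",
    "2015-07-29T10:01:06 http client=10.0.0.5 method=POST host=lgccwnffuuwx.net uri=/for193gd63891mat/ port=80",
    "2015-07-29T10:01:07 dns client=10.0.0.9 query=bcdefghijklm.net type=A",
    "2015-07-29T10:01:08 dns client=10.0.0.9 query=notbcdefghijklm.net type=A",
]


def known_domains():
    """The 72 hosts implied by the post (18 SLDs x 4 TLDs) plus the oddball host."""
    return {f"{s}.{t}" for s, t in product(SLDS, TLDS)} | {ODDBALL_HOST}


def scan_lines(lines):
    """Return one (line_no, client, reason, indicator) tuple per indicator found.

    reason is one of:
      known_uri_path  - the POST path from the post
      listed_domain   - one of the 72 generated domains
      pattern_domain  - fits [b-y]{12}.<tld> but is not in the list
      oddball_host    - f02783mat0i5r1t.cc, which the regex cannot match
    """
    listed = known_domains()
    hits = []
    for no, line in enumerate(lines, 1):
        low = line.lower()
        m = CLIENT_RE.search(low)
        client = m.group(1) if m else "?"
        if URI_PATH in low:
            hits.append((no, client, "known_uri_path", URI_PATH))
        for host in GENERATED_RE.findall(low):
            reason = "listed_domain" if host in listed else "pattern_domain"
            hits.append((no, client, reason, host))
        if ODDBALL_HOST in low:
            hits.append((no, client, "oddball_host", ODDBALL_HOST))
    return hits


def suspicious_clients(hits, min_domains=2):
    """Clients that touched at least min_domains distinct indicator hosts.

    One pattern_domain hit can be chance; the behaviour described in the post is
    a burst of many distinct queries, so count distinct hosts per client.
    """
    seen = {}
    for _, client, reason, indicator in hits:
        if reason != "known_uri_path":
            seen.setdefault(client, set()).add(indicator)
    return {c for c, hosts in seen.items() if len(hosts) >= min_domains}


if __name__ == "__main__":
    found = scan_lines(LOG_LINES)
    for hit in found:
        print(hit)
    print("suspicious clients:", suspicious_clients(found))
```

The pattern_domain tier is there because the regex is broader than the list: it will also flag 12-letter [b-y] hosts the post did not see, which is useful for variants but also why the per-client threshold matters before anyone raises an alert on a single query.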
Further Information:
