The malware, which MD5 is c740789d5b226668f8a37626883fd0b7, is detected by AVAST as Win32:Dropper-KRG [Drp] and by Sophos as Mal/Steppa-A. The dataset where this behavior was found can be downloaded from CTU-Malware-Capture-Botnet-31 and took place between Nov 2013 and Jan 2014 in our capture facility. In the capture file 2013-11-25_capture-win7-3.pcap it can be seen that there is a large group of packets going to the IP address 126.96.36.199, destination port 53/TCP. The content of these packets are DNS requests asking for domains being generated with a DGA. For example:
These connections differentiate from a normal DNS requests because:
- They use the TCP protocol instead of UDP.
- They are being made to a DNS server chosen by the attacker and not to the one defined by the network.
Even more, the simple trick of using TCP works well because some analysis tools, such as passivedns, fail to find the requests.
The analysis of all these DNS request using our behavioral state model (CCDetector.py tool) shows that the requests are not periodic. The following are a sample of the flows sent in these DNS requests:
"Time" "Time Difference 1 (T1)" "Time Difference 2 (T2)" "Difference of Time Differences (TD)"
01:03:07.901969, T1=-1, T2=-1, TD= 0.0
01:03:13.099428, T1=-1, T2=5.197459, TD= 0.0
01:03:13.970381, T1=5.197459, T2=0.870953, TD= -4.3
01:04:32.543049, T1=0.870953, T2=78.572668, TD= 77.7
01:05:29.735165, T1=78.572668, T2=57.192116, TD= -21.4
01:05:35.954195, T1=57.192116, T2=6.21903, TD= -51.0
01:05:45.808630, T1=6.21903, T2=9.854435, TD= 3.6
01:05:57.415327, T1=9.854435, T2=11.606697, TD= 1.8
01:06:43.150694, T1=11.606697, T2=45.735367, TD= 34.1
01:07:00.225639, T1=45.735367, T2=17.074945, TD= -28.7
The columns mean:
- "Time of flow": Time when the flow was seen.
- "Time Difference 1-2": Time between the current flow and the previous one.
- "Time Difference 2-3": Time between the previous flow and the 2nd previous flow.
- "Difference of Time Differences": Difference between Time Difference 1 and Time Difference 2.
The TD value is a good indicator of the periodicity of the requests. When TD is close to 0, it means that the flows are more periodic. In this case we can see that there is no periodicity. However, it is interesting that the T1 values seem to be very different, and this is not usually the case with programs that try to communicate with their C&C server often. So we decided to analyze the values of the T1 column to see if there was a relationship between them. A quick plot of its probability distribution show us this:
- Median = 23 seconds
- Mean = 44 seconds
- Max value = 55200 seconds
- Stdev = 556