RSA Admin

I need to watch for 74,000 unique domains!

Blog Post created by RSA Admin Employee on Aug 22, 2012

REPOST - ORIGINALLY POSTED OCTOBER 15, 2010

 

In the “malware of the minute” news,  information surrounding the “Murofet” trojan has hit some malware research blogs.

Details around this trojan, which shares code similarities with ZeuS, can be found here:

 

 

What’s interesting about Murofet is that it borrows a page from the Conficker playbook and uses an algorithm to generate command and control domain names on the fly based on the date and time on the infected host. This makes it very difficult to take down from a defender standpoint because coordinated effort is required to control all of the possible domain names as they are detected.

 

http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html

 

In this case, reverse engineering has revealed a way to generate the domain names used by the malware in advance, which allows us to build a list of all possible domains that will be used by the malware in its current state.

 

But that brings us to our challenge. Murofet can generate 1,020 usable domain names a day… which if we say, push that out for a few months in advance, quickly reaches into the tens of thousands of possible domain names. If I’m an incident responder at a large enterprise, I may need to parse through multiple gigabytes a day of proxy logs to attempt to locate these tens of thousands of possibly malicious domains. As you can imagine, this can quickly become a very tedious and unwieldy problem.

 

One of the many strengths of the NextGen framework is that it is built around addressing this sort of “needle in a haystack” problem. The NetWitness Live system is built around the concept of using external intelligence and applying it to *your* network in real-time, with alerting and in some cases we have feeds with *millions* of entries.

 

In this case, and given a big list of Murofet domains, it is a trivial exercise to create a custom feed that identifies when they are seen on the network. Add an Informer Alert, and you have real-time notification if any one of these 74,000 domains are accessed by any of your monitored hosts. This strategy was also successfully used to track Conficker infections at some of our clients.

 

If you’d like more information on creating your own custom feeds, please see this link in the community:

 

https://www.netwitness.com/community/showthread.php?t=320

Outcomes