RSA FirstWatch team shines a spotlight in the darker corners of the Internet to better understand online fraud and criminal trends. When possible, RSA FirstWatch members will use this space to share information about some of our findings.
In one of our daily malware reports, I noticed that the same malware filename was being downloaded from multiple IPs and multiple Domain Names. The malware itself had a pretty high detection rate on VirusTotal, and most identified the malware as Kryptik/Tepfir/Zbot/Kazy, all names for a Zbot variant.
I also noticed that each of the domains appeared to be dynamically generated with seven or eight random characters. I focused in on the domain name that was used the most. This is how it looked in the RSA Security Analytics Investigation module:
Notice the single domain name and the twenty-two destination IP addresses used over the span of 6 days? This is a strong indication of this botnet author using Fast Flux DNS to keep his botnet distribution up and active. And this same domain is no longer pointing to any addresses. The botnet author kept his domain registered for just a short period of time and then he disabled his DNS resolution.
In fact, a whois lookup shows that this domain was registered in Panama just 10 days before it was used in this fast-flux malware distribution botnet.
There were many other domains that were also used to distribute the same malware family. Each domain is added to our malicious download domains feeds within RSA Security Analytics, but I wanted to see if there was a way I could pull out just the activity that was similar to this traffic. I noticed something very unusual about the server banners on the destination IP:
There were TWO server banners. Something else unusual was the fact that there was no User-Agent string, and no client whatsoever involved in the download request:
So to detect this traffic I made a custom query to go backwards in time in our malware sandbox. This query eventually also became a rule to detect this traffic going forward:
I named it Kryptik Fast Flux Domain Download and defined it as server=apache && server begins nginx && client !exists
When I went back in history to see what other domains were behaving in a similar fashion, I saw these results:
Notice how all of these names look dynamically generated? As it turns out, each domain registered as a .com top level domain were each registered privately in Panama. Likewise, the .RU,and the .US TLDs were also registered privately at a single registrar.
In summary, we seem to be seeing a single botnet author, using the same distribution tools, allowing segments of his botnet to become active for short periods of time to distribute malware. This may represent a pay-per-use activity of the Kryptik/Zbot malware, or perhaps the botnet author is just trying to be careful. Regardless, now you can detect this activity too.
Finally, I wanted a trend report on this activity, so I created one in the alerting (Informer) module and have attached it to this post.