RSA Admin

New Kazy Variant Evades Research Detection Using "Chameleon Encoding"

Blog Post created by RSA Admin Employee on Oct 16, 2013

A new variant of the Kazy botnet was detected last week. The VirusTotal report on this variant is here. Once infected, a victim host checks in to a Russian-hosted domain that was registered by a Chinese registrant in mid-September, and downloads scripts that spam search engines in order to manipulate search results. This is typical behavior for a botnet like this, and the activity is unremarkable in every aspect. Every aspect, that is, except that the domain names are actually hex codes for the colors lavender, dark slate blue, and, according to the VirusTotal report, a shade of green too.

 

The screenshots below show what it did in our lab:

 

[Screenshot: the variant's activity in the lab]

 

And here are the search engine queries designed to influence search results.

 

[Screenshot: the search engine queries issued by the infected host]

 

What makes this part of the malware truly remarkable is that Google will refuse to return quoted search results for the domain name. If you try a Google search for these domain names, all you get is hex color codes on webpages around the world. Even if you add keywords such as "malware", "virus" or "botnet", all you get are color code results. This makes researching this threat online almost impossible, and the malware authors likely intended it that way. And since it uses color codes and hides from researchers, we are calling this evasion technique "Chameleon Encoding."

 

If you subscribe to the FirstWatch live feeds, you already have detection in place to detect this Chameleon Encoded Kazy Variant.
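
For hunting in your own DNS logs, the naming pattern described above (a domain label that is a six-digit hex color code) can be checked directly. The following Python is an added example, not RSA's or FirstWatch's detection logic; the log format, the `.example` domains and the digit/letter heuristic are assumptions, and the sample log is constructed.

```python
import re

# Standard CSS values for the two colours the post names.
KNOWN_COLOURS = {"e6e6fa": "lavender", "483d8b": "darkslateblue"}
HEX6 = re.compile(r"[0-9a-f]{6}")

# Constructed sample resolver log: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2013-10-16T09:14:02Z 10.0.0.23 e6e6fa.example.
2013-10-16T09:14:05Z 10.0.0.23 www.483D8B.example
2013-10-16T09:15:40Z 10.0.0.31 facade.example
2013-10-16T09:16:11Z 10.0.0.31 123456.example
2013-10-16T09:17:29Z 10.0.0.47 cdn.1a2b3c.example
2013-10-16T09:18:00Z malformed-line
""".splitlines()


def colour_label(qname):
    """Return the first non-TLD label that reads as a hex colour, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for label in labels[:-1]:
        if not HEX6.fullmatch(label):
            continue
        # Heuristic (assumption): all-digit labels (numeric IDs) and
        # all-letter labels (words such as "facade") are common and benign,
        # so only a known colour or a digit/letter mix is reported.
        mixed = not label.isdigit() and not label.isalpha()
        if label in KNOWN_COLOURS or mixed:
            return label
    return None


def hunt(lines):
    """Return (client, queried name, colour) for each suspicious query."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not match the assumed format
        _, client, qname = fields
        label = colour_label(qname)
        if label:
            hits.append((client, qname, KNOWN_COLOURS.get(label, "unnamed")))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Hits from a check like this are leads to triage, since legitimate hostnames can also contain six-character hex strings.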

 

Now back to the hunt!
