Wednesday, November 28, 2012

Observation on RunForestRun Pseudo Random Domain

RunForestRun has known for its technique that inject an iframe along with the use of pseudo random domain in its source.

Despite that its pseudo random algorithm are available to analyze, and we can predict the attack domain every day, but it still seems to be immune like no body knows what domain it going to use tomorrow.


As for me, even though the technique that it used is not new, I find the technique interesting since this approach is not commonly use for web malwares.

Looking at the code below, we can see that it inject an iframe that will redirect users to malicious site. A pseudo random domain is generated through generatePseudoRandomString() function and return a 16 random character of .ru domain that'll be used inside the iframe src along with "runforestrun?sid=botnet2".


The initial component in this technique that help generate pseudo random domain is Date() value. By manipulating the Date() value, it can provide us with the attack domain that will be used on any given date.

The manipulation, obviously can be done by changing Date() into a form where we can add or subtract any value to represent the date of tomorrow or yesterday.

var d = new Date();
var n = d.valueOf();
print(d);
print(n);

>> Wed Nov 28 2012 11:51:07 GMT+0000 (UTC)
>> 1354103467874

var d = new Date(new Date().setDate(new Date().getDate()));
var n = d.valueOf();
print(d);
print(n);

>> Wed Nov 28 2012 11:51:07 GMT+0000 (UTC)
>> 1354103467874

The code above are just a workaround for me to say that the value of Date() and Date(new Date().setDate(new Date().getDate())) is equivalent, so we can manipulate to get the value for any date especially on sequential manner.

var d = new Date(new Date().setDate(new Date().getDate()-1));
var n = d.valueOf();
print(d);
print(n);

>> Tue Nov 27 2012 12:01:51 GMT+0000 (UTC)
>> 1354017711629

By modifying the line, var unix = Math.round(+new Date()/1000); on the malicious iframe code with the workaround code above, we can get the valid generated domain name according to this exploit kit.

Observation

As I mentioned earlier, with pseudo random domain generator in RunForestRun, it help us list-down and identify what domain that it'll use for the whole year. We can also identify which domain has been registered and whether or not it currently pointing to any IP.

From my observation from Jun 08 2012 until Nov 27 2012, there is 98 registered domains out of 173, and 2 domains are up and pointing to IP 91.233.244.102.

Below are some of the results that I during analysis:


Date() - i      Generated Domain         Status          Registered on   IP Address
=======================================================================================
2012-06-08      kwlefwlcclsjavfk.ru      Not registered
2012-06-09      wiombejwxrddpkkx.ru      Registered      2012.06.08
2012-06-10      jwqbrhwarzjrglbn.ru      Registered      2012.06.08
2012-06-11      uitjsdpvrfgfdhff.ru      Registered      2012.06.08
2012-06-12      hvuwhwqtoyidfrjg.ru      Registered      2012.06.08
2012-06-13      thxgfffpsvjdxcal.ru      Not registered
2012-06-14      gvztjrlasdnlbiei.ru      Registered      2012.06.13
2012-06-15      shderldqiqdtdcmu.ru      Registered      2012.06.13
2012-06-16      fufsbovwfzjumtle.ru      Registered      2012.06.13
2012-06-17      qhibjmjlnpyovmbn.ru      Registered      2012.06.13
2012-06-18      dujovshpvbxgrikw.ru      Registered      2012.06.13
2012-06-19      pgmxykzlqomziebp.ru      Registered      2012.06.13
2012-06-20      ctolfpcqldrvxvml.ru      Registered      2012.06.13
2012-06-21      ogrtlmpkqtwmweff.ru      Registered      2012.06.13
2012-06-22      atsihkcljrqlzvku.ru      Registered      2012.06.13
...
...
...
2012-11-04      chejtfoppvupcbhb.ru      Not registered
2012-11-05      otfrbymbgbedozxa.ru      Not registered
2012-11-06      bhigmqckbqhleqlo.ru      Registered      2012.11.06      91.233.244.102
2012-11-07      nsjosicxuhpidhlp.ru      Registered      2012.11.06      91.233.244.102
2012-11-08      yemwipgbsfdgxtwi.ru      Not registered
2012-11-09      lsokebdprtyhsbso.ru      Not registered
2012-11-10      xertaijuellzduaa.ru      Not registered
2012-11-11      krthwjspcpcdpxec.ru      Not registered
2012-11-12      wewpsgubuacxxkyj.ru      Not registered
2012-11-13      jrxeivysebbxnnty.ru      Not registered
2012-11-14      udbofptfthduxtto.ru      Not registered
2012-11-15      hqdcbscxwipgaobv.ru      Not registered
2012-11-16      tdglwoshlnadoxsd.ru      Not registered
2012-11-17      gqhybmnnxsndsdvj.ru      Not registered
2012-11-18      sckhoyvbrxscgfxt.ru      Not registered
2012-11-19      fpmusbtknvzptyyp.ru      Not registered
2012-11-20      qcpebbxufztcjenw.ru      Not registered
2012-11-21      dprrmhvxeedvldhh.ru      Not registered
2012-11-22      pbubsisvkxfvlqpr.ru      Not registered
2012-11-23      cpvogtshwgqsvrmm.ru      Not registered
2012-11-24      obywijqviuwhbjhf.ru      Not registered
2012-11-25      bobmzdnfgnramikr.ru      Not registered
2012-11-26      maevlhrskhtpwduy.ru      Not registered
2012-11-27      ymfemzowodecdxjg.ru      Not registered

Full list can be viewed here.

No comments:

Post a Comment