Dec 6, 2012

Another Implementation of Pseudo Random Domain for Web Malware

In my previous post, I discussed the pseudo-random domain generator used by a RunForestRun malware variant.

In this post, we look at a slightly different implementation of a pseudo-random domain generator.

Unlike the earlier RunForestRun generator, which randomized a .ru domain, this implementation makes full use of the dynamic DNS service offered by ChangeIP.

This generator produces a random subdomain under the dynamic DNS domain. The advantage of using a dynamic DNS service is that the attacker does not have to buy domains; they only need to register the random subdomain generated for that particular date.

This technique, however, still does not stop security researchers from predicting the malicious sites that will be generated in the future. Using the workaround I showed in my previous post, I generated the 27 malicious domains for 05 Dec - 31 Dec 2012, and of those 27 only 1 currently points to an IP.

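As an added example that is not part of the original post, here is a defender-side check run over constructed DNS query log lines: it flags lookups to the ChangeIP dynamic DNS zone whose leftmost label has the vowel-poor, consonant-cluster shape of the generated subdomains, so that a predicted or observed subdomain can be spotted in resolver logs rather than only pre-resolved by hand. The log format, the thresholds and the watched-zone list are assumptions.

```python
import re

# Constructed sample for this example. mynumber.org is the ChangeIP dynamic DNS
# zone named in the post; the log format and thresholds below are assumptions.
WATCHED_DYNDNS_ZONES = {"mynumber.org"}
VOWELS = set("aeiou")
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

def vowel_ratio(label: str) -> float:
    """Fraction of vowels; generated labels sit well below natural-language names."""
    return sum(ch in VOWELS for ch in label) / len(label)

def longest_consonant_run(label: str) -> int:
    """Longest run of non-vowel characters (y is treated as a consonant)."""
    best = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best

def looks_generated(label: str, min_len=12, max_vowel_ratio=0.3, min_run=4) -> bool:
    """Shape of the subdomains this variant emits: long, all lowercase ASCII
    letters, vowel-poor, with consonant clusters no real word has (thresholds assumed)."""
    return (len(label) >= min_len and label.isascii() and label.isalpha()
            and label.islower() and vowel_ratio(label) <= max_vowel_ratio
            and longest_consonant_run(label) >= min_run)

def flag_dga_queries(lines):
    """Return (timestamp, client, qname) for queries to a watched dynamic DNS
    zone whose leftmost label looks machine-generated."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = m["qname"].lower().rstrip(".").split(".")
        label, zone = parts[0], ".".join(parts[-2:])
        if len(parts) >= 3 and zone in WATCHED_DYNDNS_ZONES and looks_generated(label):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits

# Constructed DNS query log: timestamp, client, the word "query", qname.
SAMPLE_LOG = """\
2012-12-05T10:01:02 10.0.0.5 query gcrrracfwwwririp.mynumber.org
2012-12-05T10:01:03 10.0.0.5 query www.example.com
2012-12-05T10:02:10 10.0.0.7 query myhomeserver.mynumber.org
2012-12-06T09:15:00 10.0.0.9 query fhgwhiaerijqcffd.mynumber.org
2012-12-06T09:15:01 10.0.0.9 query gcrrracfwwwririp.example.com
""".splitlines()
```

The legitimate-looking dynamic DNS host (myhomeserver) passes the length test but fails the vowel-ratio and consonant-run checks, which is the distinction the heuristic relies on; the last line shows that the zone filter, not the label alone, decides.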