We often talk about the dynamic nature of botnets and the way in which they’re evolving. Today I want to brief you about a new botnet operational model we’ve run into – something that doesn’t fit any of the classical categories (if there ever was such a thing).
The nature of this botnet doesn’t fit into the fast-flux, double-flux or domain-flux models. While it fluxes its IP addresses, the pool is sufficiently small for me to say “not really” to it being fast-flux. The same applies to double-fluxing. As for domain-fluxing – well, yes, but in quite a different manner and the weighting is all wrong.
This particular botnet is clearly associated with the Canadian Pharmacy scams, but is almost certainly operated by an affiliate who knows their botnets.
The botnet I’m discussing here is quite different to the one I covered last week in my Takedown-resistant Double-fluxing Pharma-bots blog. This new botnet is more complex.
Note: For the purpose of this blog, I’m going to restrict the analysis to the findings from a single Damballa sensor – partly because I’m being lazy in not wanting to correlate data from multiple sensors (this is after all only a blog – not a whitepaper), but also because any additional correlation would only increase the wild-carded domain numbers I describe, and very little else.
Massive Domain Cycling
This particular (small) botnet, which we’ve been intensively monitoring since March 2009, consists of close to 100 distinct/compromised hosts. But on any single day only about a third of them are tasked with supporting the “fast-flux” side of the pharma-bot operation – which to my mind is too low to really be called fast-flux, and is more like just a large round-robin IP pool – and the average TTL is 1 hour (which, once again, doesn’t fit the typical fast-flux model). Each new day sees about half of those IP addresses change to another subset of the original 100.
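The classification argument above (a small pool, only part of it active on any day, roughly half the active addresses swapped daily, hour-long TTLs) is easy to turn into a few metrics computed over sensor observations. The following is an added example, not Damballa’s tooling or the post’s data: it builds a constructed set of daily resolutions from a 12-host pool of RFC 5737 documentation addresses (standing in for the ~100 hosts described), computes pool size, daily active fraction, day-over-day churn and mean TTL, and applies heuristic labels whose thresholds are assumptions chosen for illustration.

```python
from statistics import mean

# Constructed sample data, not the Damballa sensor feed described in the post.
# A 12-host pool (RFC 5737 documentation addresses) stands in for the ~100 hosts;
# the queried domain is one of the post's examples.
POOL = [f"192.0.2.{i}" for i in range(1, 13)]
DAYS = ["2009-06-22", "2009-06-23", "2009-06-24"]


def build_observations(ttl=3600, step=2, window=4):
    """Return (day, domain, ip, ttl) tuples. Each day tasks `window` hosts from the
    pool and the window slides by `step` hosts per day, so step=2 replaces half of
    the active IPs daily (the post's behaviour) and step=window replaces all of them."""
    obs = []
    for i, day in enumerate(DAYS):
        for ip in POOL[i * step:i * step + window]:
            obs.append((day, "mge.paybilej.cn", ip, ttl))
    return obs


def daily_ip_sets(observations):
    days = {}
    for day, _domain, ip, _ttl in observations:
        days.setdefault(day, set()).add(ip)
    return days


def flux_metrics(observations):
    """Pool size, mean share of the pool active per day, mean day-over-day churn
    (share of yesterday's IPs that are absent today) and mean TTL."""
    days = daily_ip_sets(observations)
    pool = set().union(*days.values())
    ordered = sorted(days)
    churn = [len(days[a] - days[b]) / len(days[a]) for a, b in zip(ordered, ordered[1:])]
    return {
        "pool_size": len(pool),
        "mean_active_fraction": mean(len(days[d]) / len(pool) for d in ordered),
        "mean_daily_churn": mean(churn) if churn else 0.0,
        "mean_ttl": mean(ttl for _, _, _, ttl in observations),
    }


def classify(m, fast_flux_max_ttl=600, fast_flux_min_churn=0.9, cycling_min_churn=0.25):
    """Heuristic label. The thresholds are assumptions for illustration: classic
    fast-flux pairs minute-scale TTLs with near-total daily turnover, whereas the
    post's botnet keeps an hour-long TTL and swaps about half the active IPs a day."""
    if m["mean_ttl"] <= fast_flux_max_ttl and m["mean_daily_churn"] >= fast_flux_min_churn:
        return "fast-flux"
    if m["mean_daily_churn"] >= cycling_min_churn:
        return "slow-cycling round-robin pool"
    return "static hosting"


if __name__ == "__main__":
    for label, kwargs in (("post-like", {}), ("fast-flux-like", {"ttl": 300, "step": 4})):
        m = flux_metrics(build_observations(**kwargs))
        print(label, m, "->", classify(m))
```

Run as-is it prints two rows: the post-like pattern (TTL 3600, half the window replaced daily) lands in the round-robin bucket, while a variant with a 300-second TTL and complete daily turnover is labelled fast-flux. Over a real feed the same functions run unchanged; only the observation tuples change.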
More interesting, though, is the fact that this network has been observed supporting some 2,156,543 domains since March – which is colossal. What this means is that this botnet is currently using more than two million domains to direct/trick their victims into going to a web site trying to sell drugs from Canada.
Typical domains being used include:
- mge.paybilej.cn
- mghg11.nanjurar.cn
- mgio1.dobyiruj.cn
- mgkx.zexdorew.cn
- mgmv.yaddujex.cn
- mgqb20.pograxiz.cn
- mgry58.gushicah.cn
- mgug87.kezmacub.cn
- mgyh.facnafik.cn
- mgyli35.zuyrowib.cn, etc.
When we look at the complete domains, we see that the 2+ million domains break down into the following TLDs:
- 1693238 .cn
- 421517 .com
- 41275 .ru
- 387 .net
- 57 .org
- 29 .im
- 19 .pl
- 19 .in
- 2 .mobi
On closer inspection, it’s clear that this botnet uses domain wild-carding. As such, this botnet is currently managing more than 25,000 individual domain registrations (with more being added each day – faster than they are being shut down). That’s considerably more than the botnet I discussed last week – and the largest domain-to-IP ratio I’ve seen for any botnet thus far.
It’s not insignificant from a financial perspective either. Do you know how much money it costs to register 25,000 domains? It’s typically $20 to register a single .CN domain in the US – so this could represent as much as a $500k up-front investment by the criminals behind this particular botnet.
The breakdown of these registered domains is:
- 18877 .cn
- 5837 .com
- 572 .ru
- 41 .org
- 38 .net
- 14 .im
- 10 .pl
- 9 .in
- 1 .mobi
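The step from the 2+ million observed FQDNs to the ~25,000 registrations above is a collapse of each host name onto its registrable domain, followed by a count per TLD; the spread of distinct host labels under a single registration is what gives the wild-carding away. The following is an added example of that reduction, not the post’s own analysis code: the FQDN list is a constructed stand-in (a few of the post’s example hosts plus made-up siblings and two made-up registrations), and the registrable-domain rule is a deliberate simplification that a real analysis would replace with the Public Suffix List.

```python
from collections import Counter, defaultdict

# Constructed sample of observed FQDNs: a few of the post's example hosts plus made-up
# siblings under the same registrations and two made-up registrations in other TLDs.
# The real dataset is the 2+ million records the post describes; this is a stand-in.
SAMPLE_FQDNS = [
    "mge.paybilej.cn", "mghg11.paybilej.cn", "abcd7.paybilej.cn",
    "mgkx.zexdorew.cn", "mgqb20.zexdorew.cn",
    "mgry58.gushicah.cn",
    "x1.pharma-example.com", "x2.pharma-example.com",
    "x3.pharma-example.com", "x4.pharma-example.com",
    "ns1.ns-example.ru",
]

# Assumption: the registration unit is the rightmost two labels, except under the listed
# public second-level suffixes. A production version would consult the Public Suffix List.
PUBLIC_SECOND_LEVEL = {"com.cn", "net.cn", "org.cn", "co.in", "net.ru", "org.ru"}


def registrable_domain(fqdn):
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tld_breakdown(fqdns):
    """Per TLD: (number of distinct FQDNs, number of distinct registrations)."""
    fqdn_count = Counter()
    registrations = defaultdict(set)
    for f in set(fqdns):
        tld = f.lower().rstrip(".").rsplit(".", 1)[-1]
        fqdn_count[tld] += 1
        registrations[tld].add(registrable_domain(f))
    return {tld: (fqdn_count[tld], len(registrations[tld])) for tld in sorted(fqdn_count)}


def wildcard_suspects(fqdns, min_hosts=3):
    """Registrations carrying at least `min_hosts` distinct host labels: the pattern a
    wild-card record produces when the operator hands out arbitrary subdomains."""
    hosts = defaultdict(set)
    for f in set(fqdns):
        hosts[registrable_domain(f)].add(f.lower())
    return {d: len(h) for d, h in sorted(hosts.items()) if len(h) >= min_hosts}


def domain_to_registration_ratio(fqdns):
    """Observed FQDNs per paid registration, the multiplier wild-carding buys."""
    breakdown = tld_breakdown(fqdns)
    total_fqdns = sum(n for n, _ in breakdown.values())
    total_regs = sum(r for _, r in breakdown.values())
    return total_fqdns / total_regs


if __name__ == "__main__":
    print(tld_breakdown(SAMPLE_FQDNS))
    print(wildcard_suspects(SAMPLE_FQDNS))
    print(f"{domain_to_registration_ratio(SAMPLE_FQDNS):.1f} FQDNs per registration")
```

On the sample this yields three .cn registrations behind six host names, one .com registration behind four, and the two registrations with three or more host labels flagged as wild-card suspects. The ratio function is the one to watch over time: a rising FQDN-per-registration figure with a flat registration count means the operator is minting host names for free under existing wild-cards rather than buying new domains.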
Some of the TLDs/ccTLDs in use are a little unexpected too. In fact this is the first time I’ve ever noticed .im being used for botnets (I had to look up the .im ccTLD – it’s the Isle of Man). The .im, .in, .ip and .ru domains all appear to be used for domain names related to the name servers that resolve the IP addresses to the scam websites.
The domain names referenced by the botnet operator for hosting the actual Canadian Drugs scam web site are a much smaller subset – for example, www.medslovecalm. com and www.amazingpharmsfound. com – and are often flagged by Web filtering software as scam sites (but they’re still operating!).
Strangeness
At the beginning of this blog I mentioned some additional strangeness that I’m still trying to figure out.
–Note @11:00am Friday — I’ve figured it out now after a couple of helpful folks pointed me in the right direction. Serves me right for trying to analyze and blog in the middle of the night. — Gunter
Take a look at the following resolutions to the two host names I mentioned last…
www.medslovecalm. com
; <<>> DiG 9.3.6-P1 <<>> www.medslovecalm.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53717
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;www.medslovecalm.com. IN A

;; ANSWER SECTION:
www.medslovecalm.com. 172800 IN A 112.137.162.143

;; AUTHORITY SECTION:
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.

;; ADDITIONAL SECTION:
g.gtld-servers.net. 172800 IN A 192.42.93.30
a.gtld-servers.net. 172800 IN A 192.5.6.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
c.gtld-servers.net. 172800 IN A 192.26.92.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
j.gtld-servers.net. 172800 IN A 192.48.79.30

;; Query time: 209 msec
;; WHEN: Wed Jun 24 16:08:36 2009
;; MSG SIZE rcvd: 498
www.amazingpharmsfound. com
$ dig @192.33.14.30 www.amazingpharmsfound.com

; <<>> DiG 9.5.1-P1 <<>> www.amazingpharmsfound.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38961
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.amazingpharmsfound.com. IN A

;; ANSWER SECTION:
www.amazingpharmsfound.com. 172800 IN A 112.137.162.143

;; AUTHORITY SECTION:
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.

;; ADDITIONAL SECTION:
f.gtld-servers.net. 172800 IN A 192.35.51.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30

;; Query time: 127 msec
;; WHEN: Wed Jun 24 14:43:56 2009
;; MSG SIZE rcvd: 504
… notice anything weird? Yeah, that’s right, the authoritative answer for these resolved IP addresses appears to come directly from the .com TLD name servers. I was under the assumption you’re not supposed to do things this way (– @11:00am – but my perceptions as to how this part of DNS is supposed to/ought to work have now been corrected. You learn something new every day.)
I’m not sure (– @11:00am – but am now…) why this is happening (beyond giving your web server and name server the same IP address). If I had seen this only once, then I’d have attributed it to some kind of fluke or broken record. But to see it happen consistently with domains associated with this particular pharma-bot is strange – and, to some degree, a fingerprint for this particular operator (or protégés)?
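If the pattern in the two captures really is an operator fingerprint, it is worth being able to test for it mechanically: an A record in the ANSWER section, the aa flag set, and nothing but TLD servers in AUTHORITY. The following is an added example, not part of the post: a small parser for dig’s text output and a check for that combination. The two embedded responses are constructed; the first is modelled on the post’s capture (same query name, answer and flags, cut down to two NS records), the second is a made-up ordinary answer for www.example.com served by the domain’s own name server.

```python
import re

# Constructed dig-style responses, modelled on the post's two captures but cut down to two
# NS records each. TLD_ANSWER reproduces the odd case (A answer plus the AA flag, with only
# .com TLD servers in AUTHORITY); NORMAL_ANSWER is what an answer from the domain's own
# name server looks like, using made-up example.com records.
TLD_ANSWER = """\
; <<>> DiG 9.3.6-P1 <<>> www.medslovecalm.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53717
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.medslovecalm.com.\t\tIN\tA

;; ANSWER SECTION:
www.medslovecalm.com.\t172800\tIN\tA\t112.137.162.143

;; AUTHORITY SECTION:
com.\t\t\t172800\tIN\tNS\tg.gtld-servers.net.
com.\t\t\t172800\tIN\tNS\ta.gtld-servers.net.

;; ADDITIONAL SECTION:
g.gtld-servers.net.\t172800\tIN\tA\t192.42.93.30
a.gtld-servers.net.\t172800\tIN\tA\t192.5.6.30
"""

NORMAL_ANSWER = """\
; <<>> DiG 9.3.6-P1 <<>> www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.\t300\tIN\tA\t192.0.2.10

;; AUTHORITY SECTION:
example.com.\t\t300\tIN\tNS\tns1.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.\t300\tIN\tA\t192.0.2.53
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
RECORD_SECTIONS = ("answer", "authority", "additional")


def parse_dig(text):
    """Minimal parser for dig's text output: the header flags plus the resource
    records in the ANSWER, AUTHORITY and ADDITIONAL sections."""
    parsed = {"flags": set(), "answer": [], "authority": [], "additional": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; flags:"):
            parsed["flags"] = set(line[len(";; flags:"):].split(";", 1)[0].split())
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        # Comment lines (";"), blank lines and the QUESTION section carry no records.
        if not line or line.startswith(";") or section not in RECORD_SECTIONS:
            continue
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        parsed[section].append(
            {"name": name, "ttl": int(ttl), "class": rclass, "type": rtype, "rdata": rdata}
        )
    return parsed


def answered_authoritatively_by_tld(parsed, tld_ns_suffix=".gtld-servers.net."):
    """The fingerprint the post describes: an A record in ANSWER, the AA flag set, and
    every NS in AUTHORITY being a TLD server rather than a server inside the domain."""
    ns = [r["rdata"] for r in parsed["authority"] if r["type"] == "NS"]
    has_a = any(r["type"] == "A" for r in parsed["answer"])
    return "aa" in parsed["flags"] and has_a and bool(ns) and all(n.endswith(tld_ns_suffix) for n in ns)


if __name__ == "__main__":
    for label, text in (("post-like capture", TLD_ANSWER), ("ordinary answer", NORMAL_ANSWER)):
        print(label, "->", answered_authoritatively_by_tld(parse_dig(text)))
```

The suffix defaults to the .com/.net gTLD servers seen in the captures; for other TLDs pass the suffix of that registry’s servers. The check is a triage signal rather than proof of anything on its own: the mechanism the post alludes to (web server and name server sharing an address) is legitimate DNS, since a registry can hold a glue A record for a name-server host that sits inside the delegated zone. What makes it useful here is consistency across many domains tied to one operation, which is the fingerprint the post is pointing at.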
– Gunter Ollmann, VP Research
– Credit to Roberto Perdisci for the detailed analysis