Last Wednesday morning, João Gouveia from AnubisNetworks’ research lab (@jgouv) tweeted about a new large botnet he spotted and posted a great blog describing the early stages of this botnet’s spread that he dubbed UnknownDGA17.
According to Gouveia, the botnet spread at a rapid pace to infect 150,000 devices within hours. He also showed that “a total of 21 different domain names were being used at the time of the initial analysis” as CnCs. AnubisNetworks promptly sinkholed these domains to monitor the evolution of the infection. Gouveia revealed that the 21 domains were all registered under the .su ccTLD but did not disclose the full domain names.
The first CnC
As the workday started, I was curious to see what information OpenDNS traffic data could tell us about this botnet and if the Security Graph could help us find more. I was not disappointed. First, by checking our authoritative DNS traffic of Oct 9th for all .su domains, it was possible to spot an initial CnC. Thankfully, that initial CnC was already blocked by our team. A few hours after his first tweet, I replied to @jgouv that OpenDNS also saw a surge in traffic to one of the .su CnC domains.
The remaining CnCs
Next, it was important to see if we could find the other related CnC domains using the co-occurrences model. Co-occurrence is a very effective investigative model that we regularly use in gathering intelligence about all kinds of threats . Applying the model to the initial CnC domain, it was possible to discover all the remaining 20 .su domains as can be seen on the Security Graph screenshot below.
In order to protect our customers, we blocked all 21 CnC domains as soon as they were discovered, and we will continue to monitor this threat. For example, we can see in the screenshot below that traffic to the CnCs remains high.
In the screenshot below, we can see how the Security Graph can also help visually spot co-occurring or related domains by starting from an initial domain and expanding to the other vertices in the co-occurrences graph.
Worldwide Botnet Spread
On the map below, we show the worldwide volume of DNS traffic to these 21 CnC domains that we recorded on Oct 9th. From this daily sample, we see that the top 10 countries generating traffic to the botnet CnCs are Vietnam, Algeria, Turkey, Brazil, Venezuela, Indonesia, France, Russia, India, and Italy.
I was also curious to see if any of the infected IPs looking up the new botnet’s CnCs were tied to the Kelihos botnet, another botnet we’ve been monitoring for some time . It came as no surprise that a few infected client IPs that were phoning to UnknownDGA17’s CnCs were also part of the Kelihos botnet. These IPs were located in Ukraine, Vietnam, and India and have hosted known (now defunct) fast flux Kelihos domains: syqholu.com, and widerat.com. This demonstrates once again that botnets often have overlapping sets of victims either by using each others’ infrastructures, or by indistinguishably infecting machines on a large scale with as many malware families as possible. We saw this recently when we showed that ZeroAccess supernodes can also be part of the Kelihos botnet , and we’ll continue investigating this phenomenon in the future.