Research

“Blackhole” Exploit Kit DGA Analysis

By OpenDNS Security Research
Posted on July 7, 2012
Updated on July 23, 2020


[ Editor’s note: Our new security research team is cranking out information faster than we can create a security blog.  So for now, we’re sharing some of the cool stuff they are doing here. Here’s one of their first pieces, dissecting the “Blackhole” exploit kit. ]

What is the “Blackhole” Exploit Kit?

  • A very popular and customizable kit to exploit a range of client vulnerabilities via the Web.
  • Hackers license the kit (or rent an already exploited site) to cyber criminals.
  • Cyber criminals compromise Web pages and embed an invisible iFrame.
  • Potential victims visit a compromised Web page and are redirected to the hosted exploit.
  • If the victim has one of the targeted client vulnerabilities, their device is infected.
  • OpenDNS’s enforcement is device-, application-, protocol- and port-agnostic so all our users with OpenDNS malware protection are protected.
[Figure] Redirect to malware host site within invisible iframe.

What is a (DGA) Domain Generation Algorithm?

  • Multiple, frequently generated domains are used to host the exploit kit to prevent the security community from easily blocking the site or the site’s DNS record.
  • This technique has been used since 2004 for botnet controllers, but many in the security community now see it as an emerging trend for malware sites as well.
  • This new “Blackhole” variation generates one unique second-level domain every 12 hours.
  • The machine’s timestamp seeds a fixed cryptographic algorithm.
  • The algorithm produces 16-character domain labels with a .ru top-level domain.
  • Domain names produced by this algorithm have already been registered for dates about 2 months in the future.
  • OpenDNS blocks all such domains for users of our service.
[Figure] Snapshot taken on July 6 shows domains generated in the past week and two future days.

What did OpenDNS discover?

  • Domain name analysis can detect strings in domain labels whose entropy (lack of order) is a strong indicator that an algorithm, rather than a human, created the domain.
  • Very random domain name strings have a high lexical complexity.
  • These are often software generated with potential malicious origin.
  • Blackhole DGA domain complexity is graphed in red below.
  • Human-readable domain strings have a low lexical complexity.
  • These are often legitimate sites.
  • The top 1 million accessed domains’ complexity is graphed in green below.
[Figure] Lexical analysis on the domain names.
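The lexical-complexity idea above, as an added example that is not OpenDNS's own scoring code: it combines character entropy with vowel scarcity and applies the structural fingerprint the post describes (16-character label, .ru TLD). The sample domains are constructed, not real Blackhole domains, and the threshold is an assumption.

```python
import math
from collections import Counter

# Constructed sample labels (not real Blackhole domains): two 16-char
# .ru names of the shape the post describes, beside human-readable ones.
SAMPLE_DOMAINS = [
    "qkzjvxhtlmwpdrgs.ru",
    "xbwtnqlzkpvfrmjh.ru",
    "opendns.com",
    "wikipedia.org",
    "google.com",
]

VOWELS = set("aeiou")

def second_level_label(domain: str) -> str:
    """Return the label left of the TLD, e.g. 'opendns' for 'opendns.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def lexical_complexity(label: str) -> float:
    """Entropy scaled against log2(26), discounted by the vowel share:
    pronounceable words spread vowels through the label, generated ones rarely do."""
    if not label:
        return 0.0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    ent = shannon_entropy(label) / math.log2(26)
    return round(ent * (1.0 - vowel_ratio), 3)

def matches_blackhole_shape(domain: str) -> bool:
    """The post's structural fingerprint: a 16-letter label under .ru."""
    label = second_level_label(domain)
    return domain.lower().endswith(".ru") and len(label) == 16 and label.isalpha()

def classify(domain: str, threshold: float = 0.6) -> str:
    """Flag only names that match the shape AND score as high-complexity (assumed threshold)."""
    score = lexical_complexity(second_level_label(domain))
    return "likely-dga" if matches_blackhole_shape(domain) and score >= threshold else "likely-human"

def scan(domains=SAMPLE_DOMAINS) -> dict:
    return {d: classify(d) for d in domains}
```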

  • These domain names were observed to have concentrated DNS queries with short life spans, and exhibited a temporal progression every 12 hours.
  • We saw abnormally high levels of activity at the time of domain generation, which quickly faded to near zero within a day or two.
  • The few DNS queries outside this time window may be due to machines with an incorrect date set or to security research activity.
  • More than a half million connections were attempted to these malicious domains within one week (June 29-July 5, 2012).
[Figure] Trending query counts for six consecutive generated domains.
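The temporal pattern described above (a burst at generation time that fades to near zero, repeating every 12 hours), as an added detection example that is not OpenDNS's code. The hourly query counts are constructed, not OpenDNS data, and the burst and tail thresholds are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean

def constructed_queries():
    """Constructed hourly query counts (not OpenDNS data). Three generated
    domains spike at their generation time, 12 hours apart, then fade to
    near zero; one steady domain is included for contrast."""
    base = datetime(2012, 6, 29)
    spike = [4000, 2500, 900, 300, 80, 20, 5, 2] + [0] * 40
    series = {}
    for i in range(3):
        start = base + timedelta(hours=12 * i)
        series[f"gen{i}.example"] = [(start + timedelta(hours=h), c)
                                     for h, c in enumerate(spike)]
    series["steady.example"] = [(base + timedelta(hours=h), 50) for h in range(48)]
    return series

def peak_to_mean(points):
    """Ratio of the busiest hour to the average hour; about 1 for steady traffic."""
    counts = [c for _, c in points]
    avg = mean(counts)
    return max(counts) / avg if avg else 0.0

def tail_fraction(points, tail_hours=24):
    """Share of all queries that fall in the final tail_hours of the series."""
    total = sum(c for _, c in points)
    if not total:
        return 0.0
    cutoff = points[-1][0] - timedelta(hours=tail_hours)
    return sum(c for t, c in points if t > cutoff) / total

def peak_time(points):
    return max(points, key=lambda p: p[1])[0]

def is_burst_then_fade(points, min_ratio=5.0, max_tail=0.05):
    """Assumed thresholds: a sharp peak and almost no traffic in the last day."""
    return peak_to_mean(points) >= min_ratio and tail_fraction(points) <= max_tail

def detect(series):
    """Return flagged domains ordered by peak, plus hours between successive peaks
    (a steady ~12 h spacing is the DGA cadence the post reports)."""
    flagged = sorted((d for d, p in series.items() if is_burst_then_fade(p)),
                     key=lambda d: peak_time(series[d]))
    peaks = [peak_time(series[d]) for d in flagged]
    spacing = [(b - a).total_seconds() / 3600 for a, b in zip(peaks, peaks[1:])]
    return flagged, spacing
```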

  • We sampled a range of domain names generated for May 5 – Sept 23 at two points in time (July 5 and July 9).
  • The authoritative name servers used to resolve the A records for the generated domains have changed twice.
  • On July 5, three domains (https443.org, https443.net, compress.to) were hosted from a free dynamic DNS provider (https443.net via www.changeip.com).
  • On July 9, one domain (otlard.kz) was hosted from a ccTLD (country-code top-level domain).
  • The previously used name servers are no longer resolving A records for generated domains corresponding to dates before July 3rd.
  • The new name servers are not resolving A records for generated domains today or into the future.
  • We propose that the findings indicate that the operation is being brought online gradually for technical reasons or to avoid detection.
  • There has been significant press coverage of this new DGA technique over the last week, which may have prompted the hackers to move to name servers under a registry with more lax registration requirements (e.g. Kazakhstan) and to suspend active use.
[Figure] Blackhole DGA DNS resolution changes from May 5 thru September 23.

  • We also searched the public portion of the malware domain list (http://www.malwaredomainlist.com) using these ASNs and found that ASNs 16265 and 39743 were flagged multiple times for hosting malicious domains or IPs in the past.
[Figure] Malware domain list search results.

OpenDNS found conclusive evidence that the domain names discovered were generated by software with malicious intent.

  • All future domains using this DGA are included in our inbound malware protection for OpenDNS Enterprise Insights and Enterprise customers.
