For the past two weeks, since Oct 9th, we’ve observed a high volume of periodic nxdomain lookups in our DNS traffic to a number of Domain Generation Algorithm (DGA) domains. In investigating these domains we found a few curious patterns in when and how they seemed to appear.
A DGA is a technique that uses a random or dynamic component in its logic to generate domain names. This component can be a random number or the current time, and combined with alphanumeric characters, the algorithm will generate a new different domain name in every iteration. DGA domain names are typically generated by certain malware families to contact their CnCs as a scheme against domain or IP blocking of the malware CnCs, or to prevent the domains from being as easily identified as if they were hardcoded in the malware. However, not all DGA-like domains are necessarily malware related. For example, Chrome connects at startup to random domains to determine if you’re currently on a network that intercepts and redirects requests for nonexistent hostnames [1]. Or a seemingly random domain could be used as a form of DNS-tunneling where a request is encoded in the domain name, and depending on the DNS query type, a specific response is sent back to the client [2].
In this case, the 12 DGA domains we’re investigating do seem to be part of some suspicious activity. These are the first domains that we noticed:
eqxowsn.info
ggegtugh.info
hquterpacw.net
oumaac.com
qfiadxb.net
rwyoehbkhdhb.info
rzziyf.info
vmlbhdvtjrn.org
yeiesmomgeso.org
yeuqik.com
yfewtvnpdk.info
zffezlkgfnox.net
Take a look at the daily periodic traffic to zffezlkgfnox.net across all data centers:
Daily DGA domains
While the traffic to these 12 domains was ongoing, on Oct 16th we observed the emergence of about 570+ related DGA domains that received lookups during the entire 24 hours of the day before dropping to no activity. On each of the following days, from Oct 17th to Oct 21st, we saw about 2100+ DGA domains display the same traffic pattern of constant lookups lasting exactly 24 hours then complete drop. Each day, there was a completely new set of DGA domains, and all of these lookups were nxdomains, except for a handful of resolving domains that we will discuss later.
In total, we saw 12000+ unique DGA domains in our DNS traffic over a period of 2 weeks. Then, suddenly around 12am on Oct 22nd, traffic to all of these domains stopped. For the present moment, no new related DGA domains have been observed. Below we show the traffic pattern of one of these daily domains along with the daily DGA domains counts.
DGAs are all related
All of these domains are linked together via the related domains model, meaning they are looked up by the same set of client IPs during a short time period. Assuming these DGAs are malicious, this is an indication that they are likely generated by a single or similar malware samples. To discover the set of 12000+ domains, we start from a seed DGA domain as the root then traverse the graph of related domains over a very high number of hops away from the root. Since it is very likely that non-DGA legitimate popular sites (for example we observed dropbox.com, hulu.com, cnn.com, etc) could be looked up during the same time frame as the DGA domains, they might end up in the related domains set of traversed nodes. After careful empirical verification to make sure we are catching DGA domains that fit in our target set, we only keep domains that meet a certain traffic profile. This profile corresponds to a specific volume of traffic that spans only 24 hours. This filtering heuristic turns out to be efficient as no false positives were observed. Below we can see a sample of related domains as displayed by the Security Graph web interface and also the visualization engine. The related domains is close to the co-occurences model that we used before [3][4]
In the meantime, on Oct 19th, João Gouveia from AnubisNetworks’ research lab (@jgouv) tweeted about a new DGA lookalike set of domains that he saw rising in traffic and that was quite active in Brazil. He also posted a screenshot of a sample DGA domains which happened to correspond to the same domains seen in our traffic.
Worldwide DGA DNS traffic
On the map below, we show the worldwide volume of DNS traffic to a sample of DGA domains recorded on Oct 18th. From this daily sample, we see that the top 10 countries generating traffic to these DGA domains are Turkey, Bulgaria, Brazil, Russia, Italy, India, Vietnam, Lithuania, United States, and Poland. It is interesting to see the heavy traffic volume coming from Turkey compared to other countries.
Domain name analysis
Based on the sample set, all of these DGA domains consist of 1 single label and fall under 4 TLDs: info, net, org and com. Below we can see the domains’ TLD distribution.
Every domain label is a random lowercase alphabetic string with a length between 6 and 12 characters. Below we can see the labels’ length distribution and the labels’ character frequency distribution of the entire dataset of 12000+ DGA domains.
It seems from the dataset that all lengths of the labels are more or less equally likely. We also observe from the character frequency graph that all letters of the alphabet are used in generating the domains’ labels, and it is interesting to see how the frequency alternates between consecutive letters in the alphabet. In other words, if we index the alphabet letters into an array starting from index 0. Letters with even indices (0,2,4,6, etc) have all about the same frequency and letters with odd indices (1,3,4,5, etc) also have approximately the same frequency.
This gives a few hints on how the DGA algorithm operates, suggesting patterns in how the set of domains is created. In addition, the time component comes into play since a new distinct set of DGA domains is generated every day.
Resolving DGA domains
All the 12000+ DGA domains are nxdomains except for 5 domains that resolve:
comiss.com 107.20.206.69 10800
mcscwi.org 54.246.158.32 86400
oumaac.com 141.8.224.183 300
qqmiao.com 198.58.102.106 600
yousuo.com 65.19.157.194 86400
Let’s go over some OSINT gathered about these domains and IPs.
comiss.com is a parked domain hosted on a parking IP 107.20.206.69. The IP is currently associated with dropping FakeAV [VirusTotal report]
mcscwi.org was registered on Feb 12th, 2013, and seems to belong to the “Milwaukee Community Service Corps”. It resolves to a shared hosting IP 54.246.158.32.
oumaac.com is also a parked domain that resolves to a parking IP 141.8.224.183. This IP is currently associated with dropping trojan worms [VirusTotal report]
qqmiao.com resolves to a SoftLayer shared hosting IP 198.58.102.106. There is no known public record of malicious activity on this IP.
yousuo.com is a parked domain that resolves to a parking IP 65.19.157.194. This IP has been associated with dropping trojans [VirusTotal report]
Conclusion
In conclusion, this is a rather odd DGA campaign that lasted for more than two weeks with 12 domains, rose to 12000+ domains within less than a week, then suddenly stopped. There is no confirmation yet of its maliciousness as we are not aware at the time of this writing of the actual sample generating these domains. All of these domains have been blocked as a preemptive protection measure for our customers, and we will keep a close eye on this phenomenon and report any new findings.
