Matsnu Botnet DGA Discovers Power of Words

The Matsnu botnet has deployed a new domain generation algorithm that builds domain names from a list of nouns and verbs. The plain English phrases help the DGA elude detection.

Domain generation algorithms have been botmasters’ favorite tool for keeping malware up and running—and for frustrating security researchers and detection technologies.

Like malware, DGAs evolve, thus complicating an already tricky cat-and-mouse game between criminals and white hats.

The latest in DGA evolution was spotted in June by researchers at Seculert, who today published a report describing a variant of the Matsnu botnet whose DGA pulls nouns and verbs from a built-in list of more than 1,300 words to form domains that are 24-character phrases. Unlike other DGAs that generate domain names that are essentially gibberish and easily detected by security software, the Matsnu botnet uses a noun-verb-noun-verb combination to beat machine-learning phonetic algorithms trained to look for domain names with no meaning.

“Detection and prevention mechanisms had some ways to detect such domains,” explained Aviv Raff, chief technology officer at Seculert. “Some malware authors figured it out and put this in to bypass such detection solutions.

“It looks more legitimate than a bunch of characters,” Raff said. “If a human were looking at a domain, it would look legit and not generated by a machine.”

Matsnu is not the first botnet to go down this route; Bayrob, discovered in October 2013, paired real words to form domain names. Another botnet named Rovnix used words from the U.S. Constitution to build domain names while others such as Gameover Zeus and Tinba go for volume and are capable of generating thousands of domains per day.

“This just adds more complexity to the machine learning algorithms,” Raff said. “It requires additional effort to differentiate between domains generated by a machine versus something created by legitimate usage.”

Detection technologies will now have to look for other clues in the malware’s behavior to spot such attacks, Raff said.

“If the malware continuously goes for similar words and tries to communicate with domains, you will have to look for clusters of domains using similar words,” Raff said. “You’ll have to look at domains over time and not at specific communication.”
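The clustering Raff describes can be sketched as follows: split each queried name into dictionary words, then flag hosts whose multi-word domains reuse the same words across several days. This is an added example, not code from Seculert or from the article; the word list, log format, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

# Constructed stand-in vocabulary; in practice load a large English word list.
WORDS = {"account", "speak", "garden", "carry", "window", "paint", "letter",
         "follow", "market", "mail", "news", "cloud", "shop", "example"}

def segment(label, words=WORDS):
    """Split label into the fewest dictionary words, or None if it cannot be."""
    best = [None] * (len(label) + 1)          # best[i] segments label[:i]
    best[0] = []
    for i in range(1, len(label) + 1):
        for j in range(i):
            if best[j] is not None and label[j:i] in words:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[-1]

def flag_hosts(queries, min_domains=4, min_words=3, min_days=2, min_reuse=0.5):
    """queries: (host, day, fqdn) tuples. Returns {host: reuse ratio} for hosts
    whose multi-word domains share vocabulary. Thresholds are assumptions."""
    per_host = defaultdict(dict)
    for host, day, fqdn in queries:
        labels = fqdn.lower().rstrip(".").split(".")
        # Naive registrable label; real code would use the Public Suffix List.
        parts = segment(labels[-2:][0].replace("-", ""))
        if parts and len(parts) >= min_words:
            per_host[host][fqdn] = (day, parts)
    flagged = {}
    for host, doms in per_host.items():
        days = {day for day, _ in doms.values()}
        if len(doms) < min_domains or len(days) < min_days:
            continue                           # too few names or a single day
        counts = Counter(w for _, parts in doms.values() for w in set(parts))
        reused = sum(c for c in counts.values() if c > 1)
        ratio = reused / sum(counts.values())  # share of word uses that repeat
        if ratio >= min_reuse:
            flagged[host] = ratio
    return flagged

# Constructed sample DNS log: one host cycling word-built names, one benign.
SAMPLE = [
    ("10.0.0.5", 1, "accountspeakgardencarry.com"),
    ("10.0.0.5", 1, "gardenpaintwindowfollow.com"),
    ("10.0.0.5", 2, "letterspeakaccountpaint.com"),
    ("10.0.0.5", 3, "windowcarrymarketfollow.com"),
    ("10.0.0.9", 1, "mail.example.com"),
    ("10.0.0.9", 2, "newscloud.com"),
]
```

Calling `flag_hosts(SAMPLE)` flags only the first host; no single name in its list looks machine-generated, and the signal comes from the shared vocabulary across names and days.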

Seculert said 9,000 bots on average communicate daily with a sinkholed Matsnu server. It’s been primarily confined to German-speaking victims and is spread by spam related to online shopping. The payload, so far, is just a backdoor with the capability of downloading malicious plug-ins; previous versions of Matsnu spread ransomware and fake antivirus scams.

Once a victim’s computer is infected, it connects to a command and control server and sends back a trove of system information including user name, operating system version, CPU and VM environment information, as well as language and locale information. It supports a number of commands from the centralized server, including code upgrades, payload download and execution, as well as a number of other commands not yet in use. It also has features for persistence and encrypts communication with the C&C server, Raff said.

“We’ve seen so many other malware authors adapt this feature, as we’re sure we’ll see more in the near future,” Raff said, adding that Tinba was the latest to add DGA to its capabilities. “We’re sure to see others adopt this; this is currently the best way for attackers to evade detection. Look at GameOver Zeus; the attackers shut it down and when it resurfaced, they’d removed the peer-to-peer communication but left in the DGA. This feature is here to stay because it’s tremendously successful.”
