It’s been a blissful few months since Conficker last reared its over-hyped head, but now there’s a new piece of malware that is adopting some of the tactics that Conficker used. The malware, known as Murofet, is using Conficker’s technique of generating thousands of new domains for updates every day, but doing it in a somewhat novel way.
Murofet is rather new on the malware scene, but some of the tactics that it’s using are by no means innovative. The main similarity between Conficker and Murofet is that both pieces of malware use a pre-determined algorithm to generate seemingly random domain names each day and attempt to contact those domains for new updates. But that’s essentially where the similarities end.
The system that Murofet uses to generate the new domain names each day is quite interesting and requires more than a few steps, according to an analysis of Murofet by researchers at Websense.
Immediately upon executing, Murofet starts a thread that attempts to download malware updates. It generates pseudo-random domain names based on the year, month, day, and minute of execution. The algorithm used for domain generation is simple, using the previously mentioned data, it generates two DWORD values. The first is composed of the month, day, and low byte of the year of the date of execution, plus 0x30 (48). The second DWORD value is based on the minute of execution, multiplied by 0x11 (17). This number is hereafter iterated 800 times to generate multiple domains. The resulting QWORD value is then hashed with the MD5 algorithm and each byte of the result is then used to generate one letter of the domain name by dividing it into 2 nibbles and, if a valid numeric representation of a letter of the alphabet, converted into that letter by adding 0x61 (‘a’). For example, 0x42 = 0x4 + 0x2 = 0x6 = ‘g’ (zero represents ‘a’). Each letter is then concatenated into a domain name.
That’s a lot of hoops to jump through in order to generate a domain name, but it may be a result of the amount of effort that researchers and law enforcement officials have been putting into finding and removing command-and-control servers and domains that are used to run phishing and malware operations. As a result of concentrated takedown operations run in tandem by law enforcement and technology companies, a number of high profile botnets and malware operations have been severely damaged or killed altogether.
The most prominent example of this is, in fact, the Conficker Working Group, a group of dozens of technology vendors who banded together and worked on technical and legal techniques for hemming in Conficker last year. The group was successful in identifying and sinkholing many of the domains that Conficker used to download updates and new components.
This atmosphere has made it somewhat more difficult for attackers to maintain persistent domains that they can use as update servers or C&C mechanisms, hence the lengths to which Murofet’s creators have gone to generate 1,020 new random domains every day.