Damballa Discovers Advanced Evasion Techniques Being Used By Six Crimeware Families To Carry Out Global Cyberattacks

Crimeware has been evading detection because cybercriminals are rapidly adopting domain generation algorithms

February 29, 2012

4 Min Read


ATLANTA, Feb 28, 2012 (BUSINESS WIRE) -- Damballa Inc., the company transforming the fight against cyber threats, today released results of its discovery of advanced stealth techniques used by six crimeware families to carry out global cyber attacks. The crimeware families are a new Zeus variant, Bamital, BankPatch, Bonnana, Expiro.Z and Shiz. The crimeware has been evading detection because cyber criminals are rapidly adopting domain generation algorithms (DGAs). This technique is being used to completely evade detection by blacklists, signature filters, and static reputation systems and to hide command-and-control (C&C) infrastructure. DGAs are also referred to as a form of Domain Fluxing.

An eight-page Damballa Research Report describes, for the first time, how six known malware families have been using DGAs to evade detection and grow sizable criminal networks. The oldest, BankPatch, has been using DGAs to evade detection for approximately two years. Without having to reverse engineer malware or 'decode' the DGA algorithm, Damballa Labs can now automatically detect and model DGA behavior by using patent-pending machine learning technology. The report is titled DGAs in the Hands of Cyber-Criminals - Examining the State of the Art in Malware Evasion Techniques.

The company also released a detailed analysis of a recent variant of the Zeus version 3 malware, and for the first time, provided details on its use of DGAs as a secondary connection technique when the primary connection attempt is blocked or fails (the primary connection technique being peer-to-peer). The case study is titled DGAs and Cyber-Criminals -- A Case Study.

"While DGAs are not new, the rate at which they are being adopted and their ability to elude the scrutiny of some of the most advanced malware analysis professionals should be of great concern to incident response professionals," stated Gunter Ollmann, vice president of research for Damballa. "We have found that the security community as a whole has insufficiently or only partially analyzed the network behaviors of DGA-capable malware. For one, some advanced malware is using DGA as a secondary connection technique when the primary technique, let's say peer-to-peer, has failed. Those charged with protecting the enterprise that have detected or blocked the obvious primary connection technique have failed to counter the back-up technique, and the malware can then successfully locate the C&C using DGAs."

DGAs first made major news with the outbreak of Conficker. Since that time, the DGA techniques have significantly advanced and are now being adopted by some of the more stealthy threats and by criminals desperately seeking to avoid attribution.

The concept of DGAs is simple enough, but incredibly stealthy. Malware that has infected an endpoint device is programmed with an algorithm that uses a 'seed' value, like the current date, to generate potentially hundreds of seemingly random domain names that all attempt to resolve to an IP address. Nearly all of the domain names will result in a 'non-existent' domain message (NXDomain). Only one or a few will actually resolve to an IP address. The criminal operator, knowing the nature of the algorithm and the seed that will be used that day, will register only one (or a few) of the domains and have them resolve to his C&C infrastructure. The next day the cycle repeats. The domains used for the previous day's connection are discarded, meaning the domain names are 'thrown away,' and even if detected, would be meaningless in stopping the threat or discovering the criminal C&C.

"With the leak of the Zeus source code and expanding investment by criminal operators to hide and protect their C&C infrastructure, we should expect to see more DGA-based malware being used to deliver ever-increasingly stealthy attacks," said Ollmann. "At Damballa Labs we have been studying this trend and have two patent-pending machine learning technologies specifically designed to identify DGA-based threats by clustering NXDomains from big data that we maintain from years of monitoring global DNS traffic. We can identify these threats without prior interception or knowledge of malware samples, and as described in the case study, map this DGA-based behavior back to the C&C infrastructure and ultimately to the malware family. DGA 'classifiers' are then used on the Damballa Failsafe sensors to automatically and rapidly identify DGA-based malware infected devices in customer networks -- attributing the behavior to a specific malware family without having to see the malware or the infection occur. Damballa is the only company with this capability today. I am very proud of what the research team at Damballa Labs has been able to accomplish."

About Damballa

Damballa is a pioneer in the fight against cybercrime. Damballa provides the only network security solution that detects the remote control communication that criminals use to breach networks to steal corporate data and intellectual property, and conduct espionage or other fraudulent transactions. Patent-pending solutions from Damballa protect networks with any type of server or endpoint device including PCs, Macs, Unix, smartphones, mobile and embedded systems. Damballa customers include mid-size and large enterprises that represent every major market, telecommunications and Internet service providers, universities, and government agencies. Privately held, Damballa is headquartered in Atlanta. http://www.damballa.com

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights