Blog

Gameover ZeuS Switches From P2P to DGA

Though Operation Tovar succeeded in temporarily cutting communication between Gameover ZeuS (GoZeus) and its command and control infrastructure, it appears now that GoZeus has migrated from using peer-to-peer communications to domain generation algorithms (DGAs).

According to research by our friends over at Malcovery, a “new trojan based heavily on the GameOver Zeus binary…was distributed as the attachment to three spam email templates.” In the report, several domains were identified as being the destination of the infected malware’s communications. The most active of the DGAs was one that we at OpenDNS identified on the day it was registered – cfs50p1je5ljdfs3p7n17odtuw[dot]biz.

ani

As you can see, the traffic to the domain starts off with a small number of queries (10) on Thursday, July 10 at around 15:00 UTC. A larger jump to 884 queries doesn’t happen until Friday, July 11 at around 6:00 UTC. At peak (on Friday, July 11th at 10:00 UTC) we see a spike of 10,042 queries for cfs50p1je5ljdfs3p7n17odtuw[dot]biz.

The domain in question is associated with a number of IP addresses (as seen below) and have a very low TTL.

Screenshot 2014-07-11 08.35.23

Three of the IP addresses have also been identified by OpenDNS Labs over the past week as being malicious. All of the IP addresses associated with the domain are located within the Ukraine.

176.8.154.150
81.163.142.143
31.129.65.152

The name server (NS) associated with the domain is also highly suspicious. The IP range is associated with AS 3462 and is hosted in Taiwan (TW) – quite the distance from the hosting location in the Ukraine. The IP address is also associated with suspicious name servers for a number of Russian (.ru) servers.  A quick scan of some of the other domains hosted by the IP shows a handful of DGAs and Russian (.ru, .su), Kazakhstan (.kz), and Indian (.in) ccTLDs.

ns118.171.163.153

One last nugget of intel is some of the scoring that OpenDNS assigns to the domain, its associated IPs, and related ASNs.

Screenshot 2014-07-11 08.48.23

Hopefully this information has helped you better understand the methodologies employed by GoZeus users. Using OpenDNS Investigate, we were able to derive additional intelligence from our global DNS data and shed some additional light on the communication channels.

All OpenDNS users are already protected against the identified domains in the Malcovery report. Should you have any additional questions, please do not hesitate to reach out to us.

Additional Refernces:

The post Gameover ZeuS Switches From P2P to DGA appeared first on OpenDNS Security Labs.

The Security Internship

The-Internship-2013-movie-posterNote from Andrew Hay: This is a post written by OpenDNS Security Labs interns Kevin Bottomley and Skyler Hawthorne on their experiences working at OpenDNS.

Although neither of us have been working at OpenDNS for very long, the experience thus far has been very rewarding. We work at a company that serves as a gateway to the Internet for 50 million users daily that allows us to bring in our ideas and concepts, and implement them into the OpenDNS infrastructure.

Culture

The culture is alive and vibrant at OpenDNS. OpenDNS regularly hosts fun events, such as: hackathons; OpenLate meetups, where anyone can come to code in the OpenDNS basement late at night, and collaborate on cool projects; ToastMasters, which helps people practice and learn about public speaking; company sponsored sports outings; and yoga three times a week, on the roof.

Every Friday, the company has a “Town Hall” meeting in which our CEO, David Ulevitch, speaks to everyone about the company’s health and current events. The whole company is very lively at these meetings. Whenever there are new employees (which has been pretty often lately, as we are growing rapidly), a portion of the meeting is dedicated to the “Fresh Meat,” who stand up in front of the entire company and tell everyone three fun facts about themselves.

These all make for a fantastic work environment.

Benefits

Being an Intern on the OpenDNS Security Labs team comes along with some pretty cool benefits that you might not find at other startups. Lunches are catered three times a week, with Mondays and Fridays being from a different restaurant, and Wednesdays coming from a rotation of local food trucks. The fairs on these menus can range anywhere from pizza and pasta to pita and hummus. There is also the ever popular Waffle Wednesday where our Office Manager Adrian Rodriguez serves up homemade waffles with all the fixings to go along with them.

To compliment this, OpenDNS keeps two kitchens fully stocked from floor to ceiling with just about any snack and drink one could possibly want. Whether it be fresh fruit, artisan bread, or beef jerky, it’s there, and if it is not, all one has to do is ask and it will be soon.

While working here, you don’t have to feel confined to one location to get some work done. The office, a very spacious two story building that is in the midst of expansion, has numerous places where you can sit back and relax, whether it be the overly comfortable couches at either end of the building, or up on the rooftop to get some air with a pretty good view from it’s location in the heart of San Francisco’s SoMA neighborhood.

One of the best benefits would have to be that you are surrounded by highly intelligent peers on a daily basis. The backgrounds of the employees here go far and wide, from Ph.Ds in Graph Theory, to published authors of technical books. Hands-on experience is one of the best ways to gain knowledge, and you definitely get plenty of that at OpenDNS, with some great mentors to look up to and be inspired by constantly.

Cool Projects

Being at a small startup allows us the chance to wear many different hats, as Kevin would say. We’ve had the chance to work on many cool projects. Several of the projects have involved the OpenDNS Security Graph, which is a very large database of all IP addresses, domain names, ASNs, and their associated co-occurrences, internal security scores, etc. One project in particular was to add different sources of information about the domains being queried. Another involved writing APIs for the Security Graph in different programming and scripting languages.

Other projects have involved creating tools to automate the white and black listings of domains deemed to be either malicious or not to the internal servers, writing web scrapers to gather information to be analyzed so it can be added to our preemptive threat datasets, as well as document parsers to so that we can cover as much area as it takes to stay out in front of potentially harmful domains, ips, and urls.

Overall, these projects have been very fascinating and educational. We have learned a lot about internet security, and how OpenDNS manages to protect all of its users from malicious hosts. Most importantly, a benefit of working for a startup is that our contributions actually feel meaningful to the company. We look forward to our days ahead at OpenDNS, and all of the exciting projects they have planned for us.

Image source: http://www.dvdsreleasedates.com/movies/5748/The-Internship-2013.html

The post The Security Internship appeared first on OpenDNS Security Labs.

Research: Xerox Printers Beaconing Out To The Internet

4896710690_8cf5781412_b-241x300While conducting some research, I happened to notice a rather odd domain name that a particular server was beaconing out to. The domain in question was xeroxdiscoverysupernode3.com. Initially, I figured that the domain could be malware or phishing related as the likelihood of Xerox Corporation using such a long domain was relatively low. Upon further investigation, the xeroxdiscoverysupernode3 domain wasn’t even registered. Could a piece of malware have been constructed to call out to this specific domain to download additional files? Why wouldn’t the malware author register the domain ahead of time if that was the plan?

As this domain ended in the number 3, I pondered the idea of there being a ’1′, ’2′, or maybe even a ’4′ numbered domain that followed this same pattern. It turned out that xeroxdiscoverysupernode1, xeroxdiscoverysupernode2, and xeroxdiscoverysupernode3 were actively being queried for within the OpenDNS global infrastructure. Not only were the domains being queried, but each was receiving roughly 2,000 queries per hour (as seen below).

Screenshot-2014-04-22-15.15.53

The plot thickens…

The full post can be read here: http://labs.opendns.com/2014/05/01/xerox-printer-beacons/

Photo Credit: Truthout.org via Compfight cc

Scroll to top