October 14, 2010

Murofet: Domain Generation à la Conficker


Recently a new piece of malware has emerged that operates similarly to Conficker.  This malware, named Murofet, is similar to Conficker in that it generates thousands of domains daily that it then contacts for updates.  Our customers are protected from this latest threat by ACE, our Advanced Classification Engine.

Immediately upon executing, Murofet starts a thread that attempts to download malware updates.  It generates pseudo-random domain names based on the year, month, day, and minute of execution.  The algorithm is simple.  From those values it builds two DWORDs: the first is composed of the month, the day, and the low byte of the year plus 0x30 (48); the second is the minute of execution multiplied by 0x11 (17).  This second value is then iterated 800 times, producing one domain per iteration.

On each iteration the resulting QWORD (the two DWORDs taken together) is hashed with MD5, and each byte of the 16-byte digest is used to produce at most one letter of the domain name: the byte is split into its two nibbles, the nibbles are added, and if the sum is in the range 0 to 25 (a valid index into the alphabet, with zero representing 'a') it is converted to a letter by adding 0x61 ('a').  For example, 0x42 gives 0x4 + 0x2 = 0x6, which is 'g'.  The letters are concatenated to form the domain name.

Once the letter conversion loop is finished, Murofet applies a few rules to the current iteration of the minute-derived value to decide which domain extension to use.  If the value is divisible by 5, it uses ".biz".  Failing this, if the value [bitwise] AND 3 is zero, the extension ".info" is used.  If that also fails, it checks whether the value is divisible by 3, in which case it uses ".org".  Finally, if the value is divisible by 2 it uses ".net"; otherwise it uses ".com".  Pseudocode for the above process is as follows:


(Figure 1: domain generation pseudocode) 


Because of the modular division applied to the iterated value derived from the minute the binary is run, exactly 1020 domains are generated per day.  When Murofet finds a valid download at one of the generated domains, it attempts to create a process from it.  Upon successful creation of the process, the update thread exits and the newly downloaded malware does its job.

If any security research professionals should need a domain list, please visit this link and make your request by selecting the "other" category.  Just let us know what date range you need and we'll do what we can to help out!


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.
