Dec 22, 2015 | reverse engineering

Kraken's two Domain Generation Algorithms: A side-by-side comparison of the DGAs

Kraken (also known as Oderoor or Bobax) was once a large, if not the largest, botnet. It was primarily used to send spam messages. Kraken features a Domain Generation Algorithm (DGA) which appeared in July 2007 and was first mentioned in 2008. This makes it one of the first widely used DGAs.

Nov 26, 2015 | reverse engineering

A JavaScript-based DGA: Analysis of a JavaScript/ActiveX Downloader Using a Domain Generation Algorithm

This JavaScript on Malwr.com from November 23, 2015 caught my attention because of the contacted domains: 133754.cc, 64.62.224.253, vvoxox.eu, jarvis.co, cudbbwsff.eu, fdqawiz.eu, ahmxwyw.eu, vyyltt.cc, ldpkyawb.co, dnbqig.eu, cfzqzyuf.eu, pujdmzqb.cc, mxkuchq.co, ocwzueix.cc. Only the...

Sep 25, 2015 | reverse engineering

Ranbyus's DGA, Revisited: A second version of the Domain Generation Algorithm

Edit Dec. 8th, 2015: I found two additional samples. One of them uses a different TLD ordering and an additional operation on the hardcoded seed. I left the original text as is and put the changes in as edits. Edit Jan. 25, 2016: found another seed: 0x572473BB. In May I wrote about the Domain...

Jul 19, 2015 | reverse engineering

The Faulty Precursor of Pykspa's DGA

Pykspa is a worm that spreads over Skype. The malware has been relying on a domain generation algorithm (DGA) to contact its command and control targets since at least October 2013. Even though the C2 infrastructure seems to be long abandoned, there are still many infected clients. Virustracker,...
