
New Mirai Variant Has a Domain Generation Algorithm - pjf
http://blog.netlab.360.com/new-mirai-variant-with-dga/
======
Exuma
What software is that? I always see that decompiler software in posts like
this.

~~~
Cyph0n
My guess would be IDA[1]. It's the de facto industry standard for reverse
engineering binaries.

[1]: [https://www.hex-rays.com/products/ida/](https://www.hex-rays.com/products/ida/)

~~~
Exuma
Is it as cool/intuitive as it looks? Lol... I also just saw this from this
morning:

[http://www.welivesecurity.com/2016/12/06/readers-popular-web...](http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/)

It looks almost like English. It makes me want to learn it for fun.

More than likely, though, I would go to decompile something and it would be
infinitely complicated and take years of learning to know what I'm doing. Perhaps I
shall YouTube some intro videos.

~~~
ShaneWilton
It's definitely cool, but it's far from intuitive. Worse, the licensing is
nearly impossible to deal with as an individual.

If you're interested in getting started with reverse engineering, I recommend
Binary Ninja [0]. It's a newer platform, and you may run into bugs, but the
team behind it is super responsive to feedback, and they've done a great job
of taking a traditionally very arcane UI, and making it into something that's
a joy to use.

[0] [https://binary.ninja/](https://binary.ninja/)

~~~
aseipp
Eh, Hex-Rays eased up on the licensing a lot in the past few years, IIRC, and
it's much more tolerable for individuals. These days, from what I understand,
as long as you basically email them from your corporate, work email address --
they'll let you purchase a permanent, individual license that way, even with
their digital downloads. So you don't need physical shipment or anything like
that, they just need to make sure they aren't sending it to a rando email
address.

In the past it was a lot more difficult since as an individual they'd want to
physically ship you the software on disk, so they'd only send it to offices,
trusted addresses, etc which complicated it a lot. I never really had to deal
with this since I think their strategies changed a bit by the time I got
licenses at my last job.

Of course, just emailing them from your work addr won't totally cut it -- you
also have to pony up the few thousand USD to get IDA, and near $10k if you
want all the decompiler tools, as well... IDA Pro itself is relatively 'cheap'
by itself if you just want disassembly, though, and you actually do it for a
job.

------
ryanlol
Wow, that's a particularly silly domain generation algorithm.

Do these kids even use some sensible crypto for the C&C? If not, anyone
running their own Mirai net can steal these bots just by running .dns on their
C&C domain and registering one of the generated domains :)

~~~
Godel_unicode
> ...used it to predict all 365 possible DGA domains. When looking up their
> registration information, we found some of them have been registered by the
> MIRAI author...

Not so fast. This is just so that malware reverse engineers can't run strings
on the executable (note also where they say this executable is stripped but
not packed) and then block/tip the handful of hard-coded domains.

Anti-forensics is an arms race, and especially for a botnet like this the goal
is to do just enough that you can spread (see also: premature optimization).
You'll see it (Mirai) get progressively better as the authors are forced to
work harder.

~~~
ryanlol
> This is just so that malware reverse engineers can't run strings on the
> executable (note also where they say this executable is stripped but not
> packed) and then block/tip the handful of hard-coded domains

Nothing to do with `strings`. The purpose of domain generation algorithms is
simply to prevent bot loss from domain suspension/C&C takedowns.

Unless these guys patched Mirai to authenticate the server somehow, this is a
really easy way for them to lose all of their bots.

As I stated earlier, this enables any competing botmaster to easily steal
their bots simply by taking down the nameservers for their main domains. Mirai
has built in functionality to do that, the ".dns" command.

Even without that flaw, it's also a really bad way of keeping the bots alive
since 365 domains will be trivial for the registry to blacklist.

~~~
Godel_unicode
> Nothing to do with `strings`. The purpose of domain generation algorithms is
> simply to prevent bot loss from domain suspension/C&C takedowns.

The purpose of DGA is also to make it harder to identify the domains the
malware will use. One of those ways is to run strings on an executable and
look for domain names. As they made no attempt to move off their main domains,
we can assume that wasn't the goal. Rather, the goal of this is pretty clearly
to add a few new domain names which are not as obvious and thus less likely to
be blocked. Certainly not the perfect solution, but see my previous about
premature optimization.

Also, I think you're overestimating the ease of taking over someone else's
registrant account. Possible? Absolutely. Easy? Well, that depends on a great
many things, but typically not easy without a court order.

~~~
ryanlol
Are you just coming up with new uses for domain generation algorithms to
refute my comment for the sake of refuting it, or do you personally know the
developer? Or do you at least personally know developers who have used DGAs
for that?

I've seen lots of DGAs, but I've never seen one being used for the purpose
you're describing.

You're suggesting a pretty novel use case here, why is that?

> Also, I think you're overestimating the ease of taking over someone else's
> registrant account. Possible? Absolutely. Easy? Well, that depends on a great
> many things, but typically not easy without a court order.

While it's not at all what I was referring to, many domain registrars are
actually surprisingly happy to just hand over malware domains to "whitehats".

See goatsis' comment for the issue I was originally referring to.

~~~
Godel_unicode
My experience differs from yours. Apparently goatsis has heard of you, so good
work on that? The logical fallacy of either/or doesn't advance your argument
as much as you think it does.

In my experience, malware authors care about beating the defense more than
they do about having their domains taken down by some "whitehat". Although if
you think that's easy, by all means please do. The Internet will thank you.

~~~
ryanlol
Instead of relying on the fallacy fallacy could you try to back up your point
of view somehow? Share your differing experiences and give us some examples.

The idea of using a DGA to _hide_ your C&C simply isn't a very good one. It's
not going to work, anyone running a packet capture will still see where your
bot connects.

Using a DGA to protect your C&C from being taken down? You can easily make it
impossible for any domain registry to shut you down. It'll also protect you
from server suspensions as you'll just be able to update your DNS records.

One of these actually works, one doesn't. For hiding your C&C you'd want to
use Tor hidden services instead. Generally C&Cs are disposable though, so
there's no need to hide them in the first place.

> In my experience, malware authors care about beating the defense more than
> they do about having their domains taken down by some "whitehat".

I don't really understand what you mean here. "Beating the defense"? Are you
suggesting that whoever did this Mirai edit was trying to evade antivirus or
any sort of "defense" in that matter? On IoT devices and routers?

I'm _sure_ they weren't hoping that whatever analyst finds their binary isn't
going to find their C&C... Which seems to be what you're suggesting.

But if they aren't worried about their C&C being taken down by some "whitehat"
then why on earth would they want to hide it in the first place?

------
maxt
Are these domains for free? Is it possible to bypass a registrar and register
a domain for free like this?

~~~
tyingq
They aren't free, no. But the algorithm creates one predictable domain per
day.

So, the author of the code doesn't need to register all of them. Just one for
each day he needs a backup C&C network.
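
The defender's side of what this thread describes, as an added example that is not from the article or from any commenter: a date-seeded DGA yields one predictable domain per day, so anyone holding the binary can enumerate the whole year up front and match DNS logs against it. The generation rule, seed and `.example` TLD here are a constructed stand-in, not the Mirai variant's actual algorithm.

```python
"""Precompute a year of one-domain-per-day DGA output and match DNS logs
against it. The derivation rule below is HYPOTHETICAL (constructed for this
example); the real Mirai variant's algorithm is not reproduced here."""
import datetime as dt
import hashlib

SEED = b"constructed-demo-seed"   # assumption: fixed seed baked into the sample
TLD = ".example"                  # reserved TLD, safe for demonstration


def domain_for_day(day: dt.date, seed: bytes = SEED) -> str:
    """Derive the single domain valid on `day` (hypothetical rule)."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).hexdigest()
    # 12 hex chars give a short, random-looking label like many real DGAs
    return digest[:12] + TLD


def predict_year(year: int, seed: bytes = SEED) -> dict:
    """Enumerate every day's domain for `year`: a ready-made blocklist
    mapping domain -> the date on which the bot would query it."""
    day, end, out = dt.date(year, 1, 1), dt.date(year + 1, 1, 1), {}
    while day < end:
        out[domain_for_day(day, seed)] = day
        day += dt.timedelta(days=1)
    return out


def find_dga_lookups(log_lines, blocklist: dict) -> list:
    """Match DNS query log lines ('<timestamp> <client> <qname>') against
    the predicted set; return (client, qname, valid_date_iso) per hit."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname, blocklist[qname].isoformat()))
    return hits


# Constructed sample log: one benign lookup and one query for the
# domain this hypothetical DGA would produce on 2017-01-15.
SAMPLE_LOG = [
    "2017-01-15T03:14:07Z 192.0.2.10 www.example.",
    "2017-01-15T03:14:09Z 192.0.2.23 "
    + domain_for_day(dt.date(2017, 1, 15)) + ".",
]

if __name__ == "__main__":
    print(find_dga_lookups(SAMPLE_LOG, predict_year(2017)))
```

The same precomputed set is what a registry or sinkhole operator would use to blacklist or pre-register all 365 candidates, which is the weakness the thread points out.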

------
rconti
So apparently this is not about a Toyota.

~~~
Cyph0n
It _could_ be, if you connected your Toyota to the internet.

------
jmiserez
If the author's Gmail is known, shouldn't it be trivial for the authorities to
find out who registered the domains and arrest them?

------
rurban
Still from Ukraine

