Hacker News new | comments | show | ask | jobs | submit login
New Mirai Variant Has a Domain Generation Algorithm (360.com)
64 points by pjf 371 days ago | hide | past | web | favorite | 26 comments



What software is that? I always see that decompiler software in posts like this.


My guess would be IDA[1]. It's the de facto industry standard for reverse engineering binaries.

[1]: https://www.hex-rays.com/products/ida/


Is it as cool/intuitive as it looks? Lol... I also just saw this from this morning:

http://www.welivesecurity.com/2016/12/06/readers-popular-web...

It looks almost like english. It makes me want to learn it for fun.

More than likely though I would go to decompile something and it would be infinitely complicated and years of learning to know what I'm doing. Perhaps I shall youtube some intro videos.


It's definitely cool, but it's far from intuitive. Worse, the licensing is nearly impossible to deal with as an individual.

If you're interested in getting started with reverse engineering, I recommend Binary Ninja [0]. It's a newer platform, and you may run into bugs, but the team behind it is super responsive to feedback, and they've done a great job of taking a traditionally very arcane UI, and making it into something that's a joy to use.

[0] https://binary.ninja/


Eh, Hex-Rays eased up on the licensing a lot in the past few years, IIRC, and it's much more tolerable for individuals. These days, from what I understand, as long as you basically email them from your corporate, work email address -- they'll let you purchase a permanent, individual license that way, even with their digital downloads. So you don't need physical shipment or anything like that, they just need to make sure they aren't sending it to a rando email address.

In the past it was a lot more difficult since as an individual they'd want to physically ship you the software on disk, so they'd only send it to offices, trusted addresses, etc which complicated it a lot. I never really had to deal with this since I think their strategies changed a bit by the time I got licenses at my last job.

Of course, just emailing them from your work addr won't totally cut it -- you also have to pony up the few thousand USD to get IDA, and near $10k if you want all the decompiler tools, as well... IDA Pro itself is relatively 'cheap' by itself if you just want disassembly, though, and you actually do it for a job.


IDA is the de facto standard tool for reverse engineering. It supports a wide array of processors and executable formats, but the hex-rays decompiler (what generated the code in this screenshot on the page you linked: http://www.welivesecurity.com/wp-content/uploads/2016/12/10-...) brings a lot of the magic.

It takes some learning, but yes it's as cool as it looks.


I don't recommend IDA to newcomers. Binja and Hopper are both easier to get started with. Hopper will even do a half-assed job of converting assembly to analogous C code (you have to pay Hex-Rays quite a bit of money for the same functionality).

It definitely won't take you years to learn how to understand disassemblies! You can get to 80% proficiency in a few weeks, just by understanding how control flow graphs work.


... and that last 20% proficiency will take until the heat death of the universe. It'll be fun trying though, and you'll learn lots of really cool things.


It is both intuitive and not intuitive... Download the free edition and play around with it. You will definitely learn something.


Alternatively, Radare (http://radare.org/r/) is being adopted more widely as an open source tool to do similar analyses. Again: not-very-intuitive unless you know what you're doing, at which point it becomes very intuitive. The learning curve is steep here.


Interesting link. I saw something weird going on with a favicon up in the browser tabs the other day, flashing and reloading sporadically. I wondered if something like this might have been going on in the background.


Yes, that's IDA.


Wow, that's a particularly silly domain generation algorithm.

Do these kids even use some sensible crypto for the C&C? If not, anyone running their own mirai net can steal these bots just by running .dns on their C&C domain and registering one of the generated domains :)


> ...used it to predict all 365 possible DGA domains. When looking up their registration information, we found some of them have been registered by the MIRAI author...

Not so fast. This is just so that malware reverse engineers can't run strings on the executable (note also where they say this executable is stripped but not packed) and then block/tip the handful of hard-coded domains.

Anti-forensics is an arms race, and especially for a botnet like this the goal is to do just enough that you can spread (see also: premature optimization). You'll see it (mirai) get progressively better as the authors are forced to work harder.


>This is just so that malware reverse engineers can't run strings on the executable (note also where they say this executable is stripped but not packed) and then block/tip the handful of hard-coded domains

Nothing to do with `strings`. The purpose of domain generation algorithms is simply to prevent bot loss from domain suspension/C&C takedowns.

Unless these guys patched mirai to authenticate the server somehow, this is a really easy way for them to lose all of their bots.

As I stated earlier, this enables any competing botmaster to easily steal their bots simply by taking down the nameservers for their main domains. Mirai has built in functionality to do that, the ".dns" command.

Even without that flaw, it's also a really bad way of keeping the bots alive since 365 domains will be trivial for the registry to blacklist.


> Nothing to do with `strings`. The purpose of domain generation algorithms is simply to prevent bot loss from domain suspension/C&C takedowns.

The purpose of DGA is also to make it harder to identify the domains the malware will use. One of those ways is to run strings on an executable and look for domain names. As they made no attempt to move off their main domains, we can assume that wasn't the goal. Rather, the goal of this is pretty clearly to add a few new domain names which are not as obvious and thus less likely to be blocked. Certainly not the perfect solution, but see my previous about premature optimization.

Also, I think you're overestimating the ease of taking over someone else's registrant account. Possible? Absolutely. Easy? Well, that depends on a great many things, but typically not easy without a court order.


Are you just coming up with new uses for domain generation algorithms to refute my comment for the sake of refuting it, or do you personally know the developer? Or do you at least personally know developers who have used DGAs for that?

I've seen lots of DGAs, but I've never seen one being used for the purpose you're describing.

You're suggesting a pretty novel use case here, why is that?

>Also, I think you're overestimating the ease of taking over someone else's registrant account. Possible? Absolutely. Easy? Well, that depends on a great many things, but typically not easy without a court order.

While it's not at all what I was referring to, many domain registrars are actually surprisingly happy to just hand over malware domains to "whitehats".

See goatsis comment for the issue I was originally referring to.


My experience differs from yours. Apparently goatsis has heard of you, so good work on that? The logical fallacy of either/or doesn't advance your argument as much as you think it does.

In my experience, malware authors care about beating the defense more than they do about having their domains taken down by some "whitehat". Although if you think that's easy, by all means please do. The Internet will thank you.


Instead of relying on the fallacy fallacy could you try to back up your point of view somehow? Share your differing experiences and give us some examples.

The idea of using a DGA to hide your C&C simply isn't a very good one. It's not going to work, anyone running a packet capture will still see where your bot connects.

Using a DGA to protect your C&C from being taken down? You can easily make it impossible for any domain registry to shut you down. It'll also protect you from server suspensions as you'll just be able to update your DNS records.

One of these actually works, one doesn't. For hiding your C&C you'd want to use tor hidden services instead. Generally C&Cs are disposable though, so there's no need to hide them in the first place.

>In my experience, malware authors care about beating the defense more than they do about having their domains taken down by some "whitehat".

I don't really understand what you mean here. "beating the defense"? Are you suggesting that whoever did this mirai edit was trying to evade antiviruses or any sort of "defense" in that matter? On iot devices and routers?

I'm sure they weren't hoping that whatever analyst finds their binary isn't going to find their C&C... Which seems to be what you're suggesting.

But if they aren't worried about their C&C being taken down by some "whitehat" then why on earth would they want to hide it in the first place?


You don't have to take over their account, you just need to make it so that their domains no longer resolve. Once that happens the DGA kicks in and all the bots connect to the DGA domain you have registered. You are also telling the wrong person that hijacking domains is hard, ask him about mit.edu.


Are these domains for free? Is it possible to bypass a registrar and register a domain for free like this?


They aren't free, no. But the algorithm creates one predictable domain per day.

So, the author of the code doesn't need to register all of them. Just one for each day he needs a backup c&c network.


so apparently this is not about a Toyota.


It could be, if you connected your Toyota to the internet.


If the author's Gmail is known, shouldn't it be trivial for the authorities to find out who registered the domains and arrest them?


Still from Ukraine




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: