Cracking of Sphinx Trojan DGA Opens the Door for Botnet Takedown


This post takes a quick look at Sphinx’s domain generation algorithm (DGA). Sphinx, another Zeus-based banking trojan variant, has been around since circa August 2015. The DGA domains are used as a backup mechanism for when the primary hardcoded command and control (C2) servers go down. It is currently unknown to us which version added the DGA functionality.

This sample was used for analysis; it is version 1.7.1.0.

Domain Generation Algorithm

The algorithm isn’t particularly complicated. It uses the current date as the starting seed and performs some arithmetic on it to generate the individual domain characters. Once 16 characters have been generated, it appends the TLD, “.com” in this case. Here is an IDA screenshot of the function:

[Figure: IDA screenshot of the DGA function]

A proof-of-concept Python implementation will be available on the Arbor ASERT GitHub here. The DGA code can be used to determine the domains for a given date. For example, here are the first few domains for 2016-10-13:

  • lglfxpoxekhxiipc[.]com
  • baehyfffjlsnxudr[.]com
  • jsyokakduvaaiqbf[.]com
  • pnllaldgvykyachp[.]com
  • oyiwnbmfkchgqbpy[.]com

DGA Characteristics

  • Backup command and control mechanism
  • Domains change daily
  • The number of daily domains is 128
  • The length of the domain is 16 characters
  • We currently haven’t seen any variation (constants, TLDs, etc.) between samples, so it is possible that the DGA domains are global to the family and not campaign/customer specific

Using this classification system, this DGA could be classified as Time-Dependent, Deterministic, and Arithmetic-based or TDD-A.

Activity

Resolving the year-to-date domain space shows the following, mostly sinkhole, activity:

  • 2016-5-30 – damygjkrmpvcdnhb[.]com
  • 2016-6-1 – tdxhpthbrwouuyoq[.]com
  • 2016-6-2 – arhgjfxcxlxtonfr[.]com
  • 2016-6-16 – gfcjyvkteollejvy[.]com
  • 2016-6-22 – wuciitasvuhcyfuc[.]com
  • 2016-6-24 – wanocxudtloccpqm[.]com
  • 2016-6-24 – kfpuhvhirgyixier[.]com

To get a closer look, we set up our own sinkhole for one of the 2016-10-13 domains. Within a 24-hour window, 1230 unique source IP addresses checked in. The geographical distribution of the IPs is as follows:

[Figure: geographic distribution of sinkhole source IPs]

The top-10 TLDs were:

[Figure: top-10 TLDs]

Brazil’s 24% share makes sense given the sample analyzed: the webinjects used in that campaign targeted four Brazilian financial institutions.

The sinkhole data also added more evidence that the DGA is global to the malware family and not campaign/customer specific. When the malware executes, the DGA domain will be formatted into a URL using the following template:

  • https://%s/%s.bin

The filename portion is populated by a configuration parameter stored in the base config. For the analyzed sample the parameter is “unique_name”; sinkhole data, however, reveals quite a few more of these values:

  • rude.bin
  • jh3ghjT4Fj42Rv.bin
  • unique_name.bin
  • update_64.bin
  • TEST1.bin
  • my_botnet.bin
  • my_de.bin
  • ccc01.bin
  • tempt.bin
  • deses.bin
  • axe1.bin
  • bbb01.bin
  • viktoria.bin
  • SH1.bin
  • tabooboy.bin
  • mexico.bin
  • cream17.bin
  • mone.bin
  • cream16.bin
  • u2.bin
  • ZEN.bin
  • znYD5cwHW7atoUt.bin
  • gucci1.bin
  • static.bin
  • rap0tor.bin
  • main_template.bin
  • ZeroCool.bin
  • catcher1.bin
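The following is an added defender-side example, not code from the post or from ASERT’s generator: it takes the 2016-10-13 DGA domains listed above as a daily watchlist, flags DNS queries that hit it (with a separate low-confidence verdict for names that merely fit the 16-letter “.com” shape), and pulls the config name out of requests that follow the https://%s/%s.bin template. The DNS log format and the sample lines are constructed assumptions.

```python
import re

# Sphinx DGA domains for 2016-10-13 as listed in the post, defanged with "[.]".
SPHINX_2016_10_13 = [
    "lglfxpoxekhxiipc[.]com", "baehyfffjlsnxudr[.]com", "jsyokakduvaaiqbf[.]com",
    "pnllaldgvykyachp[.]com", "oyiwnbmfkchgqbpy[.]com",
]
# Structural shape of a Sphinx DGA domain: 16 lowercase letters plus ".com".
SPHINX_SHAPE = re.compile(r"^[a-z]{16}\.com$")
# The malware's request template is https://%s/%s.bin; capture both fields.
SPHINX_URL = re.compile(r"^https://([A-Za-z]{16}\.com)/([^/?#]+)\.bin$")

def build_watchlist(defanged):
    """Refang ("[.]" -> ".") and lower-case the day's DGA domains."""
    return {d.replace("[.]", ".").strip().lower() for d in defanged}

def classify_qname(qname, watchlist):
    """'known' = exact watchlist hit; 'shape' = low-confidence 16-letter .com
    pattern match only; None = not of interest."""
    name = qname.rstrip(".").lower()  # normalise trailing dot and case
    if name in watchlist:
        return "known"
    return "shape" if SPHINX_SHAPE.match(name) else None

def parse_sphinx_url(url):
    """Return (dga_domain, config_name) for a URL matching the template, e.g.
    'unique_name' from https://<dga>/unique_name.bin; None otherwise."""
    m = SPHINX_URL.match(url.strip())
    return (m.group(1).lower(), m.group(2)) if m else None

def scan_dns_log(lines, watchlist):
    """Scan 'timestamp client qname' lines; return (client, qname, verdict)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        verdict = classify_qname(parts[2], watchlist)
        if verdict:
            hits.append((parts[1], parts[2].rstrip(".").lower(), verdict))
    return hits

# Constructed sample DNS log lines (not real traffic).
SAMPLE_DNS = [
    "2016-10-13T08:01:02Z 10.0.0.5 lglfxpoxekhxiipc.com.",
    "2016-10-13T08:01:03Z 10.0.0.5 www.example.com.",
    "2016-10-13T08:02:10Z 10.0.0.9 abcdefghijklmnop.com.",
    "2016-10-13T08:05:00Z 10.0.0.7 PNLLALDGVYKYACHP.com",
]
```

In practice the watchlist would be regenerated each day from the full set of 128 domains, and a "shape" verdict on its own only warrants a look at the client, not a block.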

Conclusion

This post examined the backup DGA used by the Zeus variant known as Sphinx and its activity as observed via a sinkhole. It is interesting that the DGA appears to be global to the entire malware family, despite the malware being sold as a kit on underground forums to distinct customers. DGAs, even backup ones, give defenders a rare opportunity to get ahead of the curve and preemptively monitor and mitigate a threat.