Labs - Malware Analysis

Malware Authors Update Themselves: Blockchain-Based Decentralized DNS

Written by David Morán | Dec 9, 2020 5:47:01 PM

Perhaps one of the biggest news stories from last October was the operation carried out by Microsoft and its partners , under the protection of a court order, to dismantle Trickbot, a banking trojan that has evolved to become a "mule" of various types of malware, such as Ryuk ransomware.

Introduction

Despite the heavy blow to Trickbot, perceived through pages such as Feodo Tracker , in which the number of operational Trickbot servers has been decreasing (although new ones have emerged), various experts pointed out that it would be very difficult to put an end to the botnet.

One of the most curious reasons mentioned and that has practically gone unnoticed is the use of modules that allow for the use of EmerDNS (the DNS solution based on the Emercoin blockchain) as a domain server.

The intention of this post is to talk about what EmerDNS - and, in particular, decentralized domain name servers (DNS) - has to do with the problem of putting an end to Trickbot or other malware that uses related techniques.

 

Decentralized DNS and Malware

Decentralized DNS emerged as an anti-censorship measure, which also makes it possible to escape security problems related to DNS, such as, for example, domain redirection.

While there are several ways to implement a decentralized domain server, solutions that use blockchain natively are the ones that allow the benefits that this technology offers to be fully taken advantage of.

Users register their domains as part of the creation of the blocks of the blockchain, in a model that doesn't depend on a central entity but on a blockchain, and therefore offers certain notable advantages, among which are its robust and verifiable consensus mechanisms that make the process appear trustworthy.

Specifically, some of the most interesting points from the malware programmer's point of view are the following:

  • Inability to alter a block in the chain (block that defines the domain) – the blockchain consensus protocol guarantees the integrity of the data by design, which is precisely what makes it ideal for transactions, since it guarantees non-repudiation. Therefore, applied to domain registration, if a user defines a domain, the domain data can only be controlled by the user.
  • Decentralization, control doesn't lie with entities that can make decisions. The owners of the blockchain make their mechanism available to users, but do not control their blocks.
  • Freedom in creating domains. It depends on the blockchain, since private entities can restrict the domains that are created before writing, but in general solutions such as EmerDNS allow domains to be defined with low entropy, which weren't previously available on the market, and which stand in the way of known detection techniques.
  • Flexibility in updates. The information about the domain (e.g. the IP to which it resolves) can be quickly updated by the user (through new actions in the blockchain), making it difficult to monitor, trace and define IOCs.

Considerations During Analysis

The way the malware that uses these solutions operates can be identified thanks to several patterns observed during the resolution of domains.

For example, if we consider the example of EmerDNS, there are three access routes to the blockchain to get the data required to reach the domain:

  • installing extensions in the browser,
  • through OpenNIC servers (because they have an agreement by which OpenNIC identifies and redirects requests to EmerDNS), and using proxy servers (from OpenNIC or Emerproxy).

As each blockchain-based decentralized DNS solution uses its own infrastructure, always based on a specific blockchain, the methods must be adjusted to know how to reach the blockchain and thus be able to ask for the domain in question.

These are some of the checks that we could carry out to confirm the use of decentralized domains during the analysis:

  • Identify IPs used to resolve recursively. This occurs with the OpenNIC IPs , for example, since the method to find the domains involves consulting the entire tree of domains recursively. This is precisely why these servers are exposed to DNS amplification attacks, and this is one of the reasons why there are several search engines to check for this feature, such as OpenResolver. The following figure shows the result of checking for this on an IP used by a malware sample that uses the bestgame.bazar domain.

IP used to resolve domain

  • Identify IPs belonging to OpenNIC servers and the like. This is one of the operations observed in some of the samples, as is the case with Fbot , which contained the OpenNIC addresses obfuscated in code and implemented them to resolve the domains used. Other ways are not ruled out, such as, for example, the installation of plugins in browsers. If these decentralized models are more common in the future, this route will already be guaranteed by users' computers.
  • Checking of domains in blockchains used for these purposes. Each blockchain can provide its own mechanisms for consultation, and the analysis tools will have to adapt to this fact; domain checking has to consider these "wild” domains.

Checking the domain bestgame.bazar in EmerAPI and the service's response in JSON format

 

Current Use of These Mechanisms

One way to check the use of these domains could be by searching malware repositories.

In addition to the known drawbacks of obfuscation, we need to add the problems that we could face given the plurality of the domains. If we do search tests with the .bazar extension, one of the best known in this field thanks to the Bazar family, we will find some results that could be interesting for the analysis, along with files that are actually executable to work with EmerDNS, and that are totally legitimate.

.bazar domains in the sample fb8fe3010133ad5904bea7dc41fb8ac479599a1a5b3737476ffa2d81843d5cc0

Use of opennic in recent samples

One possible approach is to start with one of the known samples and apply the VirusTotal plugin for IDA Pro that allows us to refine searches to filter them for the characteristics of the malware code that interests us.

For example, the following image takes the result of VirusTotal Graph as a simple sample, starting from the hash

  • (1), where similar files are observed with respect to different criteria, compared to the result of doing the search from IDA Pro using the plugin
  • (2), result where the similarity criterion is based on the assembly code, and therefore we can be much more accurate. In this example, only two of the five similarity files share the operation observed in the code that interests us.

Searching for executables with common characteristics in the functions that operate with the domain

 

Conclusions

The feature of using blockchain-based decentralized DNS introduces improvements for malware development, and in particular for communication with C&C servers. Although the analysis tools can identify IPs as well as domains, the casuistry of decentralized DNS should be highlighted, since it represents a new form of behavior.

Although various malware reports point to the use of EmerDNS in recent malware, the truth is that the decentralization of DNSs is still a means that has yet to be fully exploited by malware creators. The only way to be prepared is by being aware and preparing the detection and analysis tools to better recognize these utilities.