Perhaps one of the biggest news stories from last October was the operation carried out by Microsoft and its partners, under the protection of a court order, to dismantle Trickbot, a banking trojan that has evolved into a "mule" for various types of malware, such as the Ryuk ransomware.
Despite the heavy blow to Trickbot, visible on pages such as Feodo Tracker, where the number of operational Trickbot servers has been decreasing (although new ones have emerged), various experts pointed out that it would be very difficult to put an end to the botnet.
One of the most curious reasons mentioned, and one that has gone practically unnoticed, is the use of modules that allow EmerDNS (the DNS solution based on the Emercoin blockchain) to be used as a domain name server.
The intention of this post is to explain what EmerDNS, and decentralized domain name servers (DNS) in general, have to do with the problem of putting an end to Trickbot or to other malware that uses related techniques.
Decentralized DNS emerged as an anti-censorship measure, which also makes it possible to escape security problems related to DNS, such as, for example, domain redirection.
While there are several ways to implement a decentralized domain server, solutions that use blockchain natively are the ones that allow the benefits that this technology offers to be fully taken advantage of.
Users register their domains as part of the creation of blocks on the blockchain, in a model that depends not on a central entity but on the blockchain itself, and which therefore offers certain notable advantages, among them robust and verifiable consensus mechanisms that make the process appear trustworthy.
Specifically, some of the most interesting points from the malware programmer's point of view are the following:
Malware that uses these solutions can be identified by several patterns observed during domain resolution.
Taking EmerDNS as an example, there are three routes to access the blockchain and obtain the data needed to reach the domain:
Since each blockchain-based decentralized DNS solution uses its own infrastructure, always tied to a specific blockchain, the methods must be adjusted to know how to reach that blockchain and thus be able to query the domain in question.
These are some of the checks that we could carry out to confirm the use of decentralized domains during the analysis:
Figure: IP used to resolve the domain.
Figure: Checking the domain bestgame.bazar in EmerAPI and the service's response in JSON format.
One way to check the use of these domains could be by searching malware repositories.
On top of the known drawbacks of obfuscation, there are the problems posed by the plurality of domains. If we run searches for the .bazar extension, one of the best known in this field thanks to the Bazar family, we find some results that could be interesting for the analysis, alongside files that are legitimate executables for working with EmerDNS.
Figure: .bazar domains in the sample fb8fe3010133ad5904bea7dc41fb8ac479599a1a5b3737476ffa2d81843d5cc0.
Figure: Use of OpenNIC in recent samples.
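The two checks described above, spotting decentralized-DNS use in resolver logs and searching samples for blockchain domain strings, can be scripted. The following is an added example written for this post, not code from the original article or from any of the tools it mentions. It assumes a constructed log line layout (timestamp, client IP, "->", resolver IP, query name, query type), a constructed list of approved corporate resolvers, and constructed sample data; only the four EmerDNS top-level domains (.coin, .emc, .lib, .bazar) are taken as given.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Top-level domains that EmerDNS serves from the Emercoin blockchain.
BLOCKCHAIN_TLDS = {"coin", "emc", "lib", "bazar"}

# Resolvers a client is expected to use. Constructed for this example; a real
# deployment would load the corporate resolver list here.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# A dotted name whose last label is a blockchain TLD. re.ASCII keeps \b and \w
# restricted to ASCII so that junk characters from decoding a binary cannot
# swallow the word boundary next to a real name.
DOMAIN_RE = re.compile(
    r"\b((?:[a-z0-9-]+\.)+(?:" + "|".join(sorted(BLOCKCHAIN_TLDS)) + r"))\b",
    re.IGNORECASE | re.ASCII,
)


@dataclass(frozen=True)
class Finding:
    client: str
    qname: str
    reason: str


def check_dns_log(lines: Iterable[str]) -> List[Finding]:
    """Triage resolver logs for two signs of decentralized-DNS use.

    Assumed (constructed) log line layout:
        <timestamp> <client_ip> -> <resolver_ip> <qname> <qtype>
    A query for a blockchain TLD sent to an ordinary resolver can only fail,
    because the ICANN root does not know .bazar, so the lookup itself is the
    indicator. A query sent to a resolver outside the approved set is the other
    pattern, since EmerDNS names need a resolver that bridges to the chain.
    """
    findings: List[Finding] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "->":
            continue  # not in the expected layout; skip rather than guess
        client, resolver, qname = parts[1], parts[3], parts[4].rstrip(".")
        tld = qname.rsplit(".", 1)[-1].lower()
        if tld in BLOCKCHAIN_TLDS:
            findings.append(Finding(client, qname, f"blockchain TLD .{tld}"))
        if resolver not in APPROVED_RESOLVERS:
            findings.append(Finding(client, qname, f"unapproved resolver {resolver}"))
    return findings


def extract_blockchain_domains(blob: bytes) -> List[str]:
    """Return blockchain-TLD names embedded in a sample as ASCII or UTF-16LE strings.

    Windows samples frequently keep C&C configuration as wide strings, so the
    blob is decoded at both byte alignments. Names are lower-cased and de-duplicated.
    """
    texts = [blob.decode("latin-1")]
    for offset in (0, 1):  # a wide string may start at either alignment
        texts.append(blob[offset:].decode("utf-16-le", errors="ignore"))
    found = {m.group(1).lower() for text in texts for m in DOMAIN_RE.finditer(text)}
    return sorted(found)


# Constructed sample data, not taken from any real Trickbot sample.
SAMPLE_LOG = [
    "2021-01-12T10:02:11Z 10.0.5.17 -> 10.0.0.53 www.example.com A",
    "2021-01-12T10:02:12Z 10.0.5.17 -> 10.0.0.53 bestgame.bazar A",
    "2021-01-12T10:02:14Z 10.0.5.42 -> 203.0.113.9 update.example.net A",
    "2021-01-12T10:02:15Z 10.0.5.42 -> 203.0.113.9 panel.coin A",
]

SAMPLE_BLOB = (
    b"\x00\x00https://bestgame.bazar/gate\x00\x00"   # ASCII string
    + "panel.coin".encode("utf-16-le")                 # wide string
    + b"\x00\x00msvcrt.lib\x00"                        # an import library name
)

if __name__ == "__main__":
    for f in check_dns_log(SAMPLE_LOG):
        print(f"{f.client} {f.qname}: {f.reason}")
    # The msvcrt.lib hit shows why .lib needs a second look: Windows import
    # library names collide with the EmerDNS .lib TLD, which is one source of
    # the false positives mentioned when searching repositories.
    print(extract_blockchain_domains(SAMPLE_BLOB))
```

The log check only covers samples that send ordinary DNS queries; a sample that resolves names through an HTTP service such as EmerAPI or through a local blockchain node never touches the corporate resolver, which is why the string check over the binary is kept as the complementary control. The .lib collision with import-library names means hits on that TLD deserve manual review before being treated as indicators.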
One possible approach is to start with one of the known samples and apply the VirusTotal plugin for IDA Pro that allows us to refine searches to filter them for the characteristics of the malware code that interests us.
For example, the following image takes the result of VirusTotal Graph as a simple sample, starting from the hash
Figure: Searching for executables with common characteristics in the functions that operate with the domain.
The use of blockchain-based decentralized DNS introduces improvements for malware development, and in particular for communication with C&C servers. Although analysis tools can identify IPs as well as domains, the specific case of decentralized DNS deserves attention, since it represents a new form of behavior.
Although various malware reports point to the use of EmerDNS in recent malware, the truth is that decentralized DNS is still a means that malware authors have yet to fully exploit. The only way to be prepared is to be aware of it and to equip detection and analysis tools to better recognize these utilities.