Friday, February 6, 2009

Botnet Use of Unregistered Domain Names

A growing number of botnets are using unregistered domain names as a means of establishing a command and control network. The basic idea is an algorithm that produces a series of seemingly random domain names, which can be registered at a later date as needed. This approach helps to ensure that the botnet can't be killed by blocking or taking offline individual hard-coded domain names or IP addresses.

The Srizbi botnet employed this tactic, and FireEye, a security firm which focuses on botnet protection, attempted to get a step ahead by registering the generated domain names before they could be used. This was a noble effort; however, as might be expected, costs quickly escalated, and the effort was abandoned once it was determined that it could cost the firm $4,000/week just to secure the domain names.

I was poring over some log files this week and was struck by the volume of domain names that appear to be requests from infected machines for these seemingly random, as yet unregistered domain names. Despite the coordinated effort to take down Srizbi in November 2008, it would appear that there remains no shortage of infected zombies associated with Srizbi.


Thanks to the reverse engineering efforts of the team at FireEye, we have insight into the algorithm used to generate the domain names. It would appear, however, that we're dealing with a different variant from the ones inspected by FireEye, as the domains we're seeing do not line up with the future domain names predicted by the Srizbi Domain Calculator derived from the FireEye research.

More important than the Srizbi-related domains, we are beginning to see a very high volume of requests for unregistered pseudo-random domain names that do not appear to be related to Srizbi. Conficker/Downadup has also employed this approach, and F-Secure has done a solid job of posting predicted command and control domain names for Conficker, based on their own reverse engineering work. However, based on the traffic that we're seeing, there appear to be various other botnets employing this approach.
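The pattern described above is visible to a defender in resolver logs without knowing any botnet's algorithm: infected hosts generate bursts of NXDOMAIN responses for letters-only names, and several hosts running the same algorithm ask for the same unregistered names. The script below is an added example (not from the original post or from FireEye or F-Secure); the log format, the client addresses and the eight-letter names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not from the post): "<client> <qname> <rcode>".
# The eight-letter names are made up to resemble the pattern the post describes.
SAMPLE_LOG = """\
10.0.0.5 hfdsuwte.com NXDOMAIN
10.0.0.5 gtuwhsed.com NXDOMAIN
10.0.0.5 eiwsdtgu.com NXDOMAIN
10.0.0.5 sdfhgeut.com NXDOMAIN
10.0.0.5 www.example.com NOERROR
10.0.0.9 hfdsuwte.com NXDOMAIN
10.0.0.9 gtuwhsed.com NXDOMAIN
10.0.0.9 mail.example.org NOERROR
10.0.0.9 eiwsdtgu.com NXDOMAIN
10.0.0.12 www.example.com NOERROR
10.0.0.12 typo-exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NXDOMAIN|NOERROR|SERVFAIL)$")
# A single letters-only label directly under a TLD, like the names in the post.
GENERATED_RE = re.compile(r"^[a-z]{6,12}\.[a-z]{2,6}$")

def parse_log(text):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)

def flag_dga_activity(text, min_names_per_client=3, min_clients_per_name=2):
    """Return (suspect_clients, shared_names).

    suspect_clients: hosts with NXDOMAIN for >= min_names_per_client distinct
    generated-looking names. shared_names: unregistered names queried by
    >= min_clients_per_name hosts, i.e. candidates for sinkholing or blocking.
    """
    names_by_client = defaultdict(set)
    clients_by_name = defaultdict(set)
    for client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN" and GENERATED_RE.match(qname):
            names_by_client[client].add(qname)
            clients_by_name[qname].add(client)
    suspect = sorted(c for c, n in names_by_client.items() if len(n) >= min_names_per_client)
    shared = sorted(n for n, c in clients_by_name.items() if len(c) >= min_clients_per_name)
    return suspect, shared

if __name__ == "__main__":
    clients, names = flag_dga_activity(SAMPLE_LOG)
    print("suspect clients:", clients)
    print("shared unregistered names:", names)
```

The thresholds are deliberately low for the tiny sample; on a real resolver they should be tuned against the baseline NXDOMAIN rate, since typos (like the hyphenated one above) and expired domains also produce NXDOMAIN.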

Registering domain names isn't like digging ditches. It's a sunk cost for the registrars, and it's high time they stepped up to assist in this matter. Entities like FireEye shouldn't need to expend real dollars to register domain names in an effort to stop the spread of a botnet. A coordinated effort between researchers and registrars needs to be established to ensure that future botnets cannot employ this tactic. It won't be easy, as there are several registrars responsible for the many TLDs now available, but it's a worthwhile initiative, especially as this trend continues.

- michael
