In the past, we have demonstrated massive, data-driven algorithmic detection of malware and botnets, made possible by our unique visibility into global DNS traffic. When a case involves only a few infections, and thus mostly low traffic volume (but not necessarily less impact!), making correlations and revealing patterns with little contextual information becomes both tricky and critical. Using the recent revival of the ransomware Cryptolocker, which victimized a few OpenDNS customers, we present a case study of a method that we call the Ripple Effect.

The ransomware typically spreads through email attachments. Once the malware is downloaded and executed on the victim’s system, it first establishes connections with its command and control (CnC) servers, from which it retrieves an encryption key. It then begins encrypting data files on the system, across all connected drives and mapped network shares.

The victim sees a pop-up window asking for a one-time payment of $300 to regain access to the encrypted data files. Under no circumstances should one ever pay the fee. However, without the decryption key, there is no way to recover the encrypted files except from backups.

The Emsisoft blog post has an in-depth analysis. According to that analysis, the malware first contacted a CnC at a hard-coded IP (184.164.136.134).

Returned 3 RRs in 0.13 seconds. (source: ISC)
jngburgerjoint.ca. A 184.164.136.134
johnmejalli.com. A 184.164.136.134
jngburgerjoint.com. A 184.164.136.134

We don’t have much intelligence on the IP itself, nor on another seemingly associated IP address, 74.207.227.154 (domains such as jngburgerjoint[.]com were found hosted across both IPs). When the original IP CnC fails (in this case, it was taken down as of Emsisoft’s reporting), the malware contacts a set of randomly generated domains. In order to contain the threat, we need to predict or detect these domains in time to prevent the malware from phoning home. After all,

If we knew the DGA (domain generation algorithm) used by the malware, determining the generated domains would be effortless. But investigating the malware code to reveal these algorithms and their many variations is a time and resource intensive process that stands in the way of timely response. Can we find a way to predict what domains the malware will contact without knowledge of the algorithm?

We submitted a simple query, "ip:184.164.136.134", to malwr.com, the beloved Cuckoo sandbox system. Malwr provides a good collection of Cryptolocker samples here for us to advance our study.


Malwr executes malware samples in a sandbox environment, reporting both static and dynamic analysis including files accessed, registry keys modified, and network hosts contacted by the malware. Now we have a set of CnC domains that Cryptolocker samples have contacted—a good start. 

Now we forego the arduous task of uncovering the DGA, and we take a rather different approach to detection. We think it’s a pretty neat process, so we’ve actually given it a name: the Ripple Effect.

Given a seed set of known domains, we search the unknown by expanding from the known domains to the domains that co-occur with them. For two domains to co-occur means that a statistically significant number of clients have requested both domains consecutively in a small time window. More detail is in this technical blog on domain co-occurrence.

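def ripple_effect(known_domains, cooccurring):
    # cooccurring(n) returns the domains that co-occurred with n; it stands in
    # for the co-occurrence lookup, which the pseudocode left abstract
    K = set(known_domains)  # seed domains
    S = set(K)              # every domain found so far
    N = set(K)              # the first ripple

    while N:  # stop when a ripple finds nothing new
        for n in N:
            Sn = set(cooccurring(n))
            S = S.union(Sn)

        N = S.difference(K)  # next ripple: domains not seen before
        K = S
    return S
# so now you see why I call it the Ripple Effect. =]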
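To make the co-occurrence definition and the expansion concrete, here is an added example (not OpenDNS code) that builds a co-occurrence graph from a constructed DNS query log and ripples outward from one seed. The log entries, the `.example` domain names, the 5-second window and the `min_clients` threshold (a simple stand-in for "statistically significant") are all assumptions.

```python
from collections import defaultdict

# Constructed sample DNS log: (client, unix_seconds, domain). Names are placeholders.
LOG = [
    ("c1", 100, "seedxq.example"), ("c1", 101, "dgab.example"),
    ("c1", 102, "dgac.example"), ("c1", 103, "mail.example"),
    ("c2", 200, "seedxq.example"), ("c2", 201, "dgab.example"),
    ("c2", 203, "dgac.example"), ("c2", 204, "dgad.example"),
    ("c3", 300, "dgac.example"), ("c3", 302, "dgad.example"),
    ("c3", 400, "news.example"),                       # 98 s later: outside window
    ("c4", 500, "mail.example"), ("c4", 501, "news.example"),  # uninfected client
]

def cooccurrence_graph(log, window=5, min_clients=2):
    """Link two domains when at least `min_clients` distinct clients requested
    them consecutively, no more than `window` seconds apart."""
    by_client = defaultdict(list)
    for client, ts, domain in log:
        by_client[client].append((ts, domain))
    pair_clients = defaultdict(set)
    for client, queries in by_client.items():
        queries.sort()
        for (t1, d1), (t2, d2) in zip(queries, queries[1:]):
            if d1 != d2 and t2 - t1 <= window:
                pair_clients[frozenset((d1, d2))].add(client)
    graph = defaultdict(set)
    for pair, clients in pair_clients.items():
        if len(clients) >= min_clients:   # drop pairs seen from too few clients
            a, b = pair
            graph[a].add(b)
            graph[b].add(a)
    return dict(graph)

def ripple(seeds, graph):
    """Expand ripple by ripple until a ripple adds no new domain."""
    known = set(seeds)
    frontier = set(seeds)
    while frontier:
        frontier = {d for n in frontier for d in graph.get(n, ())} - known
        known |= frontier
    return known

if __name__ == "__main__":
    strict = ripple({"seedxq.example"}, cooccurrence_graph(LOG))
    loose = ripple({"seedxq.example"}, cooccurrence_graph(LOG, min_clients=1))
    print(sorted(strict))   # the seed plus the three DGA-style domains
    print(sorted(loose))    # threshold of 1 also pulls in mail/news domains
```

With the threshold at one client, a single infected machine checking its mail right after a DGA lookup is enough to drag unrelated domains into the result, which is why the client-count requirement matters before any of the output is used for blocking.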

With the mighty power of the Security Graph visualization platform, we can show a nice animation of the ripple effect starting off from the seed domain uwelwphpjsemxsn.info.

Several domains were expanded by clicking this seed domain to show co-occurring domains, and we continue to expand them for more co-occurring domains. The process continues until we no longer find new domains. 
The screenshot below shows the Ripple Effect expanding the co-occurrence domains from the set of seed domains that we started with.
[Screenshot: the Ripple Effect expanding co-occurrence domains from the seed set]
Here’s a sample of some of the domains we found:
uwelwphpjsemxsn[.]info
arjddblgbsumi[.]biz
danvawrrcgrwo[.]com
obcmcbmdspopn[.]org
frjpjcapmnvdo[.]ru
ewyublfwlgcgf[.]net
cfdbrgwybyxam[.]co[.]uk
To find the full list of domains we discovered using the Ripple Effect method today, click here.  

Security threats spreading via emails have a long history. They are not seen as frequently as a decade ago, but they aren’t dying any time soon. A bit of social engineering can make a victim out of all but the most vigilant, and the sheer volume of potential targets means even a low rate of success makes a campaign worthwhile for the perpetrators. Because some attachments will inevitably be opened, cutting off communication back out to CnC servers is an effective method of containment, but finding that domain generation algorithm takes too long to prevent damage. We developed the Ripple Effect to protect our users from malware like Cryptolocker even without uncovering the DGA.

Of course, users themselves stand at the front line of defense against social engineering attacks. The Ripple Effect can find many of the domains that the malware attempts to contact, but it can’t be 100% effective. Always exercise your best judgement in opening email attachments, especially from unfamiliar sources. Important data files should always be properly backed up. A good security scheme requires multiple layers of defense with no reliance on a single system. Desktop antivirus, email gateway scanning, and OpenDNS offer a good trio of protections against threats like this.