Tracking Rovnix

Over the past few months we have been monitoring the Rovnix botnet (other AV vendors call it Papras, Ursnif or Gozi). As infection vectors we have observed pay-per-install campaigns, but also distribution through the Andromeda malware. We have analyzed the malware's DGA, sinkholed it, and observed its communication protocol in order to map the current infection campaigns and get an idea of the overall size of the botnet.

Domain Generation Algorithm

The DGA (Domain Generation Algorithm) generates 5 or 10 domains per 3 months. Specifically, 5 or 10 domains are generated for each of the following groups of months:

  • January, February, March
  • April, May, June
  • July, August, September
  • October, November, December

This means there are 20 or 40 candidate domain names per year. The number of the generated domains depends on the DGA version.

The domain names are obtained by concatenating words, or their first halves, until the resulting name has at least 12 and at most 23 characters. Both the words in the domain name and its top-level domain are chosen pseudo-randomly from provided lists. The randomness is determined by a fixed seed number and by the year and the months for which the domains are being generated.

The word list is extracted from a publicly available text file that is very unlikely to change in the future, such as the United States Declaration of Independence, the GNU Lesser General Public License, Request for Comments (RFC) pages and specifications. To be a candidate, a word must contain only letters and be at least 3 characters long. Before being used, words are converted to lower case.

Different versions of the malware use different files from which the words are selected. Interestingly, the versions targeting the United Kingdom use the US Declaration of Independence.

For example, the domain names generated by the first version of the DGA for January, February and March 2014 are:

  • theseforbiddentandthe.eu
  • allsuchsuchreturned.com
  • landslegisrighthumble.eu
  • consentrulerallpretended.net
  • humthethcertainevi.com
  • theunhasthatinestthmust.net
  • otheovtheeatci.net
  • eathapublishtthe.eu
  • whichdepositoryswath.cn
  • dissolutionsconvufrom.com

Sinkholed Domains

So far we have sinkholed one domain for each of the 6 versions we found in the wild. The following table gives, for each version, the seed, the words file and the top-level domains used.

Domain                | Seed       | Words File                                 | TLDs
taxes[removed].net    | 0x35678930 | United States Declaration of Independence  | com net biz cn eu
dissour[removed].biz  | 0xEDBA8930 | United States Declaration of Independence  | com net biz ru eu
bufa[removed].tk      | 0xEDBA8930 | Netstrings Specification                   | net com biz ru tk
operation[removed].eu | 0xCE728930 | United States Declaration of Independence  | com net biz ru eu
youorig[removed].de   | 0xEDBA8930 | GNU Lesser General Public License          | com net de tk ru
specific[removed].biz | 0xEDBA8930 | Request for Comments (RFC) 4288            | net com biz ru tk

Most domains are still valid for the bots. For example, the last four domains listed in the next table have been receiving requests for only two weeks, but will keep receiving them for the following two months. Because of this, the number of infected bots contacting them is still expected to increase considerably, as it did for the first 2 domains.

Domain                | Sinkholing Date   | Targeted Countries           | Total Number of Reported Infections
taxes[removed].net    | 04 August 2014    | Netherlands, France, Belgium | 27.455
dissour[removed].biz  | 10 September 2014 | United Kingdom               | 129.754
bufa[removed].tk      | 14 October 2014   | Bulgaria                     | 11.441
operation[removed].eu | 22 October 2014   | Poland                       | 10.055
youorig[removed].de   | 22 October 2014   | Bulgaria                     | 1.630
specific[removed].biz | 22 October 2014   | Bulgaria                     | 3.394

However, the targeted countries are already obvious: the number of infections reported for the most infected country is much higher than for the second most infected one. For illustration, note the top 5 most infected countries for each version.

The following images illustrate the number of infections reported for every country, emphasizing the top 5, for each version since its sinkholing date. Note how the various campaigns target specific countries.

Campaign 1 (targeting Netherlands, France, and Belgium) with taxes[removed].net

Top 5 most infected countries are:

  • 1. Netherlands 9255 (33.70%)
  • 2. France 8574 (31.22%)
  • 3. Belgium 5017 (18.27%)
  • 4. Spain 1377 (5.01%)
  • 5. United Kingdom 960 (3.49%)

Campaign 2 (targeting United Kingdom) with dissour[removed].biz

Top 5 most infected countries are:

  • 1. United Kingdom 113051 (87.12%)
  • 2. Islamic Republic of Iran 5258 (4.05%)
  • 3. Italy 846 (0.65%)
  • 4. United States 838 (0.64%)
  • 5. Germany 738 (0.56%)

Campaign 3 (targeting Poland) with operation[removed].eu

Top 5 most infected countries are:

  • 1. Poland 9894 (98.39%)
  • 2. Netherlands 44 (0.43%)
  • 3. Belgium 18 (0.17%)
  • 4. France 15 (0.14%)
  • 5. Spain 13 (0.12%)

Campaign 4 (targeting Bulgaria)

bufa[removed].tk

Top 5 most infected countries are:

  • 1. Bulgaria 10124 (88.48%)
  • 2. Poland 804 (7.02%)
  • 3. United States 127 (1.11%)
  • 4. Germany 57 (0.49%)
  • 5. Japan 57 (0.49%)

youorig[removed].de

Top 5 most infected countries are:

  • 1. Bulgaria 911 (55.88%)
  • 2. Germany 361 (22.14%)
  • 3. Croatia 123 (7.54%)
  • 4. Thailand 113 (6.93%)
  • 5. Japan 44 (2.69%)

specific[removed].biz

Top 5 most infected countries are:

  • 1. Bulgaria 2990 (88.09%)
  • 2. United States 84 (2.47%)
  • 3. Czech Republic 82 (2.41%)
  • 4. China 69 (2.03%)
  • 5. Japan 65 (1.91%)

Communication Protocol

The last campaign seems to be the most recent one, as it is the only one in which the data reported to the Command and Control server is first encrypted and only then base64-encoded. The data sent by the other three campaigns is only base64-encoded.

There are three different types of requests:

  • 1. Configuration report, performed by a GET request following the template GET /c[random].php?[random]=[data]. Examples of configuration report requests:
    • GET /cyxvlupmo.php?ufdmvtuyo=aIEtGpd9MKhBWZUUrwvelPSuJwdK1bOFcMrnzy4
      IgqImVLq02QOcWRvKAmwvPwoI9uugxXMuF88lV0WSHnXxLjZ+XTOIYWyGKkHLvf1oraf
      UYvtJMepRhQh9QCQEs9HFalVWBHKtzvJyGAl5INBHTt==
    • GET /cvqxk.php?ocobnw=ktTqj88vJuAjSxtF4HOZsorLbs2N8Rju8E2X3tsXSKbp5r
      82UARWCQwZpqruc8rXjoEh5tzYSqUnr4oS3NC/Fbljpes/gI1fjcLzLYWJ7qgUJ6COXh
      w5gKQ1PqpfqHVhLsCvGjninwHSN15Hz7jYX7==
    • GET /cmvo.php?hoayb=u0FGQmsrxiBs3Bnv5XqzhutXHNUOL/sGTjsrnM/Dvm1RHOzH
      c4IMKCg/vjs2Fapn3BoVN6ikcPbII7HvVKsz5IPIen1W4HlrGEpdsmexiEkXzQtMpzle
      HfWR+MtG8sPgfdvZsO7hEkuWyjaGlOTfru==
  • 2. Data upload, performed by a POST request of the form POST /d[random].php?[random]=[data]. Examples of data upload requests:
    • POST /dnif.php?hpeup=XgbxB7thEb2GwjnpgZAf/FeQvhmXS8+ab49SE/KVXHrY+rch
      mvd50q+u7MPeW/sTgx4IXyNkJjD++60SYnAuFFBUVOOtOAweXgyrGtHvwKaf4G0E+drz1
      wCfu1wuvMiHs4XFysfTsYbTdMSDPz5QMj==
    • POST /dsvcxt.php?cxwojcg=HwzlB1erUEdqX1KNVt5weqVMO8Vppsz/QYYtD/+M9SVt
      LoyYIpkVH/P9tf6KGWWH8Q4a0eqmZgNvyMZebTmiHgDPnbDoT6RKzzVE55NTmj22Zw66q
      3iuf5mIyzPYS31NDfmu1aKr59v8ms6vPIGs1o==
    • POST /dxkxonav.php?ndicride=28pa1PWvBnTgKwbghiIRrz3q1dEuyI5kwNA/q8nQ3
      WeXG7393r/i5/Pcl2GFtrDalo2sFqSER+GyU9tATyFLo7CCvO4HYK7lnzWiKCoFio/X8N
      c3kRURcTBqUA/kdzT8q72FTWArmzUo2knUwX6hQ3==
  • 3. Task request, consisting of a GET request of the form GET /t[random].php?[random]=[data]. Examples of task requests:
    • GET /ttckr.php?cnhl=dwI547qlLTfweO3KK9o1FFKAX5jndBzbwfY+qFXcOybdtjVn
      E4bygKLvPMc6bS4zXuCvSCvmkSCcKZetwZWzrAEXwOpHB/jjVT57xd/PDG8iQCWgarhj
      4kLrGu4/Omqeha2BdXPOZqS+W8MQMBIhRB==
    • GET /tslqspk.php?xahmbb=0m40k6goMx3P0QG5TsNl6OQve7IrQ53JcmBbq4MN
      MlgbAamjs5Aqo4JPOoKg9jkC04LcIkNtfLikE1qirX/YzRzIyvEEqd3kEByG2FI773KK
      s2PXEsH+cxqv64fhd75gfPOVOFfIBo8ixYvP2rygs7==
    • GET /tcnulkckj.php?lfekhw=ZC+d+1r9DLI1CdFep0hUkdCYmXH+udC1BVpccJ
      68XOBGqV85I/lk1GjZ4fNpRCcGkVzEAyg6d1fuuL0sjeoICc+kDdEloVjI5ixRedBM0y
      /cpBGQ1iufyFMJs92CTJIT/JsquRMckxso7WG2IUfmNk==

This technique (random path and parameter names combined with encoded data) helps the malware bypass traffic filtering and signature-based detection.

For the unencrypted requests, we can base64-decode the [data] field and extract the information. For example, the configuration request

  • GET /cjbgaahoi.php?syeiv=YXlicGpvYWZmPWdodXllaHBxJnZlcnNpb249MjEyMzA5
    JnVzZXI9ZGYwZGU1NjRkNGEyMjNiMDI2NGQ0ODA3M2JiOTU2YmUmc2VydmVyPTEyJmlkP
    TcxMjg4OSZjcmM9MmUxZWZmNjMmd2RhdGE9MjAxNDEwMjk=

results in

  • aybpjoaff=ghuyehpq&version=212309&user=df0de564d4a223b0264d48073bb956be&
    server=12&id=712889&crc=2e1eff63&wdata=20141029

while the task request

  • POST /txlv.php?hldf=d2N0Z3FhZmY9Z3JmbGd4aiZ2ZXJzaW9uPTIxMjMwOSZ1c2Vy
    PWRjZDRjMDFiOTMxNGQ2OTAzZDc4Nzc2YWY4NGUyZmRjJnNlcnZlcj0xMiZpZD03MTI4
    ODkmY3JjPTQ0Y2VkOTUmd2RhdGE9MjAxNDEwMjk=

consists of

  • wctgqaff=grflgxj&version=212309&user=dcd4c01b9314d6903d78776af84e2fdc&
    server=12&id=712889&crc=44ced95&wdata=20141029

Note that the first parameter has both its name and value randomly generated, which ensures that different base64 encodings / encryptions are produced for the same request (that is, for the same user contacting the same server with the same bot version and requesting/reporting the same data).
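The request template and the decoding walked through above, turned into a small detection and triage script. This is an added example, not Bitdefender's code: it matches request lines against the /c|d|t[random].php?[random]=[data] shape, base64-decodes the field, drops the random first parameter and pulls out the bot id, user hash and version; the encrypted variant from the last campaign simply yields no fields. The sample request lines are constructed from the examples quoted in the post.

```python
import base64
import re
from urllib.parse import parse_qsl

# Request shape from the post: /<c|d|t><random>.php?<random>=<base64 data>
REQUEST_RE = re.compile(
    r"^(?P<method>GET|POST) /(?P<kind>[cdt])[a-z]+\.php\?[a-z]+=(?P<data>[A-Za-z0-9+/]+=*)$")
KINDS = {"c": "configuration report", "d": "data upload", "t": "task request"}
REQUIRED = {"version", "user", "id", "crc", "wdata"}  # fields seen in the decoded requests

def classify(request_line):
    """Return (method, request kind, data) if the line fits the template, else None."""
    m = REQUEST_RE.match(request_line.strip())
    return None if m is None else (m.group("method"), KINDS[m.group("kind")], m.group("data"))

def decode_fields(data):
    """Base64-decode [data] and return its key=value fields minus the random first pair.
    None for payloads that are not plain text (encrypted before base64) or lack the usual fields."""
    try:
        text = base64.b64decode(data, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    fields = dict(parse_qsl(text, keep_blank_values=True)[1:])
    return fields if text.isprintable() and REQUIRED.issubset(fields) else None

def scan(request_lines):
    """(kind, bot id, user hash, version) per matching line; Nones when undecodable."""
    hits = []
    for line in request_lines:
        hit = classify(line)
        if hit is None:
            continue
        f = decode_fields(hit[2])
        hits.append((hit[1], None, None, None) if f is None
                    else (hit[1], f["id"], f["user"], f["version"]))
    return hits

# Constructed sample: the two requests decoded in the post, the encrypted configuration
# report quoted for the last campaign, and an unrelated request that must not match.
SAMPLE_LINES = [
    "GET /cjbgaahoi.php?syeiv=YXlicGpvYWZmPWdodXllaHBxJnZlcnNpb249MjEyMzA5"
    "JnVzZXI9ZGYwZGU1NjRkNGEyMjNiMDI2NGQ0ODA3M2JiOTU2YmUmc2VydmVyPTEyJmlkP"
    "TcxMjg4OSZjcmM9MmUxZWZmNjMmd2RhdGE9MjAxNDEwMjk=",
    "POST /txlv.php?hldf=d2N0Z3FhZmY9Z3JmbGd4aiZ2ZXJzaW9uPTIxMjMwOSZ1c2Vy"
    "PWRjZDRjMDFiOTMxNGQ2OTAzZDc4Nzc2YWY4NGUyZmRjJnNlcnZlcj0xMiZpZD03MTI4"
    "ODkmY3JjPTQ0Y2VkOTUmd2RhdGE9MjAxNDEwMjk=",
    "GET /cyxvlupmo.php?ufdmvtuyo=aIEtGpd9MKhBWZUUrwvelPSuJwdK1bOFcMrnzy4"
    "IgqImVLq02QOcWRvKAmwvPwoI9uugxXMuF88lV0WSHnXxLjZ+XTOIYWyGKkHLvf1oraf"
    "UYvtJMepRhQh9QCQEs9HFalVWBHKtzvJyGAl5INBHTt==",
    "GET /index.php?page=3",
]
```

Run `scan(SAMPLE_LINES)` over proxy or IDS request logs to list bots per campaign; the bot id and user hash give a stable count of distinct infections, which is how the sinkhole figures above are built.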

Bitdefender advises users to keep their operating system, antivirus solution and other software up to date and to be aware of social engineering tricks prompting them to execute code on their machines.
