My first article on URL Generation for worm updates quickly became my most popular article (until it was overtaken by an analysis of Conficker). I’ve been thinking about the concepts of URL generation, and I believe I’ve come up with a similar method that will work just as well, if not better.
URL Generation is the process of doing just that: generating URLs. The concept came up while analyzing Conficker: the worm generates 250 pseudorandom URLs per day (10,000 per day in one variant) and attempts to connect to them to upload stats on newly infected computers and to download new instructions and payloads.
Now, one problem with this is tracking. Unless you steal a stranger’s credit card far away, drive to another state/province, steal some wireless, proxy up, and purchase a domain name, there’s a possibility that you could be tracked down as the purchaser. Sure, you can hide your name in a whois record, but the registrar still has your information. Once the algorithm for generating URLs is compromised and released to malware analysts, you also have to worry about the registrar monitoring the expected domains (see: Honeypots).
What I propose is this: pastebins.
Yes, pastebins. Pastebins are free, effective, anonymous, and can be private. There are many pastebins to choose from, and certain ones, such as pastebin.com, allow for “your own pastebin.” Simply by prefixing the URL with a unique name, you can paste code without it showing anywhere else on the site. For example, if my name were Abraham Lincoln and I were an avid coder, I might paste my leet Perl scripts to http://abrahamlincoln.pastebin.com.
Now you can probably see where I’m going with this. The usual form of URL generation produces a predetermined number of URLs per day, seeded from the date: the list is different each day, but anyone running the program on the same day gets the same list, so it is predictable. A program might generate the URLs lksdjgsdg.com, kljsdgsdg.info, asfgkajgsg.com, alksgjagsg.org, sdjfhsdjkg.net, fklsdjfsddsf.org, sdflkjsdf.com, and sdfsdfuhfsd.com for a single day. The next day, the URLs would be completely different. They need to be predictable so the author of the malware can plan ahead and purchase and prepare a domain name before a bunch of infected computers call home to get instructions. The fact that there are so many URLs is a form of security through obscurity, in that someone trying to stop, analyze or fight the worm won’t know which URL the script will be getting instructions from. It’s just whatever domain is up and able to identify itself to the worm at the time.
My approach is for the poor man, and by poor man I mean either a man who isn’t willing to steal a credit card (hey, why not add more charges on top of your malware ones?) or a man who is too poor to purchase a domain (you’ll be rich soon enough!). Instead of generating URLs like the ones above, the Poor Man’s URL Generation generates random strings, such as gksljdgsdg, sdgkljsdgsd, skdjgsdlkg, sdgksjdgsdg, sdgkljsdg, sdgkjsdglkjd, and sdlkgjsdglkjd.
The malware author will be required to upload an encrypted payload to the expected private pastebin, such as gksljdgsdg.pastebin.com, shortly before all the infected computers call home there to decrypt and act on their new instructions and/or payload. Afterwards, the author can remove the paste, making it look like nothing was ever there.