Thursday, March 24, 2011

Malware Distribution Server Hostname Similarities by Michael Rash

On the Arbor Networks security blog there was an interesting post
(see: asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/)
about a Chinese DDoS bot called "JKDDOS" that appears to specifically
target the heavy mining industry. That by itself is noteworthy
considering that China is reducing rare earth exports (see:
uk.reuters.com/article/2010/12/29/uk-china-rareearth-idUKTRE6BR0UZ20101229),
but what I found interesting in the JKDDOS analysis is a link between
the distribution servers for JKDDOS and another malware family called
the Avzhan family. That is, a distribution server for JKDDOS is
(sanitized) nnnavzhan.3322nnn.org and two distribution servers for
the Avzhan family are nnnavzhan1.3322nnn.org and
nnnavzhan2.3322nnn.org. So, they are the same to within one
character, and this is most likely not just a coincidence.

Now, if we wanted to take our current malware repository and quickly
determine which distribution hostnames are highly similar, we could
use something like the perl String::Similarity module, or the
Levenshtein Python extension (see: code.google.com/p/pylevenshtein/).
Given two strings, each of these will return a number between 0 and 1
that is a measure of how similar they are. Zero implies totally
different, and 1 implies identical. So, for a quick one-liner in perl
(see below), we can see that the two hostnames mentioned above are
extremely similar, and it would be an interesting result to see this
applied across our entire malware repository - we might discover a
previously unknown relationship between two pieces of malware that is
worth exploring. Of course, just because a malware distribution
server is similar does not (by itself) prove anything - more
investigation would be necessary.

$ perl -e 'use String::Similarity; print similarity($ARGV[0], $ARGV[1]), "\n"' nnnavzhan.3322nnn.org nnnavzhan1.3322nnn.org
0.976744186046512

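As an added example (not code from the original post), the following Python script does the comparison described above over a small list of hostnames rather than a single pair: it computes a 0-to-1 similarity score, reports every pair at or above a threshold, and groups the hostnames into clusters so that a repository scan surfaces candidate relationships for manual follow-up. The scoring function is an assumption: 1 minus the edit distance (insertions and deletions cost 1, substitutions cost 2) divided by the combined length of the two strings, which is the ratio the python-Levenshtein extension computes and which reproduces the 0.976744 above for the two sanitized Avzhan hostnames. The hostnames other than the post's sanitized ones are constructed and use reserved test TLDs.

```python
"""Pairwise hostname similarity over a list of malware distribution hostnames.

Added example, not from the original post. Score = 1 - d / (len(a) + len(b)),
where d is the edit distance with insert/delete cost 1 and substitution cost 2
(assumption: this matches the post's 42/43 = 0.976744 for its two hostnames).
"""
from itertools import combinations


def weighted_edit_distance(a: str, b: str) -> int:
    """Edit distance with indel cost 1 and substitution cost 2, one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            subst = prev[j - 1] + (0 if ca == cb else 2)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, subst))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """0.0 means nothing in common, 1.0 means identical."""
    total = len(a) + len(b)
    if total == 0:
        return 1.0
    return (total - weighted_edit_distance(a, b)) / total


def normalize(hostname: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and surrounding whitespace."""
    return hostname.strip().rstrip(".").lower()


def leftmost_label(hostname: str) -> str:
    return hostname.split(".", 1)[0]


def similar_pairs(hostnames, threshold=0.9):
    """Return (a, b, full_score, label_score) for every pair whose full-hostname
    score reaches the threshold, highest score first.  label_score compares only
    the leftmost label, which removes the boost a shared parent domain (e.g. a
    dynamic-DNS provider) gives to the full-hostname score."""
    names = sorted({normalize(h) for h in hostnames})
    out = []
    for a, b in combinations(names, 2):
        score = similarity(a, b)
        if score >= threshold:
            out.append((a, b, score, similarity(leftmost_label(a), leftmost_label(b))))
    out.sort(key=lambda t: t[2], reverse=True)
    return out


def clusters(hostnames, threshold=0.9):
    """Group hostnames that are transitively linked by a pair at or above threshold."""
    names = sorted({normalize(h) for h in hostnames})
    neighbours = {n: set() for n in names}
    for a, b, _, _ in similar_pairs(names, threshold):
        neighbours[a].add(b)
        neighbours[b].add(a)
    seen, groups = set(), []
    for n in names:
        if n in seen:
            continue
        group, stack = set(), [n]
        while stack:
            cur = stack.pop()
            if cur in group:
                continue
            group.add(cur)
            stack.extend(neighbours[cur])
        seen |= group
        groups.append(frozenset(group))
    return groups


# Constructed sample repository: the first three are the post's sanitized
# hostnames; the rest are made-up names in reserved test TLDs.
SAMPLE_HOSTNAMES = [
    "nnnavzhan.3322nnn.org",
    "nnnavzhan1.3322nnn.org",
    "nnnavzhan2.3322nnn.org",
    "update.dropper-one.test",
    "upd4te.dropper-one.test",
    "files.unrelated.invalid",
]

if __name__ == "__main__":
    for a, b, full, label in similar_pairs(SAMPLE_HOSTNAMES):
        print(f"{full:.4f}  (label only {label:.4f})  {a}  ~  {b}")
    for group in clusters(SAMPLE_HOSTNAMES):
        if len(group) > 1:
            print("cluster:", ", ".join(sorted(group)))
```

Two details matter when this is run over a real repository. Hostnames are normalized (lowercased, trailing dot removed) before comparison so that case or formatting differences do not split what is really one name. And because the full-hostname score is dominated by the shared parent domain when many samples use the same dynamic-DNS provider, the label-only score is reported alongside it; a pair that is similar on the full name but not on the leftmost label is usually just two customers of the same provider rather than a related distribution server.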

--
Michael Rash
If you would like to discuss DDOS, or anything else in this post, email Michael at:
michael (dot) rash (at) g2-inc (dot) com
