Researchers at Arbor Networks, the security division of Netscout, recently managed to crack the heavily obfuscated domain generation algorithm (DGA) of Mad Max, a targeted Trojan that has created a botnet of infected machines in sixteen countries.
The malware itself hasn’t been detailed as of now, but researchers did manage to find all of the domains that the threat has connected to since the beginning of 2015, as well as those it is supposed to use until the end of 2017. The Trojan’s analysis revealed some details on its features, installation life cycle, and other characteristics, but Arbor’s researchers plan on publishing these details at a later date.
The Mad Max malware family has generic detections on Virus Total and was observed dropping several DLLs onto the infected computers, which are then executed via rundll32.exe. The malware uses heavy obfuscation to hide its malicious intent, researchers say, revealing that the Trojan’s code consists mainly of dummy instructions, with only small sequences of real instructions inserted at certain intervals.
This form of obfuscation, researchers say, is fairly effective, as it makes it incredibly difficult for both specialized disassemblers/debuggers and human reverse engineers to find their way through the mass of fake code. The bad news, according to Jeff Edwards, research analyst on Arbor’s ASERT team, is that this type of obfuscation has become increasingly popular among cybercriminals.
However, given that the obfuscation algorithm was using a reliable pattern, the researchers managed to create a de-obfuscator capable of easily revealing the real instructions amid the dummy ones. After removing the fake instructions, researchers discovered that the malware was indeed using a DGA, and that some type of timestamp was used as variable “seed” input to the algorithm.
The malware would change the domain it connects to each week and would use a specific pattern for the TLD (top-level domain) depending on the current week of the month. Specifically, it would generate a .com domain for the first week of the month, then switch to .org, then .info, and end the month with a .net domain, researchers say.
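The weekly rotation and the week-of-month TLD pattern described above are the only parts of the DGA the article reproduces, so the following added example (not Arbor's code, and not the actual Mad Max algorithm) shows how a defender could turn just that schedule into a triage signal over DNS logs: for each client, count how many weekly slices contained a query whose TLD is the one the schedule predicts for that date. Assumptions: "week of the month" is taken as 7-day slices counted from the 1st, days 29 to 31 are folded into week 4 (the article does not say how the malware handles them), the log format and the sample lines are constructed, and the domain labels are made-up placeholders since the real label generator is not published here.

```python
from collections import defaultdict
from datetime import date

# TLD rotation reported for Mad Max: week 1 .com, week 2 .org, week 3 .info, week 4 .net
TLD_SCHEDULE = ("com", "org", "info", "net")


def week_of_month(d: date) -> int:
    """ASSUMPTION: weeks are 7-day slices counted from the 1st (1..5)."""
    return (d.day - 1) // 7 + 1


def expected_tld(d: date) -> str:
    """TLD the reported schedule predicts for this date.
    ASSUMPTION: a fifth partial week (days 29-31) keeps the week-4 TLD."""
    return TLD_SCHEDULE[min(week_of_month(d), 4) - 1]


def parse_log_line(line: str):
    """Constructed log format: 'YYYY-MM-DD <client> <queried-domain>'."""
    day_str, client, domain = line.split()
    y, m, d = (int(x) for x in day_str.split("-"))
    return date(y, m, d), client, domain.rstrip(".").lower()


def matches_schedule(domain: str, d: date) -> bool:
    """True if the domain's TLD is the one the schedule predicts for date d."""
    return domain.rsplit(".", 1)[-1] == expected_tld(d)


def score_clients(lines) -> dict:
    """Map client -> number of distinct (year, month, week) slices in which it
    queried a domain whose TLD matched the schedule for that day."""
    hits = defaultdict(set)
    for line in lines:
        d, client, domain = parse_log_line(line)
        if matches_schedule(domain, d):
            hits[client].add((d.year, d.month, min(week_of_month(d), 4)))
    return {client: len(weeks) for client, weeks in hits.items()}


def suspicious_clients(lines, min_weeks: int = 3) -> list:
    """Clients that followed the rotation for at least min_weeks distinct
    weekly slices. This is a triage signal only: a single .org query in week 2
    is normal traffic, sustained agreement across weeks is what stands out."""
    scores = score_clients(lines)
    return sorted(c for c, n in scores.items() if n >= min_weeks)


# Constructed sample log: one host tracking the schedule for a month, one not.
SAMPLE_LOG = [
    "2016-03-02 10.0.0.5 xk3f9q2ld.com",     # week 1 -> .com expected
    "2016-03-09 10.0.0.5 pz7m1vtq.org",      # week 2 -> .org expected
    "2016-03-17 10.0.0.5 wq8bn3ye.info",     # week 3 -> .info expected
    "2016-03-24 10.0.0.5 lm2ksd7h.net",      # week 4 -> .net expected
    "2016-03-10 10.0.0.9 www.example.com",   # week 2 expects .org -> no match
    "2016-03-17 10.0.0.9 mail.example.net",  # week 3 expects .info -> no match
]

if __name__ == "__main__":
    print(score_clients(SAMPLE_LOG))        # {'10.0.0.5': 4}
    print(suspicious_clients(SAMPLE_LOG))   # ['10.0.0.5']
```

In practice the schedule check is only a pre-filter; the authoritative indicator is the back-generated domain list Arbor published, which a resolver or sinkhole can match against directly.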
By creating a sinkhole, researchers also succeeded in determining that the Trojan has already managed to infect computers in sixteen countries around the world, including Brazil, Canada, China, Finland, France, Germany, India, Italy, Japan, South Korea, Norway, Taiwan, Thailand, Ukraine, the United Kingdom, and the United States.
Arbor Networks researchers were able to verify the cracked DGA by observing the malware attempting to connect to a series of historical domains. Given that these domains, along with the domain the bots were connecting to at the time of the analysis, were already back-generated by the cracked implementation, the researchers decided to publish the entire list of domains that Mad Max has connected and will connect to between January 1, 2015, and December 31, 2017.
“We could find little to no published information on this Mad Max family, although it is quite possible that it has been previously documented under another name. Based on our sinkholing results to date, it certainly appears to be an active botnet at this time,” Edwards says. He also notes that, while the initial research focused on the malware’s DGA, full details on the malware will be provided soon.