Arbor can now take down the malware's botnet

Jul 27, 2016 23:10 GMT  ·  By

Arbor Networks researchers have reverse-engineered the domain generation algorithm (DGA) that the Mad Max malware uses to locate its command-and-control (C&C) servers. Being able to predict the domains in advance lets them put counter-measures in place, such as blocking upcoming C&C domains and registering them first to sinkhole the botnet's traffic.

Mad Max is a new piece of malware spotted for the first time earlier this year. Little research exists on it, outside of a mention from UK security firm Sophos.

Based on its analysis, Arbor Networks defines Mad Max as a "targeted trojan," a definition that implies usage in targeted attacks, usually for cyber-espionage, industrial espionage, or other hacking operations specific to very sophisticated threat actors.

Mad Max uses a different C&C server each week

Arbor found that, like most modern malware, Mad Max connects to a C&C server to receive instructions from its operators. As is also common in more advanced malware, the address of this server is not hard-coded in the binary but produced by a DGA, an algorithm that generates a new C&C domain name each week.

Only the malware and its authors know the pattern in which these domain names are generated. After a lengthy analysis, detailed in a post on the company's blog, the Arbor researchers managed to reproduce the algorithm.

They found that Mad Max generates a ten-digit string for each week, to which it appends a .com top-level domain in the first week of the month, .org in the second week, .info in the third, and .net in the fourth.

The company verified its reimplementation of the algorithm by checking the domain names it generated against C&C domains the malware had already been seen using in the past.

DGA cracking opens the door for a takedown

Having reproduced the DGA, the researchers were able to register some of the upcoming domains before the malware's operators did and sinkhole part of the botnet's traffic.

The infected hosts that reached the sinkholed domains revealed a botnet of victims in 16 countries, namely Brazil, Canada, China, Finland, France, Germany, India, Italy, Japan, South Korea, Norway, Taiwan, Thailand, Ukraine, the UK, and the US. Since the sinkhole only sees traffic for the weeks in which Arbor holds the domain, the victim count is a lower bound rather than a full census.

With this visibility, the researchers also gathered more clues about this little-studied malware, which they said they would publish at a later date.

For now, the researchers have published the complete list of C&C domain names the malware has used and will use, covering January 1, 2015, through December 31, 2017, so that defenders can block or monitor them.