Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

From PDNS: Another fix length of 7, a-z. tlds: [ru, com]

See original GitHub issue
  • The range of 3ld is from ‘update’ to ‘update33’.
  • Sample domains from PDNS.

Issue Analytics

  • State:open
  • Created 6 years ago
  • Comments:8 (3 by maintainers)

github_iconTop GitHub Comments

baderjcommented, Dec 11, 2017

There is a DGA in the binary. It generates a new domain every 10 seconds

void __stdcall __noreturn query_fake_domains(LPVOID lpThreadParameter)
  signed int i; // esi@1
  int attempts; // esi@3
  CHAR full_domain; // [esp+4h] [ebp-80h]@4
  char domain[4]; // [esp+44h] [ebp-40h]@2

  while ( 1 )
      i = 0;
        domain[i++] = rand() % 25 + 'a';
      while ( i < 7 );
      *&domain[i] = 'ur.';
      attempts = 0;
    while ( number_of_resolves <= 0 );
      wsprintfA(&full_domain, pFakeDomainPattern, attempts, domain);
      if ( inet_addr(domain) == -1 && !gethostbyname(domain) )
    while ( attempts < number_of_resolves );

The PRNG is seeded with GetTickCount and the domains are therefore not predictable. The domains look like the hardcoded domains though, and I think they are used as decoys.

suqitiancommented, Dec 19, 2017

Finding an analysis article on this issue, unfortunately, is in Chinese. http[:]// Also found another hash with this DGA:

MD5:      54b5e6ae6a4eb6139b10d4ad25df32c2
SHA1:     9f479661020ccb94792315b2ae07738bdb4912cb
SHA256: 4cef263eba381523aa3ad23235e9d512028f41466f2ad1f4319ea4aa8c4d562d
Read more comments on GitHub >

github_iconTop Results From Across the Web

From PDNS: A fix length of 7, az. tlds: [ru, com] #35 - GitHub
A cluster from PDNS, look like DGA: ... From PDNS: A fix length of 7, a-z. tlds: [ru, com] #35....
Read more >
A DGA Odyssey PDNS Driven DGA Analysis - NANOG
First we need to have daily new Domains. – Match. • New Domains in last 7 days. • Second Level Domain(SLD) not on...
Read more >
PowerDNS Recursor Settings
If pdns-distributes-queries is set and this setting is set to another value than 0, the distributor thread will use a bounded load-balancing algorithm...
Read more >
MyloBot (Malware Family) - Malpedia
Details for the MyloBot malware family including references, samples and yara signatures.
Read more >
DGA - Netlab OpenData Project
tld : [com, org, net, ru, in] ; sld: A fix length of 8, a-z chars; 50 domains in total ; time dependent:...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found